How to Generate and Install Identity Certificate for iOS MDM Configuration Profile



When configuring Mobile Device Management (MDM) for iOS devices, many developers encounter issues with the identity certificate requirement. The iPhone Configuration Utility explicitly requires this certificate for device authentication, but the process isn't always straightforward.

To create a valid identity certificate, you'll need to follow these steps:

# Generate private key
openssl genrsa -out mdm.key 2048

# Create Certificate Signing Request (CSR)
openssl req -new -key mdm.key -out mdm.csr -subj "/CN=com.yourcompany.mdm/O=Your Organization/C=US"

# Generate self-signed certificate (valid for 1 year)
openssl x509 -req -days 365 -in mdm.csr -signkey mdm.key -out mdm.crt

# Convert to PKCS#12 format for iOS
openssl pkcs12 -export -inkey mdm.key -in mdm.crt -out mdm.p12 -name "MDM Identity"

After generating the certificate:

  1. Open iPhone Configuration Utility
  2. Navigate to the Credentials section
  3. Import the .p12 file (you'll need to provide the export password)
  4. Ensure the certificate appears with a valid trust chain

Certificate not appearing in Identity dropdown: This typically occurs when:

  • The certificate isn't properly imported into the Credentials payload
  • The certificate lacks proper key usage extensions (must include digitalSignature)
  • The trust chain is incomplete

Profile installation failures: If you see the error "The identity certificate could not be found", verify:

  • The certificate common name (CN) matches your MDM payload identifier
  • The certificate is properly referenced in the configuration profile XML

For enterprise deployments, consider setting up a SCEP server:

# Example SCEP configuration in mobileconfig

<dict>
    <key>URL</key>
    <string>https://scep.yourcompany.com/scep</string>
    <key>Name</key>
    <string>SCEP</string>
    <key>Subject</key>
    <array>
        <array>
            <array>
                <string>CN</string>
                <string>com.yourcompany.mdm</string>
            </array>
        </array>
    </array>
    <key>Challenge</key>
    <string>shared-secret</string>
    <!-- Apple's SCEP payload spells this key "Keysize" (an integer), not "Key Size" -->
    <key>Keysize</key>
    <integer>2048</integer>
</dict>

After installation, check the device logs for these positive indicators:

default 11:22:33.123456 AM mdmd: MDM Identity certificate found: CN=com.yourcompany.mdm
default 11:22:33.123457 AM mdmd: Successfully enrolled with MDM server

Remember that identity certificates need to be renewed before expiration to maintain MDM functionality.


When configuring Mobile Device Management (MDM) for iOS devices, the identity certificate serves as the device's authentication credential when communicating with your MDM server. The certificate must meet specific requirements to be recognized by Apple's MDM framework.

The identity certificate must:

  • Be a valid X.509 certificate with a private key
  • Include the extended key usage (EKU) for client authentication (1.3.6.1.5.5.7.3.2)
  • Be properly signed by a trusted CA (or explicitly trusted on the device)
  • Have a subject common name (CN) that matches your MDM configuration

Here's how to create a valid certificate using OpenSSL:


# Generate private key
openssl genrsa -out mdm.key 2048

# Create CSR
openssl req -new -key mdm.key -out mdm.csr -subj "/CN=com.yourcompany.mdm"

# Create certificate config file (mdm.ext)
cat > mdm.ext << EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF

# Sign the certificate (using your CA)
openssl x509 -req -in mdm.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out mdm.crt -days 365 -sha256 -extfile mdm.ext

After generating the certificate:

  1. Open iPhone Configuration Utility
  2. Create a new configuration profile
  3. Go to Credentials section and import both the certificate (mdm.crt) and private key (mdm.key)
  4. In the Mobile Device Management section, the certificate should now appear in the Identity dropdown

If the certificate doesn't appear:

  • Ensure the private key is properly associated with the certificate
  • Verify the certificate includes clientAuth EKU
  • Check that the certificate chain is complete (include intermediate CAs if needed)
  • Try exporting the certificate and key as a PKCS#12 (.p12) file and import that instead

For larger deployments, consider setting up a SCEP server:


# Example SCEP configuration for iOS
<dict>
    <key>URL</key>
    <string>https://your-scep-server/scep</string>
    <key>Name</key>
    <string>Company MDM CA</string>
    <key>Subject</key>
    <array>
        <array>
            <array>
                <string>CN</string>
                <string>com.yourcompany.mdm</string>
            </array>
        </array>
    </array>
</dict>

Remember that the identity certificate is just one component of a complete MDM solution. You'll also need to properly configure your MDM server and ensure all communication uses proper encryption.
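The procedure both answers describe, carried through end to end as an added example (this is not code from either answer, from Apple's tools, or from any MDM product): a throw-away internal CA, a CA-signed identity carrying the clientAuth EKU and digitalSignature key usage, a PKCS#12 export that bundles certificate, key and issuing CA, and a check_identity function that tests the four properties the answers say the identity needs before you import it. For contrast it also runs the same checks against a bare self-signed certificate produced the way the first answer's recipe does, with no -extfile. Assumptions: openssl 1.1.1 or newer on PATH; com.yourcompany.mdm is the page's placeholder CN, and the CA name, file names and the export password "changeit" are placeholders of this example.

```shell
#!/bin/sh
# Added example, not code from either answer above. Builds a small internal CA,
# issues a CA-signed MDM identity with clientAuth EKU and digitalSignature key
# usage, bundles it as PKCS#12, and checks the result before it is imported.
# Assumptions: openssl 1.1.1+ on PATH; all names, paths and the password
# "changeit" are placeholders.

WORK=${WORK:-$(mktemp -d)}
MDM_CN="com.yourcompany.mdm"
P12_PASS="changeit"   # placeholder export password, not a recommendation

# Minimal req config so the example does not depend on the system openssl.cnf
# (OpenSSL 1.1.1 insists on a distinguished_name section even with -subj).
write_req_config() {
    cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Throw-away internal CA that signs the identity (stands in for your real CA).
make_ca() {
    write_req_config
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null || return 1
    openssl req -x509 -new -key "$WORK/ca.key" -sha256 -days 3650 \
        -config "$WORK/req.cnf" -extensions v3_ca \
        -subj "/CN=Example MDM Root CA/O=Your Organization" \
        -out "$WORK/ca.crt" 2>/dev/null
}

# Identity: key, CSR, CA signature with the v3 extensions a client identity
# needs, then a PKCS#12 carrying certificate, key and issuing CA together.
make_identity() {
    openssl genrsa -out "$WORK/mdm.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$WORK/mdm.key" -sha256 -config "$WORK/req.cnf" \
        -subj "/CN=$MDM_CN/O=Your Organization/C=US" \
        -out "$WORK/mdm.csr" 2>/dev/null || return 1
    cat > "$WORK/mdm.ext" <<EOF
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
    openssl x509 -req -in "$WORK/mdm.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$WORK/mdm.ext" \
        -out "$WORK/mdm.crt" 2>/dev/null || return 1
    openssl pkcs12 -export -inkey "$WORK/mdm.key" -in "$WORK/mdm.crt" \
        -certfile "$WORK/ca.crt" -name "MDM Identity" \
        -passout "pass:$P12_PASS" -out "$WORK/mdm.p12" 2>/dev/null
}

# check_identity CERT KEY CAFILE: report each property an MDM identity must
# have; returns 0 only if all hold. These are the usual reasons the Identity
# dropdown stays empty, caught before the profile is built.
check_identity() {
    cert=$1; key=$2; cafile=$3; failed=0
    text=$(openssl x509 -in "$cert" -noout -text)
    case "$text" in
        *"TLS Web Client Authentication"*) ;;
        *) echo "  missing extendedKeyUsage clientAuth"; failed=1 ;;
    esac
    case "$text" in
        *"Digital Signature"*) ;;
        *) echo "  missing keyUsage digitalSignature"; failed=1 ;;
    esac
    # The private key must belong to this certificate: compare public keys.
    if [ "$(openssl x509 -in "$cert" -noout -pubkey)" != "$(openssl pkey -in "$key" -pubout)" ]; then
        echo "  private key does not match certificate"; failed=1
    fi
    # The chain must verify against the CA the device will trust.
    if ! openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1; then
        echo "  certificate does not chain to $cafile"; failed=1
    fi
    return $failed
}

# Subject of the certificate inside the exported PKCS#12 (what iPCU will list).
p12_subject() {
    openssl pkcs12 -in "$WORK/mdm.p12" -passin "pass:$P12_PASS" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -subject
}

main() {
    make_ca || { echo "CA setup failed"; return 1; }
    make_identity || { echo "identity issuance failed"; return 1; }
    # For comparison: a self-signed certificate with no extensions, which is
    # what "openssl x509 -req -signkey" without -extfile produces.
    openssl x509 -req -days 365 -in "$WORK/mdm.csr" -signkey "$WORK/mdm.key" \
        -out "$WORK/bare.crt" 2>/dev/null
    echo "CA-signed identity ($WORK/mdm.crt):"
    check_identity "$WORK/mdm.crt" "$WORK/mdm.key" "$WORK/ca.crt" && echo "  all checks passed"
    echo "bare self-signed certificate ($WORK/bare.crt):"
    check_identity "$WORK/bare.crt" "$WORK/mdm.key" "$WORK/ca.crt" || echo "  not usable as an MDM identity"
    echo "PKCS#12 contains: $(p12_subject)"
}
main
```

Run it with `sh` and it prints the working directory it used; the bare self-signed certificate fails the EKU, key-usage and chain checks, the same three conditions the troubleshooting bullets in both answers list, while the CA-signed identity passes all four. Importing the .p12 rather than a loose .crt/.key pair is what keeps the private key associated with the certificate, and the -certfile option puts the issuing CA in the same bundle so the chain travels with the identity.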