Generating a Certificate Signing Request (CSR) for Symantec Mobile Management


Article ID: 155825


Mobile Management


You want to know how to generate a Certificate Signing Request (CSR) for Symantec Mobile Management, and then create and install the certificate.



Services that send notifications to a Mac iOS device must be registered with Apple. The Symantec Mobile Management application uses the Apple Push Notification service to deliver notification messages to the management agent and to the Mobile Device Management (MDM) component of iOS.
The Apple Push Notification service allows the Symantec Mobile Management server to communicate with the device without affecting performance or battery life.
An SSL certificate signed by Symantec and Apple must be installed on the Symantec Mobile Management server. You obtain the certificate by submitting a request to Symantec for a signed certificate. The rest of this article describes the procedure to generate the certificate.
NOTE: You will need a Windows 2003 or 2008 server, and either Firefox or Safari. You cannot use Internet Explorer to complete this workflow. If you cannot access the Apple push certificate portal using Firefox, you will need to use Safari to create the MDM certificate.
Use the following procedures to generate the CSR, create the certificate, and install the certificate:

Generate the Certificate Signing Request
You generate a certificate signing request (CSR) on your MMS server or a Windows 2003/2008 server.

To generate a certificate request
1.        Select Start > Control Panel > Administrative Tools.
2.        Select Internet Information Services (IIS) Manager.
3.        Select the server, and then double-click Server Certificates.
4.        On the Actions menu, click Create Certificate Request and enter the following information:
·   Common Name - The name that is attached to your certificate request.
·   Organization - The name of your organization.
·   Organizational unit - The name of the group or department within your organization.
·   City/locality - The city or locality where your organization is located.
·   State/province - The state or province where your organization is located.
·   Country/region - The country or region where your organization is located.

5.        Click Next.
6.        In the Cryptographic Service Provider Properties window, select Microsoft RSA SChannel Cryptographic Provider for the Cryptographic service provider. Set Bit length to 2048.
7.        Click Next.
8.        In the File Name window, type a file path and name or click the ellipsis button to browse.
9.        Click Finish to generate and save the certificate request. The file is saved as a .TXT file.
Attach the CSR file to an email and send it to your Symantec Partner, Symantec Sales Engineer, or <[email protected]>. They should respond back after processing your request with the .plist file you need to complete the CSR process.
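
The wizard settings from steps 4 to 6 can also be expressed as a certreq.exe request file. This is an added example, not part of Symantec's documented procedure. It assumes PowerShell 2.0 or later with certreq.exe and certutil.exe on the server; the subject values and file names are placeholders.

```powershell
# Added example: generate the CSR with certreq.exe instead of the IIS wizard.
# Subject values and file names are placeholders; replace them with your own.
$infPath = Join-Path (Get-Location) 'mdm-csr.inf'
$csrPath = Join-Path (Get-Location) 'mdm-csr.txt'

# Refuse to overwrite an earlier request file.
if (Test-Path $csrPath) { throw "$csrPath already exists; move it first." }

# KeyLength and ProviderName mirror step 6 of the wizard procedure.
# MachineKeySet keeps the private key in the computer's key store.
# Exportable is TRUE because the key pair is later exported to a .PFX file.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=mdm.example.com, OU=IT, O=Example Corp, L=Example City, S=Example State, C=US"
KeyLength = 2048
KeySpec = 1
MachineKeySet = TRUE
Exportable = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
'@
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Create the key pair and write the PKCS#10 request.
& certreq.exe -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Dump the request so the subject and key length can be checked before sending.
& certutil.exe -dump $csrPath
```

Only the request file leaves the server. The private key stays in the machine key store, so the signed certificate has to be completed on the same server.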

Creating the certificate
1.        After you receive the signed CSR from Symantec, use Safari as your web-browser and visit Sign in with a verified Apple ID.
2.        Click Create a Certificate and agree to the Terms of Use.
3.        Navigate to your signed CSR and click Upload. After a moment, your certificate will be available for download.
4.        Download the certificate. The certificate is a .PEM file.
5.        Copy the .PEM file to the server where the CSR was created.
6.        In IIS Manager, select the server and double-click Server Certificates.
7.        On the right, under Actions, choose Complete Certificate.
8.        When prompted, enter the path to the new .PEM file.
  NOTE: You may need to select *.* to see your .PEM file in your chosen path.

9.        Enter a user-friendly name for the certificate and then press OK. The new certificate is now available with a private key.
10.     Select the certificate and under Actions, choose Export.
11.     Enter a path and file name to store the MDM certificate (key-pair) with a password. The exported file has a file-type of .PFX.
  IMPORTANT: Save the file in a safe place. It will need to be installed on every MMS server.

12.    If you are already on the MMS server, you can run the MMC at the console to verify that the MDM certificate is also found in the key-store under Certificates (Local Computer) > Personal. If you are not already at the server, copy the .PFX file to each MMS server.

Installing the certificate
1.        On each MMS Server, install the certificate. To install the certificate, do the following:
          1. Click Start > Run, enter mmc, and press Enter.
          2. On the MMC menu, select Add/Remove snap-ins.
2.        Select Certificates for Computer Account, then select Local Computer, and then click OK.
3.        If not installed already, install the Apple root and intermediate certificates by doing the following:
          1. Go to
          2. Download the Apple root CA and then import it to the Trusted Certificate store in the MMC.
          3. Download the Application Integration Certificate from Intermediate certificates and then import it into the Intermediate Certificate store.
4.        Double-click on Certificates (Local Computer), and then select Personal.
5.        To install the certificate, right click, and then from the menu, select Import. Follow the instructions provided, choosing the .PFX file when prompted.

NOTE: Make a note of the subject and thumbprint fields in the certificate Details. This information is needed for MDM/APNS configuration.
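
The subject and thumbprint can also be read from the store with a script that checks the import at the same time. This is an added example, not Symantec tooling. It assumes PowerShell 2.0 or later on the MMS server; $SubjectFilter is a placeholder for text from your own certificate's subject.

```powershell
# Added example: report on the MDM certificate in Certificates (Local Computer) > Personal.
# $SubjectFilter is a placeholder; replace it with text from your certificate's subject.
$SubjectFilter = 'REPLACE-WITH-SUBJECT-TEXT'

$certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Subject.IndexOf($SubjectFilter, [StringComparison]::OrdinalIgnoreCase) -ge 0
})
if ($certs.Count -eq 0) {
    Write-Warning "No certificate in LocalMachine\My matches '$SubjectFilter'."
}

foreach ($cert in $certs) {
    # Build the chain in machine context without revocation lookups. A failure
    # here can mean the root or intermediate certificate is not installed.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    $keyBits = $cert.PublicKey.Key.KeySize

    # Flag the conditions that indicate a failed or incomplete import.
    if (-not $cert.HasPrivateKey) { Write-Warning "$($cert.Thumbprint): no private key; re-import the .PFX." }
    if ($keyBits -lt 2048)        { Write-Warning "$($cert.Thumbprint): key is only $keyBits bits." }
    if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "$($cert.Thumbprint): expired on $($cert.NotAfter)." }
    if (-not $chainOk)            { Write-Warning "$($cert.Thumbprint): chain did not build: $chainStatus" }

    # Subject and Thumbprint are the two values to record for the MDM/APNS configuration.
    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
        KeyBits       = $keyBits
        NotAfter      = $cert.NotAfter
        ChainOk       = $chainOk
    } | Select-Object Subject, Thumbprint, HasPrivateKey, KeyBits, NotAfter, ChainOk | Format-List
}
```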

