How to create an iOS Distribution, Push (APN) and Provisioning Profile for Symantec Mobility: Suite


Article ID: 181738


Products

Mobility Suite

Issue/Introduction

 

Resolution

Contents

Create a CSR for Distribution:
In-House Distribution/Code-signing certificate

Import, convert and export the distribution certificate
Upload to Mobility
Create a CSR for Push:
Push Certificate
Import, convert and export the push certificate
Upload Push certificate to Mobility

Distribution Profile

 Note: Below are step-by-step instructions on how to create the series of certificates necessary to build the iOS Symantec Mobility Work Hub agent (client).

Tip: Create three folders named Distribution, Push, Provisioning and MDM (to create iOS MDM, follow HOWTO84066) to keep track of each certificate with its associated CSR and P12/PFX.

Create a CSR for Distribution:

Note: Use the developer's email address for the Common Name (CN) or leave the CN blank (not allowed in the IIS-Method).  Choose one of the three methods below:

OSX-Method
Linux-method
IIS-Method

OSX-Method:

1.       Open Keychain Access in the Finder by browsing to Applications > Utilities.

2.       Select the login keychain in the upper left-hand corner. 

Note: All work will be done from the login keychain.

3.       Select Keychain Access > Certificate Assistant at the top and select the Request a Certificate from a Certificate Authority option.  Fill out the form with user information and select the Save to disk option and click continue. 

4.       Save this CSR to the Distribution folder (or to any ubiquitous location).

5.       Once the CSR is created, continue to In-House Distribution/Code-signing certificate.

Linux-method:

1.       From any Linux box with openssl installed enter the following, as root:
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

2.       Download the CSR.csr to the workstation using WinSCP or PuTTY as described in HOWTO110248 and save it to the Distribution folder (or any ubiquitous location).

3.       Once the CSR is created, continue to In-House Distribution/Code-signing certificate.

IIS-Method (HOWTO59214)

See HOWTO59214 to create a CSR in IIS. Once the CSR is created, continue to In-House Distribution/Code-signing certificate.

In-House Distribution/Code-signing certificate

1.       Log into the https://developer.apple.com portal and click Member Center.

2.       Under Technical Resources and Tools click iOS:

3.       Now click Certificates, Identifiers & Profiles from the right.

4.       Select Certificates from the options and Distribution. Click the + symbol and select the In-House and Ad Hoc certificate option.  Use the CSR created from Create a CSR for Distribution: click Choose File… and browse to the CSR file.

5.       Click Generate and Download the ios_distribution.cer saving it to the Distribution folder.

Tip: Saving each CSR and certificate to their respective folders will greatly assist in gathering the required information to renew these certificates in the future.

Note: If the In-house Ad Hoc certificate option is greyed out, either the account is not an enterprise developer account or the maximum of two distribution certificates has already been created.  In the second case, it will be necessary to obtain a P12 of this distribution certificate from whoever produced it.  Revoking or deleting these certificates is not advisable as this will invalidate every app that has been distributed using the certificate.

6.       Once the certificate is created, continue to Import, convert and export the distribution certificate to convert the downloaded certificate to PFX/P12 format.

Import, convert and export the distribution certificate

Note: For this step there are three options shown.  Choose which option is most familiar:

OSX-Method:
Linux-Method:
IIS-Method

OSX-Method:

1.       Download the newly created certificate (ios_distribution.cer) and install it to the keychain by opening the certificate with the Keychain application or manually importing the cert using the Keychain application:

Tip: To install or open any certificate in Keychain, simply click on the certificate; it will open in Keychain by default.

 

2.       The private key should be visible, associated with the certificate in the keychain.

3.       Right-click on the certificate and select Export.  Save the exported Certificate as a Personal Information Exchange (P12) in the Distribution folder.  Create a complex password to protect the P12.

4.       Once the certificate has been successfully exported continue to Upload to Mobility.

Linux-Method:

1.       Take the downloaded certificate (ios_distribution.cer) from the Apple Developer site and upload it to the same Linux machine, following HOWTO110248.

2.       From the Linux machine, use OpenSSL to convert the ios_distribution.cer or aps_production.cer to PEM format using:
openssl x509 -inform der -in ios_distribution.cer -out ios_distribution.pem

3.       Convert the ios_distribution.cer or aps_production.cer (now in PEM format) and the privateKey.key file into a p12 using the following command, entering a complex password to secure the file:

openssl pkcs12 -export -out ios_distribution.pfx -inkey privateKey.key -in ios_distribution.pem

Important:  The private key file will need to be accessible for the above command to work.  In this example, the private key is in the same directory as the ios_distribution.pem certificate.  If it is protected with a password, enter the password used to generate the key.

 

4.       Download the ios_distribution.pfx to the workstation using PSCP, WinSCP or FileZilla, again following HOWTO110248, and save it to the Distribution folder.

Tip: For instructions on how to transfer files between Linux and Windows, see HOWTO110248.

5.       Once the certificate has been successfully exported and saved, continue to Upload to Mobility.

IIS-Method

1.       From the same Windows machine used to generate the CSR, go to Start > search for MMC and open MMC.

2.       From within MMC go to File > Add/Remove Snap-in > Certificates and click Add.

3.       Select Computer account and Next.

4.       Ensure that Local computer is selected and click Finish.

5.       Click OK to create the new snap-in.

6.       Expand the Certificates (Local Computer) > Personal > Certificates.

7.       Right click on certificates and select All Tasks > Import.

8.       Browse to the ios_distribution.cer.

9.       Ensure that Place all certificates in the following store: Personal is selected and click Next.

10.    Review the import information and click Finish.

Note: If asked, mark the key as exportable and include all extended properties.

11.    Allow up to 1 minute for the import to complete.

12.    Verify that the private key has been associated with the certificate by looking for a small key symbol over the certificate.

13.    If no key icon is showing, be sure that the machine has Apple’s root certificate authority added as a trusted Root Certificate and repeat 1-14.

Tip: If the key is still not showing, download and install all of Apple's certificates found here into the Trusted Root Certificate Authority store, recreate the CSR via IIS and repeat.

14.    Once a key is shown, right click on the certificate and go to All Tasks > Export.

15.    Click Next.

16.    Select Yes, export the private key and click Next.

17.    Ensure that Personal Information Exchange – PKCS #12 (.PFX) is selected and Include all certificates in the certificate path if possible and Export all extended properties are checked and click Next.

18.    Set a complex password for the PFX file and click Next.

19.    Name and save the file to the Distribution folder or a ubiquitous location.

20.    Once the certificate has been successfully exported continue to Upload to Mobility.

Upload to Mobility

Upload the .p12/pfx certificate in the App Center Admin Console under Settings > Certificates > Apple/iOS Certificates: in the Code-signing section, click Upload in the upper-right of the page.

Once the certificate has been uploaded to the Mobility server, continue to Create a CSR for Push (HOWTO110247).

Create a CSR for Push:

Note: Use the developer's email address for Common Name (CN) or leave the CN blank (not allowed in the IIS-Method).  Choose one of the three methods below:

OSX-Method
Linux-method
IIS-Method

OSX-Method:

1.       Open Keychain Access in the Finder by browsing to Applications > Utilities.

2.       Select the login keychain in the upper left-hand corner. 

Note: All work will be done from the login keychain.

3.       Select Keychain Access > Certificate Assistant at the top and select the Request a Certificate from a Certificate Authority option.  Fill out the form with user information and select the Save to disk option and click continue. 

Note: The common name (CN) is arbitrary.

4.       Save this CSR to the Push folder (or to any ubiquitous location).

5.       Once the CSR is created, continue to Push Certificate.

Linux-method:

1.       From any Linux box with openssl installed enter the following, as root:
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

2.       Download the CSR.csr to the workstation using WinSCP or PuTTY as described in HOWTO110248.

3.       Once the CSR is created, continue to Push Certificate.

IIS-Method (HOWTO59214)

See HOWTO59214 to create a CSR in IIS.  Once the CSR is created, continue to Push Certificate.

Push Certificate

1.       Log into the https://developer.apple.com portal and click Member Center at the top of the page.

2.       Under Technical Resources and Tools click iOS.

3.       Now click Certificates, Identifiers & Profiles from the right.

4.       Select the Identifiers option from the list.

5.       On the left under Identifiers, select App IDs and click the (+) symbol at the top.

6.       Fill in the App ID Description Name field with something unique to identify the App ID from others, such as Your Company Mobile Agent.

7.       Under App Services, select Push Notifications or Services.

8.       App ID Prefix should be the Team ID, if any, or the only option.

9.       Explicit App ID is the domainSuffix.yourDomain.subDomain.installer. For example, if the App Center resides at https://mobility.acme.com, the Bundle ID would be com.acme.mobility.installer.

10.    Reload the App IDs console by clicking on App IDs on the left; expand the newly created App ID and select the Settings button.

 

11.    Scroll down and under the Push Notifications options list select Create Certificate under the Production SSL Certificate section.

12.    Upload the new CSR file created from Create a CSR for Push; click Generate and Download; save this file to the Push folder (to keep track of it).

13.    Refresh the App ID console and expand the App ID and verify that a Production SSL Certificate has been created.

14.    Once the aps_production.cer has been created, continue to Import, convert and export the push certificate.

Import, convert and export the push certificate

Note: For this step there are three options shown.  Choose which option is most familiar:

OSX-Method:
Linux-Method:
IIS-Method

OSX-Method:

1.       Take the downloaded certificate (aps_production.cer) and install it to the keychain by opening the certificate with the Keychain application or manually importing the cert using the Keychain application.

 

2.       The private key should be visible, associated with the certificate in the keychain.

3.       Right-click on the certificate and select Export.  Save the exported Cert as a Personal Information Exchange (P12) in the Code-Signing folder.

4.       Once the certificate has been successfully exported continue to Upload Push certificate to Mobility.

Linux-Method:

1.       Take the downloaded certificate (aps_production.cer) from the Apple Developer site and upload it to the same Linux machine, following HOWTO110248.

2.       From the Linux machine use OpenSSL to convert the aps_production.cer to PEM format using:
openssl x509 -inform der -in aps_production.cer -out aps_production.pem

3.       Convert the aps_production.cer and its privateKey.key file into a p12 using the following command, entering a complex password to secure the file:

openssl pkcs12 -export -out aps_production.pfx -inkey privateKey.key -in aps_production.pem

Important:  The private key file will need to be accessible for the above command to work.  In this example, the private key is in the same directory as the pem certificate.  If it is protected with a password, enter the password used to generate the key. Do not mix this private key up with the privateKey.key used to produce the ios_distribution.cer.

4.       Download the aps_production.pfx to the workstation following HOWTO110248, or using any other SCP method.

5.       Once the certificate has been successfully exported continue to Upload Push certificate to Mobility.
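The warning above about mixing up the two privateKey.key files can be turned into a check. The following is an added example, not part of the original article: it wraps the two OpenSSL conversion commands of the Linux-Method (for both the distribution and the push certificate) and refuses to build the PFX unless the private key matches the certificate. The helper names and the password file are hypothetical, and self-signed certificates are constructed as stand-ins for the .cer files the Apple portal issues.

```shell
#!/bin/sh
# Added example (not from the article). make_p12, key_fp, cert_fp and demo_setup
# are hypothetical helper names.

# Fingerprint of the public key held in a private key file.
key_fp() { openssl pkey -in "$1" -pubout -outform der 2>/dev/null | openssl dgst -sha256; }

# Fingerprint of the public key embedded in a PEM certificate.
cert_fp() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform der | openssl dgst -sha256
}

# usage: make_p12 <cert.cer in DER> <privateKey.key> <out.pfx> <password file>
# Returns 1, and writes no PFX, when the key does not belong to the certificate.
make_p12() {
    pem="${1%.cer}.pem"
    openssl x509 -inform der -in "$1" -out "$pem" || return 2
    if [ "$(key_fp "$2")" != "$(cert_fp "$pem")" ]; then
        echo "refusing export: $2 is not the key for $1" >&2
        return 1
    fi
    openssl pkcs12 -export -out "$3" -inkey "$2" -in "$pem" -passout "file:$4" || return 2
    chmod 600 "$3"   # the PFX carries the private key
}

# Constructed demo data: one key/CSR/certificate per folder. Self-signing stands
# in for the certificate the Apple portal would issue from the CSR.
demo_setup() {
    work=$(mktemp -d) || return 1
    umask 077        # -nodes leaves privateKey.key unencrypted on disk
    for name in ios_distribution aps_production; do
        mkdir "$work/$name"
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed-$name" \
            -keyout "$work/$name/privateKey.key" -out "$work/$name/CSR.csr" >/dev/null 2>&1
        openssl x509 -req -in "$work/$name/CSR.csr" -signkey "$work/$name/privateKey.key" \
            -days 1 -outform der -out "$work/$name/$name.cer" >/dev/null 2>&1
    done
    printf '%s\n' 'constructed-demo-password' > "$work/pass.txt"
    echo "$work"
}

work=$(demo_setup)
make_p12 "$work/aps_production/aps_production.cer" "$work/aps_production/privateKey.key" \
    "$work/aps_production.pfx" "$work/pass.txt" && echo "exported aps_production.pfx"
# The distribution key is rejected for the push certificate.
make_p12 "$work/aps_production/aps_production.cer" "$work/ios_distribution/privateKey.key" \
    "$work/wrong.pfx" "$work/pass.txt" || echo "mismatch rejected"
rm -rf "$work"
```

Keeping each CSR, key and certificate in its own folder, as the Tip at the top of the article suggests, avoids the mix-up in the first place; the check catches it when that discipline slips.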

IIS-Method

1.       From the same Windows machine used to generate the CSR, go to Start > search for MMC and open MMC.

2.       From within MMC go to File > Add/Remove Snap-in > Certificates and click Add.

3.       Select Computer account and Next.

4.       Ensure that Local computer is selected and click Finish.

5.       Click OK to create the new snap-in.

6.       Expand the Certificates (Local Computer) > Personal > Certificates.

7.       Right click on certificates and select All Tasks > Import.

8.       Browse to the aps_production.cer.

9.       Ensure that Place all certificates in the following store: Personal is selected and click Next.

10.    Review the import information and click Finish.

Note: If asked, mark the key as exportable and include all extended properties.

11.    Allow up to 1 minute for the import to complete.

12.    Verify that the private key has been associated with the certificate by looking for a small key symbol over the certificate.

13.    If no key icon is showing, be sure that Apple’s root certificate authority certificates are added as trusted Root Certificates on the machine and repeat 1-14.

Tip: If the key is still not showing, recreate the CSR via IIS and repeat.

14.    If a key is shown, right click on the certificate and go to All Tasks > Export.

15.    Click Next.

16.    Select Yes, export the private key and click Next.

17.    Ensure that Personal Information Exchange – PKCS #12 (.PFX) is selected and Include all certificates in the certificate path if possible and Export all extended properties are checked and click Next.

18.    Set a complex password for the PFX file and click Next.

19.    Name and Save the file to a ubiquitous location.

20.    Once the certificate has been successfully exported, continue to Upload Push certificate to Mobility.

Upload Push certificate to Mobility

Upload the .p12/pfx push certificate in the App Center Admin Console under Settings > Certificates > Apple/iOS Certificates, in the Push Certificate section.

Once the certificate has been successfully uploaded to the console, continue to the Distribution Profile step.

Distribution Profile

1.       A distribution provisioning profile is needed to build the iOS Work Hub Agent.  Go to https://developer.apple.com and enter the iOS Dev Center.  Select Certificates, Identifiers & Profiles in the upper-right.

2.       Select Provisioning Profiles from the 4 options:

 

3.       Click the + button at the top:

 

4.       Under the area labeled Distribution, select In House and click Continue.

5.       Next, select the App ID that was created from the Creating Certificates for App Center section and select Continue:

 

 

6.       Select the Distribution certificate by clicking the radio button to its left and click Continue:

7.       Name the iOS Provisioning Profile with something unique.  Advance to the next screen after verifying that the App ID and Developer Certificate are both included in the profile.

8.       Download the Provisioning Profile to the workstation:

The below three certificates should now be created:

·         iOS Distribution Certificate (also known as the code-signing certificate) (P12 or PFX)

·         APNS (Push) Certificate (P12 or PFX)

·         Mobile Provisioning Profile (for the above APNS: App-id).

9.       Verify that the certificates are uploaded to Mobility by navigating to Settings > Certificates > Apple/iOS Certificates.

 

 
