5

I've been wrestling with this issue for the last few days. Wondering if anyone else has encountered this. I'm trying to sign a CSR with my MDM Vendor certificate. I'm following the instructions in

http://adcdownload.apple.com//Documents/mobile_device_management_protocol/mobiledevicemanagement_121211.pdf

The following is the function that calculates the signature for SHA1WithRSA

using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Signs the DER-encoded CSR with the MDM vendor certificate's RSA private key
// (SHA-1 digest, PKCS#1 v1.5 padding) and returns the signature base64-encoded.
private static string DoSign(X509Certificate2 signerCert, byte[] csrDerBytes)
{
    // PrivateKey is an RSACryptoServiceProvider for CSP-backed keys; a CNG-backed
    // key would need GetRSAPrivateKey() instead of this cast.
    var crypt = (RSACryptoServiceProvider)signerCert.PrivateKey;
    var sha1 = new SHA1CryptoServiceProvider();
    byte[] hash = sha1.ComputeHash(csrDerBytes);
    // The OID tells SignHash which digest algorithm produced the hash.
    byte[] signedHash = crypt.SignHash(hash, CryptoConfig.MapNameToOID("SHA1"));
    return Convert.ToBase64String(signedHash);
}

After attaching this signature to the encoded plist as described, and uploading the request to the apple server (https://identity.apple.com/pushcert), I received:

{"ErrorCode":-80018,"ErrorMessage":"Certificate Signature Verification failed","ErrorDescription":"Certificate Signature Verification failed because the http://www.apple.com/business/mdm\" target=\"_blank\">signature</a> is invalid."}

Anyone know what is wrong?

MarthyM
savagepanda

1 Answer

3

Found the issue: the signing code is working correctly; it was an issue with the certificate chain. The error returned was misleading, as it pointed to the signature.

My issue was that the cert chain I sent was using the wrong CA cert; it needed to be from the Apple WWDR CA.

savagepanda
  • I generated a push certificate for MDM. It's got a valid subject/topic. When viewed in the keychain store it says "This certificate was signed by an unknown authority". There's also no private key associated with it. Any idea what's wrong? – Sahil Khanna Sep 05 '12 at 09:20
  • 1
    Maybe you don't have the Apple root certificates? I think they are available on Apple's site for download. http://www.apple.com/certificateauthority/ The "no private key" is probably because from Apple you get the public part; you need to combine it with the private key to make it a complete p12 file. Usually the tool creating the CSR will do this for you if you complete the request on the same machine. – savagepanda Sep 11 '12 at 21:05
  • Thanks for the tip. The "unknown authority" issue is solved now. But I'm still stuck with the .p12 file. I'm using Mac and have followed http://www.softhinker.com/in-the-news/iosmdmvendorcsrsigning followed by http://stackoverflow.com/a/9756116/864850 to merge the public/private keys. But still I don't get the private key with the Push certificate in the keychain. Any idea where I could be wrong? – Sahil Khanna Oct 06 '12 at 09:22
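The question and the answer together describe two distinct failure causes behind one error message: the signature itself, and the CA chain embedded in the plist. The following is an added example, not code from the question or the answer, showing how a vendor can separate the two locally before uploading. It assumes a .NET runtime with the CertificateRequest API (.NET Core 2.0+ or .NET Framework 4.7.2+); the class and method names (MdmCsrSigningCheck, SignCsr, SignatureVerifies, CheckChain), the certificate subject names in Main and the CSR stand-in bytes are all constructed for the demo, and the expected-issuer substring is a caller-supplied parameter rather than the real Apple WWDR CA name.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not code from the question or the answer. Two local pre-flight
// checks for the MDM vendor CSR signing step, so that a failure can be attributed
// to the signature or to the certificate chain before anything is uploaded.
public static class MdmCsrSigningCheck
{
    // SHA1withRSA with PKCS#1 v1.5 padding, base64-encoded, as in the question's
    // DoSign(); uses the newer RSA API so it works for CSP and CNG keys alike.
    public static string SignCsr(X509Certificate2 signerCert, byte[] csrDerBytes)
    {
        using (RSA rsa = signerCert.GetRSAPrivateKey())
        {
            if (rsa == null) throw new InvalidOperationException("signer cert has no RSA private key");
            byte[] sig = rsa.SignData(csrDerBytes, HashAlgorithmName.SHA1, RSASignaturePadding.Pkcs1);
            return Convert.ToBase64String(sig);
        }
    }

    // Check 1: does the signature verify under the signer's own public key?
    // If this fails the signing code is at fault; if it passes, look at the chain.
    public static bool SignatureVerifies(X509Certificate2 signerCert, byte[] csrDerBytes, string base64Sig)
    {
        using (RSA rsa = signerCert.GetRSAPublicKey())
        {
            return rsa.VerifyData(csrDerBytes, Convert.FromBase64String(base64Sig),
                                  HashAlgorithmName.SHA1, RSASignaturePadding.Pkcs1);
        }
    }

    // Check 2: do the CA certificates we intend to embed in the plist really link the
    // signer cert to the CA we expect? expectedIssuerSubstring is supplied by the
    // caller (for the real flow, a distinctive part of the Apple WWDR CA subject name).
    public static string CheckChain(X509Certificate2 signerCert, X509Certificate2[] caCerts,
                                    string expectedIssuerSubstring)
    {
        if (caCerts.Length == 0) return "no CA certificate supplied";
        if (caCerts[0].Subject.IndexOf(expectedIssuerSubstring, StringComparison.OrdinalIgnoreCase) < 0)
            return "first CA cert is '" + caCerts[0].Subject + "', not the expected issuer";

        using (var chain = new X509Chain())
        {
            // We are checking that the certs fit together, not whether this machine
            // trusts the root, so an unknown root is tolerated; a signature mismatch
            // between the certificates is still reported in ChainStatus.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
            chain.ChainPolicy.ExtraStore.AddRange(caCerts);
            if (chain.Build(signerCert)) return "ok";
            return string.Join("; ", chain.ChainStatus.Select(
                s => s.Status + ": " + (s.StatusInformation ?? "").Trim()));
        }
    }

    // Demo with a throwaway CA and vendor cert generated in memory (constructed test
    // data, not Apple-issued certificates), plus a deliberately unrelated CA.
    public static void Main()
    {
        using (RSA caKey = RSA.Create(2048))
        using (RSA vendorKey = RSA.Create(2048))
        using (RSA otherKey = RSA.Create(2048))
        {
            var caReq = new CertificateRequest("CN=Test Vendor Issuing CA", caKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            caReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
            X509Certificate2 ca = caReq.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));

            var vendorReq = new CertificateRequest("CN=Test MDM Vendor", vendorKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            X509Certificate2 vendor = vendorReq
                .Create(ca, DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddMonths(6), new byte[] { 1, 2, 3, 4 })
                .CopyWithPrivateKey(vendorKey);

            var otherReq = new CertificateRequest("CN=Unrelated CA", otherKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            otherReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
            X509Certificate2 other = otherReq.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));

            byte[] csrDer = new byte[] { 0x30, 0x03, 0x02, 0x01, 0x00 }; // constructed stand-in for the CSR DER bytes
            string sig = SignCsr(vendor, csrDer);

            Console.WriteLine("signature verifies: " + SignatureVerifies(vendor, csrDer, sig));
            Console.WriteLine("right CA chain:     " + CheckChain(vendor, new[] { ca }, "Test Vendor Issuing CA"));
            Console.WriteLine("wrong CA chain:     " + CheckChain(vendor, new[] { other }, "Test Vendor Issuing CA"));
        }
    }
}
```

Running both checks on the real vendor certificate and the PEM chain you are about to embed makes the server's "signature invalid" response actionable: if SignatureVerifies returns true and CheckChain does not return "ok", the chain (as in the accepted answer) is the thing to fix, not DoSign.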