
I am developing an MDM server and I have a problem with one of the enrollment steps. The problem is the SCEP step. I implemented a SCEP server which handles the device's CACert request and sends our server certificate in DER format. After that, the device sends an encrypted and signed CSR.
But I cannot verify the signature of the message. I think the device creates a self-signed certificate and signs the message with it. We think that because the signing certificate's common name changes with each "PKIOperation" request. But we must verify this signature for security reasons.

For example, in each of 3 enrollment requests, the certificate used to sign the CSR changed. Their common names are:

    CN=6E4F65AD-1E64-4E4D-A96E-2039EB140041
    CN=2E33C2CC-14B8-47AC-938B-DCC7F8DA8715
    CN=6817ED48-AB79-4FF0-A1A9-42C2AC303672

Note: In the other steps of enrollment, the device signs messages with the proper certificate and I can verify them. Only the SCEP PKIOperation request is my problem. Is there any profile flag to set, or something else, to solve this problem?


1 Answer


I may be wrong in some details, because I touched this about two years ago.

However, as I remember, it's part of the protocol.

If you take a look at the SCEP draft, http://tools.ietf.org/html/draft-nourse-scep-23#page-30, you will see this:

    When building a pkiMessage, clients MUST have a certificate to sign
    the PKCS#7 [RFC2315] signed-data (because PKCS#7 [RFC2315] requires
    it).  Clients MUST either use an existing certificate, or create a
    self-signed certificate (see Section 2.3).

and:

    If the requester does not have an appropriate existing
    certificate, then a locally generated self-signed certificate
    MUST be used instead.  The self-signed certificate MUST use the
    same subject name as in the PKCS#10 request.

However, I was under the impression that the iOS device uses certificates/private keys which are built into the device, and that this certificate is signed using Apple certs. And actually, as I remember, they had exactly the format of CN which you showed.

So, generally speaking, it's OK if the device uses a self-signed certificate for the first communication to the SCEP server (PKIOperation) and uses a certificate issued by your CA later on.
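The server-side check that follows from the quoted draft text, as an added example that is not code from the question, the answer or any MDM product. Because the PKIOperation signer certificate is self-signed, there is nothing to chain it to; what the server can and should verify is that the certificate really is self-signed, that its subject matches the PKCS#10 request (the draft's requirement), that it carries the same key as the CSR, and that the message signature verifies under that key. None of this authenticates the device; that remains the job of the CSR's challengePassword or an equivalent out-of-band binding. The example uses only Go's standard library; the PKCS#7 SignedData framing is left out and the signed content is modelled as a plain byte string with an ECDSA signature over it (an assumption for the demo, as are the `PKIOperation` type and the two function names). The client side is included only to construct the same artifacts an iOS-style client would send.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKIOperation is a constructed stand-in for what the SCEP client sends:
// the PKCS#10 request, the self-signed certificate carried in the PKCS#7
// SignedData "certificates" field, and the signature over the message body.
// The real PKCS#7/CMS framing is omitted; only the trust decisions are modelled.
type PKIOperation struct {
	CSR        []byte // DER PKCS#10
	SignerCert []byte // DER X.509, self-signed by the enrolling key
	Body       []byte // content that was signed (stands in for the EnvelopedData)
	Signature  []byte // ECDSA ASN.1 signature over SHA-256(Body)
}

// newPKIOperation mimics the client side of the draft: generate the enrolment
// key, build a CSR for CN=<device UUID>, and, having no CA-issued certificate,
// self-sign one for the same subject and key to sign the message with.
func newPKIOperation(cn string, body []byte) (*PKIOperation, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	subject := pkix.Name{CommonName: cn}
	csr, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: subject}, key)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	// parent == template and the signer is the certified key: self-signed.
	cert, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return nil, err
	}
	return &PKIOperation{CSR: csr, SignerCert: cert, Body: body, Signature: sig}, nil
}

// verifyPKIOperation is the server-side check. It does not try to chain the
// signer certificate to a CA; it verifies that the message was signed by the
// key being enrolled, which is all a self-signed signer can prove.
func verifyPKIOperation(op *PKIOperation) (*x509.CertificateRequest, error) {
	cert, err := x509.ParseCertificate(op.SignerCert)
	if err != nil {
		return nil, fmt.Errorf("signer cert: %w", err)
	}
	// 1. Self-signed: issuer equals subject and the signature verifies under the
	//    certificate's own key. CheckSignature rather than CheckSignatureFrom,
	//    because the signer is not a CA and would fail the basicConstraints check.
	if cert.Issuer.String() != cert.Subject.String() {
		return nil, fmt.Errorf("signer cert is not self-issued")
	}
	if err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil {
		return nil, fmt.Errorf("signer cert self-signature: %w", err)
	}
	// 2. The CSR must parse and carry a valid proof of possession.
	csr, err := x509.ParseCertificateRequest(op.CSR)
	if err != nil {
		return nil, fmt.Errorf("csr: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("csr signature: %w", err)
	}
	// 3. Draft requirement: same subject name in the self-signed cert and the PKCS#10.
	if csr.Subject.String() != cert.Subject.String() {
		return nil, fmt.Errorf("subject mismatch: csr=%q signer=%q", csr.Subject, cert.Subject)
	}
	// 4. Bind the signer to the enrolling key: both must carry the same public key.
	pub, ok := cert.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if !ok || !pub.Equal(csr.PublicKey) {
		return nil, fmt.Errorf("signer cert key differs from CSR key")
	}
	// 5. Only now verify the message signature with the signer's key.
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, op.Body, op.Signature); err != nil {
		return nil, fmt.Errorf("pkiMessage signature: %w", err)
	}
	return csr, nil
}

func main() {
	op, err := newPKIOperation("6E4F65AD-1E64-4E4D-A96E-2039EB140041", []byte("constructed pkcsPKCSReq body"))
	if err != nil {
		panic(err)
	}
	csr, err := verifyPKIOperation(op)
	if err != nil {
		panic(err)
	}
	fmt.Println("verified PKIOperation for", csr.Subject.CommonName)
}
```

In a real server the signer certificate comes out of the SignedData's certificates field and the body is the DER of the EnvelopedData; the five checks stay the same. Step 4 is stricter than the quoted draft text, which only mandates the subject match, but without it a signer certificate for the right name and the wrong key would pass.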