
Mirek S.

ESET Staff
Posts posted by Mirek S.


  1. Hello,

    Apple APNS endpoint has this chain

     0 s:/C=US/ST=California/L=Cupertino/O=Apple Inc./CN=gateway.push.apple.com
       i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
     1 s:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
       i:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)

    So the required root CA is "Entrust.net Certification Authority (2048)" - this, however, might vary depending on your geolocation. You might test this with openssl - "openssl s_client -connect gateway.push.apple.com:2195"

    The root CA must be installed into the system certificate store; MDM does not use the CA machinery built into ESMC.

    HTH,

    M.


  2. Hello,

    Short answer: Please add the root CA of your 3rd party certificate into the pkcs#12 which is configured as the HTTPS certificate. See, for example, this thread.

    Long answer: Certificates provided by 3rd party certification authorities (usually) don't contain the root CA, as trust is established by the system certificate store and the certificate and chain provided by the HTTPS server. We require the root CA in the configured pkcs#12 as we establish MDM - device trust during device enrollment - we install the root CA onto the device. In our wording we note the chain even if - only - the root CA is missing (as it's impossible to determine whether the chain is complete without the root CA, even though it's not technically correct).

    HTH,

    M.
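An added example, not part of the original posts or of any ESET tooling: it reads an "openssl s_client" chain listing like the one in the first post, names the root CA the system store must supply, and reports whether the listing already ends in a self-signed root, which is the "chain is missing" case from the second post. The function names are illustrative, and it assumes the one-line "/C=.../CN=..." DN format shown in the post.

```python
import re

# Chain listing quoted from the first post ("openssl s_client" output).
SAMPLE = """\
 0 s:/C=US/ST=California/L=Cupertino/O=Apple Inc./CN=gateway.push.apple.com
   i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
 1 s:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
   i:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
"""

# Matches " 0 s:<dn>" and "   i:<dn>" lines; other s_client output is skipped.
LINE = re.compile(r"^\s*(?:\d+\s+)?([si]):(.*)$")

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        kind, dn = m.group(1), m.group(2).strip()
        if kind == "s":
            chain.append([dn, None])
        elif chain:
            chain[-1][1] = dn
    return [tuple(c) for c in chain if c[1] is not None]

def common_name(dn):
    # DN values may contain "/" (e.g. "www.entrust.net/legal-terms"),
    # so take what follows the last "/CN=" instead of splitting on "/".
    idx = dn.rfind("/CN=")
    return dn[idx + 4:] if idx >= 0 else dn

def analyse(text):
    chain = parse_chain(text)
    if not chain:
        raise ValueError("no s:/i: lines found")
    # Each certificate must be issued by the next one in the list.
    linked = all(chain[n][1] == chain[n + 1][0] for n in range(len(chain) - 1))
    top_subject, top_issuer = chain[-1]
    root_included = top_subject == top_issuer  # self-signed entry = root present
    return {"depth": len(chain), "linked": linked,
            "root_included": root_included,
            "required_root": common_name(top_issuer)}

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

A subject/issuer name match only shows how the listing is linked; it does not verify signatures or trust.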
