Mobile Device Management iOS 6 profiles “Not Verified”

By on February 19th, 2013 in Technical

There is a difference between the way iOS 5 and iOS 6 handle verified SSL certificates. I have just been installing a cloud based IBM Endpoint Manager solution that included Mobile Device Management for iPhones. The iOS management extender was installed with a verified signed SSL certificates.

During testing I logged in an iPhone running iOS 5.1.1 and the profile appears as “Verified” so the single signed SSL certificate is installed correctly for iOS 5.1.1.

Next I logged in an iPhone running iOS 6.0.1 and the profile appeared as “Not Verified”, this is a problem as the end users will be presented with several screens highlighting that the authenticity of the certificate associated with the profile cannot be verified.

Picture iOS 6 Profile Not Verified

iOS 6 Profile Not Verified

Picture iOS 6 unverified profile

Warning iOS 6 unverified profile

After a bit of searching the internet, it seems that iOS 6 requires the intermediate certificates to be presented as well in order for the Profiles to be verified.

 

 

 

 

How do you get iOS 6 profiles verified with IBM Endpoint Manager’s Mobile Device Management?

1. Download a verified PKCS#7 format certificate that contains the full chain of certificates including the root certificate.

2. Extract the three certificates in PEM format which will give you something similar to the following:

Your certificate

subject=/OU=Domain Control Validated/CN=*.orb-data.com
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA – G2
—–BEGIN CERTIFICATE—–
MIIE4jCCA8qgAwIBAgISESFdBCDHzs57LaBek+2OqGmfMA0GCSqGSIb3DQEBBQUA….

—–END CERTIFICATE—–

The intermediate certificate

subject=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA – G2
issuer=/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
—–BEGIN CERTIFICATE—–
MIIEWjCCA0KgAwIBAgILBACCAAABL07hQUMwDQYJKoZIhvcNAQEFBQAwVzELMAkG….

—–END CERTIFICATE—–

The root certificate

subject=/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
issuer=/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
—–BEGIN CERTIFICATE—–
MIIDdTCCAl2gAwIBAgILBAACCAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG…

—–END CERTIFICATE—–

3. Create a .PEM file that contains just your certificate, this must start with

—–BEGIN CERTIFICATE—– and end with —–END CERTIFICATE—–

4. Create a .PEM file that contains both the intermediate certificate and the root certificate.

This file must start with the intermediate certificate

—–BEGIN CERTIFICATE—– and end with —–END CERTIFICATE—–

Then the root certificate

—–BEGIN CERTIFICATE—– and end with —–END CERTIFICATE—–

 

5. Configure the iOS management extender to use both of the above certificates.

Configure iOS extender

Configure intermediate certificates

The Intermediate certificate is not optional if you want to support iOS 6 devices.

Visits: 140