Signing iOS mobileconfig files with your certificate

If you’ve ever used Apple’s iPhone Configuration Utility, you’ve probably noticed that it says ‘Unsigned’ when you send the .mobileconfig file to your device. To sign the profile, export or email the config file to yourself, have your certificate files handy, and type the following:

openssl smime \
-sign \
-signer your-cert.pem \
-inkey your-priv-key.pem \
-certfile TheCertChain.pem \
-nodetach \
-outform der \
-in ConfigProfile.mobileconfig \
-out ConfigProfile_signed.mobileconfig

The files you’ll need are:

your-cert.pem – this is the certificate you’ve been issued
your-priv-key.pem – this is your private key
TheCertChain.pem – this is the certificate chain (optional, in some cases)
ConfigProfile.mobileconfig – this is the unsigned copy of your configuration profile

The original instructions are located here.
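
To check the result before sending it to a device, the script below signs a profile with the command above, verifies the signature with openssl, and lists the certificates embedded in the signed file. It is an added example, not part of the original instructions: the throwaway self-signed certificate, its CN, the minimal profile contents and the function names are all constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example: certificate, CN and profile contents are constructed for the demo.

make_demo_inputs() {            # $1 = working directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo Profile Signer" \
    -keyout "$1/your-priv-key.pem" -out "$1/your-cert.pem" 2>/dev/null
  cat > "$1/ConfigProfile.mobileconfig" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadIdentifier</key><string>com.example.demo</string>
  <key>PayloadType</key><string>Configuration</string>
</dict></plist>
EOF
}

sign_profile() {                # $1 = working directory
  # Same command as in the article; -certfile is omitted because the
  # self-signed demo certificate has no chain.
  openssl smime -sign -signer "$1/your-cert.pem" -inkey "$1/your-priv-key.pem" \
    -nodetach -outform der \
    -in "$1/ConfigProfile.mobileconfig" -out "$1/ConfigProfile_signed.mobileconfig"
}

verify_profile() {              # $1 = signed profile, $2 = trusted CA file, $3 = recovered payload
  # -purpose any: TLS server certificates usually lack the S/MIME usage
  # that openssl's default purpose check expects.
  openssl smime -verify -inform der -in "$1" -CAfile "$2" -purpose any -out "$3" 2>/dev/null
}

list_embedded_certs() {         # $1 = signed profile; prints subject/issuer of each certificate
  openssl pkcs7 -inform der -in "$1" -print_certs -noout
}

signer_public_key() {           # $1 = signed profile; public key of the first embedded certificate
  openssl pkcs7 -inform der -in "$1" -print_certs | openssl x509 -pubkey -noout
}

demo() {
  d=$(mktemp -d)
  make_demo_inputs "$d" && sign_profile "$d" &&
    verify_profile "$d/ConfigProfile_signed.mobileconfig" "$d/your-cert.pem" "$d/recovered.plist" &&
    echo "signature OK" && list_embedded_certs "$d/ConfigProfile_signed.mobileconfig"
  rm -rf "$d"
}
demo
```

For a profile signed with a CA-issued certificate, pass that CA's root (plus any intermediates not given via -certfile) as the second argument to verify_profile instead of the signer certificate itself.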

7 thoughts on “Signing iOS mobileconfig files with your certificate”

  1. Thanks, that was useful.
    Also, would you know how to get the certificate/public key out of a signed profile?
    I get a response from the iPhone/iPad during MDM registration and I need to take out the public key from it so that I can encrypt when I send the mobileconfig to the iPhone/iPad.

  2. Can you tell me where I can get these files?

    your-cert.pem – this is the certificate you’ve been issued
    your-priv-key.pem – this is your private key
    TheCertChain.pem – this is the certificate chain (optional, in some cases)

  3. Hi,
    thanks for this info. However, I create a valid configuration profile using iPhone Configuration Utility. I can install this profile from my webserver. But if I try signing it with my server certificate using your code, it won’t work. I’m testing iOS 6, not sure if that is relevant.
    Thank you!

  4. Hey there. I have been attempting the above OpenSSL command with some files I found in ‘/etc/certificates/’; however, it gives a bad decrypt error. I then tried exporting the certificate issued to me through Keychain Access and then got an ‘Expecting: TRUSTED CERTIFICATE’ error. I’m just wondering where exactly we get the said files: whether they are located at some default location on the system, or exported or requested via Keychain Access.

  5. You’ll need to use certificates you’ve purchased from a company such as DigiCert or RapidSSL. Self-signed certificates won’t work (unless you’ve installed a CA previously on the device).

  6. Thank you, that worked for me. Great! I was searching so long for this! Could you please tell me how to use this with PHP on a web server?
