October 28, 2013

Encrypt and Sign iOS MobileConfig files with openssl

iPhone Configuration Utility (iPCU) is a great app for creating mobileconfig profiles for iOS devices. With profiles you can configure Wi-Fi and VPNs, install certificates and S/MIME identities, and set up other functions. I was looking for a way to encrypt the mobileconfig files so they can be securely emailed to clients. After a little help from various forum posts, I developed a set of openssl scripts to encrypt and sign the config files.

The encryption protects the files in transit. The signature lets the iOS device verify that the file has not been tampered with. You will need a certificate authority root certificate and a signing certificate to sign the files. You will also need a certificate for the iOS device, which I will call the machine certificate.

Export the configuration profile from iPCU with a name like myProfile.mobileconfig.

To encrypt the payload, first separate it from the rest of the file into a temporary file: copy everything immediately below the PayloadContent key, from the opening <array> tag through the closing </array> tag, inclusive. Then encrypt that payload file with openssl as shown below.

myProfile-payload.tmp = temporary file with just the payload
myProfile-payload-enc.tmp = temporary file with the payload encrypted
machineCert.pem = public key (certificate) of the machine certificate

openssl smime -encrypt \
        -aes256 \
        -outform pem \
        -in myProfile-payload.tmp \
        -out myProfile-payload-enc.tmp \
        machineCert.pem

Now replace the clear-text payload in the mobileconfig file with the encrypted one: change the PayloadContent key to EncryptedPayloadContent, and put the encrypted content between new <data> and </data> tags in place of the <array> block. Remove the BEGIN PKCS7 and END PKCS7 lines so that only the base64 body remains inside the <data> element.

You now have a mobileconfig with an encrypted payload. It was encrypted to the public key of the machine certificate, so the machine certificate and its private key must be on the iOS device before the config can be installed.

Now to sign the file.

myProfile-enc.mobileconfig = profile with encrypted payload
signingCert.pem = public key (certificate) of the signing certificate
signingKey.pem = private key of the signing certificate
myProfile-signed-enc.mobileconfig = encrypted and signed mobileconfig ready to deploy

openssl smime -sign \
        -nodetach \
        -in myProfile-enc.mobileconfig \
        -signer signingCert.pem \
        -inkey signingKey.pem \
        -outform der \
        -out myProfile-signed-enc.mobileconfig

The mobileconfig is now encrypted and signed. The same certificate could be used for both operations, but I use a machine cert to encrypt and a separate cert to sign.
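The whole procedure above (extract the payload, encrypt it, rewrite the profile, sign it) as one script, added here as an example rather than the post's own scripts. It builds a constructed sample profile in the layout iPCU exports, generates throwaway self-signed certificates to stand in for the machine and signing certs, runs the two openssl commands from the post, and then does the pre-flight checks a practitioner wants before sending anything to a device: verify the signature against the trust anchor and decrypt the payload back with the machine key. File names follow the post; the sample plist contents, the certificate subjects and the helper function names are assumptions of this example.

```shell
# Added example, not the post's script: runs the procedure above on a constructed sample
# profile with throwaway self-signed certs, then checks the result before it would be sent.
set -eu

# Constructed stand-in for an iPCU export; PayloadContent holds the payload array.
make_sample_profile() {
cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.wifi.managed</string>
      <key>SSID_STR</key>
      <string>ExampleNet</string>
    </dict>
  </array>
  <key>PayloadIdentifier</key>
  <string>com.example.profile</string>
  <key>PayloadType</key>
  <string>Configuration</string>
</dict>
</plist>
EOF
}

# Throwaway self-signed certs (constructed) standing in for the machine and signing certs.
make_test_certs() {
  for name in machine signing; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name-example" \
      -keyout "$1/${name}Key.pem" -out "$1/${name}Cert.pem" 2>/dev/null
  done
}

# Print the <array>...</array> after the top-level PayloadContent key. Nesting is tracked so
# an array inside a payload does not end the copy early; the "want" guard keeps a
# PayloadContent key inside a certificate payload from being dropped.
extract_payload() {
  awk '!want && /<key>PayloadContent<\/key>/ { want = 1; next }
       want && /<array>/   { depth++ }
       want && depth > 0   { print }
       want && /<\/array>/ { depth--; if (depth == 0) exit }' "$1"
}

# The post's encrypt command, then drop the BEGIN/END PKCS7 lines so only base64 remains.
encrypt_payload() {  # payload_in machineCert b64_out
  openssl smime -encrypt -aes256 -outform pem -in "$1" "$2" | sed '/^-----/d' > "$3"
}

# Rewrite the profile: PayloadContent becomes EncryptedPayloadContent with a <data> body,
# and the clear-text array is skipped.
build_encrypted_profile() {  # profile_in b64_in profile_out
  awk -v b64="$2" '
    !done && /<key>PayloadContent<\/key>/ {
        print "  <key>EncryptedPayloadContent</key>"; print "  <data>"
        while ((getline line < b64) > 0) print "  " line
        close(b64); print "  </data>"; done = 1; skip = 1; next }
    skip && /<array>/   { depth++ }
    skip && /<\/array>/ { depth--; if (depth == 0) skip = 0; next }
    skip { next }
    { print }' "$1" > "$3"
}

# The post's sign command: DER PKCS7 with the profile attached (-nodetach).
sign_profile() {  # profile_in signingCert signingKey signed_out
  openssl smime -sign -nodetach -in "$1" -signer "$2" -inkey "$3" -outform der -out "$4"
}

# Pre-flight checks: the signature must verify against the CA the device trusts, and the
# machine key must really recover the payload from the rewritten profile.
verify_signed_profile() {  # signed_in caCert recovered_out
  openssl smime -verify -inform der -in "$1" -CAfile "$2" -out "$3" 2>/dev/null
}
decrypt_payload() {  # enc_profile machineCert machineKey payload_out
  { echo '-----BEGIN PKCS7-----'
    awk '!seen && /<data>/ { on = 1; seen = 1; next }
         /<\/data>/ { on = 0 }
         on { sub(/^ */, ""); print }' "$1"
    echo '-----END PKCS7-----'; } |
  openssl smime -decrypt -inform pem -recip "$2" -inkey "$3" -out "$4"
}

# End to end: build, encrypt, sign, then verify and decrypt what was produced.
run_pipeline() {  # workdir
  d="$1"
  make_sample_profile "$d/myProfile.mobileconfig"
  make_test_certs "$d"
  extract_payload "$d/myProfile.mobileconfig" > "$d/myProfile-payload.tmp"
  encrypt_payload "$d/myProfile-payload.tmp" "$d/machineCert.pem" "$d/myProfile-payload-enc.tmp"
  build_encrypted_profile "$d/myProfile.mobileconfig" "$d/myProfile-payload-enc.tmp" "$d/myProfile-enc.mobileconfig"
  sign_profile "$d/myProfile-enc.mobileconfig" "$d/signingCert.pem" "$d/signingKey.pem" "$d/myProfile-signed-enc.mobileconfig"
  verify_signed_profile "$d/myProfile-signed-enc.mobileconfig" "$d/signingCert.pem" "$d/verified.tmp"
  decrypt_payload "$d/myProfile-enc.mobileconfig" "$d/machineCert.pem" "$d/machineKey.pem" "$d/decrypted.tmp"
  # openssl smime canonicalises line ends to CRLF unless -binary is given; drop CRs to compare
  tr -d '\r' < "$d/decrypted.tmp" | cmp -s - "$d/myProfile-payload.tmp" &&
  tr -d '\r' < "$d/verified.tmp" | cmp -s - "$d/myProfile-enc.mobileconfig"
}

WORK="${WORK:-$(mktemp -d)}"
run_pipeline "$WORK" && echo "built and verified: $WORK/myProfile-signed-enc.mobileconfig"
```

With real certificates, replace make_test_certs with the machine and signing certs issued by your own CA and pass the CA root certificate as the -CAfile argument of verify_signed_profile, because that is what the iOS device will check the signature against once the root has been installed. The decrypt check is worth keeping even when everything looks right: a payload encrypted to the wrong certificate still produces a plausible-looking profile, and the device only reports the failure at install time.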

The file can now be transferred to the iOS device by any means such as email or a web page.

Signing the file lets the iOS device verify the integrity of the config file; you will see a green Verified in the profile list on the device.

I deliver the CA root certificate by email or from a web page; it is a public key, so confidentiality is not an issue. Next I deliver the machine cert package as a PKCS#12 via a private internal SSL web page. Once the iOS device has those items, you can send encrypted configs by email or through an open web page. The iOS device never has to physically connect to the iPCU.

Wi-Fi settings seem to work on OS X as well, but I was unable to get VPNs or certificate delivery to work on OS X.

The iPCU app can sign and encrypt profiles itself, but it does so with a self-signed certificate, and the iOS device must be physically attached to the iPCU computer to transfer that self-signed cert. The self-signed cert is only good for two years; to create another you have to delete the iPCU preference plist, restart the program, and reconnect the iOS device. Profile distribution can also be done with OS X Server, but that seemed like overkill to me.

Another post will describe the openssl commands I use to create certificates from my own CA.

5 comments:

  1. What is machine cert?

     Replies
     1. Machine cert is a certificate I made for my machine. I just call it a machine certificate. For instance, "MacBookPro".

  2. I got an invalid profile after following the above command to sign.

  3. Do you know how to install machine public and private keys in the iOS device?