Reputation: 147
Trying to set up an iOS MDM server and stuck with the iPhone trying to get the CA certificate from the SCEP.
I'm using OpenCA as my SCEP server with a self-signed cert. The SCEP request from the iPhone comes in with parameters: operation=GetCACert&message=EnrollmentCAInstance, but the iPhone does not like the response.
Using the sscep tool to test my SCEP server, I confirm that the CA and RA certificates are being sent out in response to the request.
So can someone shed some light on:
- Any special headers (MIME type et al.) that are required by Apple in the SCEP GetCACert response?
- Should the response be a binary response or base64 encoded or any other type of format?
- Does the SCEP have to have any relationship with my MDM server (i.e. in terms of a common root certificate or the cert used to sign the MDM response to the iPhone in the initial profile request)?
- Anyone know of a public SCEP server I can access to check what a valid GetCACert response looks like?
Upvotes: 1
Views: 1470
Reputation: 23268
I worked with iOS SCEP quite a long time ago, so I don't remember all the details. However, I have answers to several of your questions:
> Does the SCEP have to have any relationship with my MDM server
No. The CA/RA is an absolutely standalone entity and doesn't have to have anything in common with the MDM.
> Anyone know of a public SCEP server I can access to check what a valid GetCACert response looks like?
You can take a look at jSCEP. It's an open source, lightweight SCEP implementation, and I know that it works with iOS.
I would recommend setting it up and checking what it returns.
Upvotes: 1