Sign an iPhone configuration profile with Server certificate

Question

I already found a thread with a similar topic but I wasn't able to solve my problem this way, so I hope I get help here.

I'm trying to sign a iPhone config profile with my servers SSL certificate on Mac OS X:

openssl smime -sign -in company.mobileconfig -out signed.mobileconfig -signer server.crt -inkey server.key -certfile ca.crt -outform der -nodetach

Unfortunately I get the following error

unable to load certificate

I'm don't know what I'm doing wrong - I use the following certs:

server.crt:

-----BEGIN CERTIFICATE-----
MIIHV.....
-----END CERTIFICATE-----

server.key:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC, .....

sHK1......
-----END RSA PRIVATE KEY-----

ca.crt: from http://www.startssl.com/certs/

All certificates are in the same folder 'iphone' I changed to with

ch /Volumes/Daten/.../iphone

So now I'm on

localhost:iphone Stefan$

Many thanks for your help in advance!

Regards Stefan

Answer 1

Let's imagine that you are using Let's Enrcypt, you might get certificate.pem, privatekey.pem, chain.pem, fullchain.pem.

-signer should be certificate.pem which is the certificate of the server.

-inkey should be private.key of the server.

-certfile should be fullchain.pem

The chain.pem is the certificate chain including CA ROOT without certificate.pem, while fullchain.pem including everything.

Answer 2

The answer is:

openssl smime -sign -signer cert.pem -inkey key.pem -certfile ca-bundle.pem -nodetach -outform der -in profile-uns.mobileconfig -out profile-sig.mobileconfig

with ca-bundle.pem is the cert chain of a CA.