Here is the basic idea :
We want to put a entreprise generated cert on idevices, using the apple iPCU utility.
( iOS version 5 is used with the SA at version 7.1R5)
Here is some info from Apple regarding the iPCU utility :
On first launch iPCU creates a self-signed certificate in the Mac OS X keychain or
Windows certificate store (run certmgr.msc and navigate to "ipcu" to view it). This
certificate is then silently installed onto any iDevice that is connected to iPCU, and
cannot be removed. Configuration profiles that are subsequently installed are signed
with this certificate, which allows iDevices to validate profile authenticity.
When you install a configuration profile directly on a device using USB, the
configuration profile is automatically signed and encrypted before being transferred to
the device. iPhone Configuration Utility automatically installs a certificate on the
device for this purpose; you can see the certificate in the Summary pane. The message
This certificate was signed by an untrusted issuerÓ is normal and expected, because
itÕs self-signed. Any updates to this profile must be signed by the same copy of iPhone
Configuration Utility. For this reason, you should use one copy of the utility to
install and export configuration profiles.Ó
We see ( screenshot attached ) that it is complaining that the cert number a81097 bla bla bla is not trusted by the SA.
The problem is how to get this iPCU certificate in the SA boxÉ.
The local cert store of the machine where the iPCU utility is installed, got the ipcu cert in it.
When i try to export it and install it on the SA, it give me " basic constrain failure, missing root or parent CA " which i supposed mean that it does not have the CA of that cert.
I did open a ticket with support, got to level 2, and they never saw that.
Just another point. I don't really care about the iPCU utility. The thing is if i try to install the cert by sending it via email and opening it on the idevice, it's not showing in the junos pulse cert. Is this normal ?
I've stumble on this,: http://stackoverflow.com/questions/7648487/how-to-list-certificates-from-the-iphone-keychain-inside-..., but i'm not sure what it means.
I'm quite sure somebody made this work...
Thanks a lot for the help.
How are you generating the certificate?
Is it self signed certificate or do you have private ca in your network?
If it is self signed certificate you can import that to the SA but if this is a private ca you have to install the private CA certificate in to the SA and iphone
The following KB, even though it is for activesync setup, should expain and help you with certificates and how to install on iPhone using IPCU.
I've ran a few tests and the iPCU should not be the cause of the issue. I've found that the iPCU CA is considered the signer when the iPCU utility signs the mobile configuration file. If you do not sign the mobile configuration file, then the iPCU CA will not appear when you import the configuration. This means when the iOS device states iPCU as a signer, this is only referring to the profile, not the certificate.
I've tested both scenarios (signed and did not sign the mobile configuration file) and this did not change the behavior of client authentication with Junos Pulse. I was able to use the certificate in both scenarios. This should confirm the iPCU CA is not the root cause of the issue. Also, I found it interesting that importing the client certificate worked and did not require to import the root ca to trust the client certificate.
I was able to duplicate this issue when I selected the default client/device certificate within the iOS devices which appears as a hash in the Junos Pulse client. In this case, this certificate is signed by the iPCU CA and the reason why the message states it cannot trust this certificate. If there is only one certificate which appears as a hash in Junos Pulse, this means Junos Pulse does not detect the imported certificate as a valid client authentication certificate. This usually points to an issue with how the certificate was issued and missing the "Client Authentication" key usage on the certificate.
Exact. The client send me back a correctly generated cert and that did the trick. I must say that I had never heard of ipcu and the like before. That have been a nice learning experience. Thanks all for your input.