Mac Security

Lambda to Sign Configuration Profiles

I recently needed to sign .mobileconfig files without relying on a private key being present on a client device. This Java project signs .mobileconfig files for distribution to iOS, tvOS, iPadOS and macOS devices. It is built to be hosted in a Lambda so you don't need to keep signing keys in a client-side app (it wouldn't be too challenging to move it to a Google Cloud Function). Download it at https://github.com/krypted/mobileconfigsigner

Lambda input parameters, if you call it from a web or Swift app:

  • bucketName – the name of the S3 bucket that holds the PEM files and the file to sign
  • signerFile (e.g. ca.key in the example source) – name of the file in the S3 bucket; this is the file you supplied as the -signer variable
  • keyFile (e.g. key.pem in the example source) – name of the file in the S3 bucket; this is the file you supplied as the -inkey variable
  • certFile (e.g. cert.pem in the example source) – name of the file in the S3 bucket; this is the file you supplied as the -certfile variable
  • fileToSign (e.g. profiletemplate in the example source) – name of the file in the S3 bucket; this is the file you used as the -in variable

This function writes the signed bytes to the console; you can copy them and use them as you like, or pipe them into another service.

Important:

  • the role you assign to the Lambda function needs to have access to the S3 bucket; a sample policy would be: {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"]}]}

Also, the certs in the example are self-signed and were generated on my laptop. I left them in as samples, but you should replace them with a certificate issued by a third-party CA. The password for the example certs is just "test". You could also add a bit of logic to pull the key from AWS Secrets Manager instead.
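As an added illustration (this is not code from the mobileconfigsigner project), the shell script below does locally what the Lambda does with the four objects it reads from S3: it creates a throwaway self-signed certificate and key standing in for cert.pem and key.pem, writes a constructed minimal profile as profiletemplate, signs it with the openssl smime flags the parameters above map to (-signer, -inkey, -certfile, -in) as an attached DER PKCS#7 blob, then verifies the result and shows that a modified blob fails verification. The working directory, subject CN, and the profile's identifier and UUID are placeholder values.

```shell
#!/bin/sh
# Added example, not part of the mobileconfigsigner project: reproduce the
# Lambda's signing step locally with openssl. All file names, the subject
# CN and the profile identifiers are placeholders constructed for the demo.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample input: a minimal unsigned profile (plist XML), playing
# the role of "profiletemplate" in the Lambda's fileToSign parameter.
write_sample_profile() {
  cat > "$WORK/profiletemplate" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array/>
  <key>PayloadDisplayName</key>
  <string>Example Profile</string>
  <key>PayloadIdentifier</key>
  <string>com.example.profile</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>00000000-0000-4000-8000-000000000001</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
EOF
}

# Throwaway self-signed signer, standing in for cert.pem / key.pem. A real
# deployment uses a certificate from a public CA so devices already trust it.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Profile Signer" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# The signing step itself: -signer/-inkey/-certfile/-in are the flags the
# Lambda parameters map to. -nodetach embeds the plist in the PKCS#7 and
# -outform der yields the binary blob Apple devices expect.
sign_profile() {
  openssl smime -sign -binary -nodetach -outform der \
    -signer "$WORK/cert.pem" -inkey "$WORK/key.pem" -certfile "$WORK/cert.pem" \
    -in "$WORK/profiletemplate" -out "$WORK/profile.mobileconfig"
}

# Verify the signature against the trusted cert and extract the embedded plist.
# Exit status 0 means the signature is valid and chains to cert.pem.
verify_profile() {
  openssl smime -verify -binary -inform der -CAfile "$WORK/cert.pem" \
    -in "$WORK/profile.mobileconfig" -out "$WORK/extracted.plist" >/dev/null 2>&1
}

# Tamper check: rewrite every 'E' byte in the signed blob and confirm that
# verification now fails. Returns 0 when the tampering is detected.
tamper_is_detected() {
  LC_ALL=C tr 'E' 'F' < "$WORK/profile.mobileconfig" > "$WORK/tampered.mobileconfig"
  if openssl smime -verify -binary -inform der -CAfile "$WORK/cert.pem" \
       -in "$WORK/tampered.mobileconfig" -out /dev/null >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Run the whole flow; returns non-zero if any step fails.
run_demo() {
  write_sample_profile
  make_test_cert
  sign_profile
  verify_profile || return 1
  # The extracted content must be byte-identical to what was signed.
  cmp -s "$WORK/extracted.plist" "$WORK/profiletemplate" || return 1
  tamper_is_detected || return 1
  echo "signed $(wc -c < "$WORK/profile.mobileconfig") bytes; verification OK; tampering detected"
}

run_demo
```

The signed output is exactly the byte stream the Lambda prints to the console, so the same verify command checks what the function produced once you have the CA certificate that issued the signing cert. Note that the function only ever reads the four named objects, so the role policy can be narrowed to s3:GetObject on those keys rather than s3:* on the whole bucket.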