micromdm: Invalid Certificate Signature
What version of micromdm
are you using?
1.7.1
What micromdm
command did you run?
mdmctl mdmcert vendor -password=MyAwesomePassword -country=US -email=my@email.com
mdmctl mdmcert push -password=MyAwesomePassword -country=US -email=my@email.com
mdmctl mdmcert vendor -sign -cert=./mdm-certificates/mdm.cer -password=MyAwesomePassword
What did you expect to see?
Success creating the Apple Push Certificate
What did you see instead?
I followed the quickstart guide but I am having a problem when I upload the PushCertificateRequest.plist file The Apple Push Certificates Portal returns me this error:
Certificate Signature Verification failed
Certificate Signature Verification failed because the signature is invalid.
I am trying to renew an existing certificate, but the portal returns me the same error if I want to create a new one also
About this issue
- Original URL
- State: closed
- Created 3 years ago
- Reactions: 2
- Comments: 33 (25 by maintainers)
Commits related to this issue
- Update vendor signature to SHA256 (issue #723) — committed to korylprince/micromdm by korylprince 3 years ago
- Updated Apple WWDR intermediate certificate (issue #723) — committed to korylprince/micromdm by korylprince 3 years ago
I just got this response from Apple Support:
My understanding is new MDM vendor certs are SHA256 as opposed to SHA1, and they’re signed with a new intermediate, as @HernanPaez pointed to.
So basically two changes are necessary:
@jessepeterson will need to update mdmcert.download and
mdmctl
will need to be updated to reflect these changes.I can create a PR for the
mdmctl
changes that @groob pointed to on Slack, but I don’t have a MDM vendor cert so someone else would need to test.Further FYI for folks watching this issue: MicroMDM v1.8.0 was released with #725 merged in.
For anyone using mdmcert.download, @jessepeterson has updated it, and I was able to generate a new request and successfully renew my push cert!
There’s been some confirmation on the MacAdmins slack that the PR I sent likely works, but I’m sure @groob will want more testing before including it.
As part of investigating, I wrote a script that will verify everything in your request (that you upload to identity.apple.com) looks right. It hope it proves useful in diagnosing issues you may have with your request.