micromdm: Invalid Certificate Signature

What version of micromdm are you using?

1.7.1

What micromdm command did you run?

mdmctl mdmcert vendor -password=MyAwesomePassword -country=US -email=my@email.com  
mdmctl mdmcert push -password=MyAwesomePassword -country=US -email=my@email.com  
mdmctl mdmcert vendor -sign -cert=./mdm-certificates/mdm.cer -password=MyAwesomePassword

What did you expect to see?

Success creating the Apple Push Certificate

What did you see instead?

I followed the quickstart guide but I am having a problem when I upload the PushCertificateRequest.plist file. The Apple Push Certificates Portal returns this error:

Certificate Signature Verification failed
Certificate Signature Verification failed because the signature is invalid.

I am trying to renew an existing certificate, but the portal returns the same error if I try to create a new one as well.

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 2
  • Comments: 33 (25 by maintainers)

Most upvoted comments

I just got this response from Apple Support:

So I have some good news and some bad news. From what the engineers are saying it seems that it has to do with the new Apple Worldwide Developer Relations Intermediate Certificate. MDMCert has updated their cert to the new guidelines which uses SHA-2 encryption instead of the older SHA-1. This has the trickle-down effect that the creation of CSRs also needs to be updated. From what they could see the provided files are in SHA-1.

My understanding is new MDM vendor certs are SHA256 as opposed to SHA1, and they’re signed with a new intermediate, as @HernanPaez pointed to.

So basically two changes are necessary:

  • The new intermediate needs to replace the old one in the chain in the request.
  • The CSR signature needs to be created with SHA256, not SHA1

@jessepeterson will need to update mdmcert.download and mdmctl will need to be updated to reflect these changes.

I can create a PR for the mdmctl changes that @groob pointed to on Slack, but I don’t have an MDM vendor cert so someone else would need to test.

Further FYI for folks watching this issue: MicroMDM v1.8.0 was released with #725 merged in.

For anyone using mdmcert.download, @jessepeterson has updated it, and I was able to generate a new request and successfully renew my push cert!

There’s been some confirmation on the MacAdmins slack that the PR I sent likely works, but I’m sure @groob will want more testing before including it.

As part of investigating, I wrote a script that will verify everything in your request (that you upload to identity.apple.com) looks right. I hope it proves useful in diagnosing issues you may have with your request.
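In the spirit of the verification script mentioned in the last comment and the two changes listed earlier in the thread, here is an added example (not micromdm's, mdmctl's or mdmcert.download's code) that checks the CSR half of a push certificate request: it parses the DER CSR, insists on a SHA-2 signature algorithm, and verifies the self-signature. The subject name, the demo key and the tampered copy are constructed for the demo; the intermediate-chain check is not covered here.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// VerifyPushCSR parses a DER-encoded PKCS#10 request and applies the two checks this
// thread converges on: a SHA-2 signature algorithm and a self-signature that verifies.
func VerifyPushCSR(der []byte) error {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return fmt.Errorf("parse CSR: %w", err)
	}
	switch csr.SignatureAlgorithm {
	case x509.SHA256WithRSA, x509.SHA384WithRSA, x509.SHA512WithRSA: // SHA-2 family only
	default:
		return fmt.Errorf("signature algorithm %v is not SHA-2", csr.SignatureAlgorithm)
	}
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("signature invalid: %w", err)
	}
	return nil
}

func mustCSR(key *rsa.PrivateKey, alg x509.SignatureAlgorithm) []byte {
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:            pkix.Name{CommonName: "mdm.example.invalid", Country: []string{"US"}}, // constructed
		SignatureAlgorithm: alg,
	}, key)
	if err != nil {
		panic(err)
	}
	return der
}

// DemoResults returns the verdicts for a SHA-256 request, a SHA-1 request and a bit-flipped copy.
func DemoResults() (good, weak, tampered error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // demo key, generated fresh each run
	if err != nil {
		panic(err)
	}
	okDER := mustCSR(key, x509.SHA256WithRSA)
	bad := append([]byte(nil), okDER...)
	bad[len(bad)-1] ^= 0x01 // the trailing bytes of the DER are the signature BIT STRING
	return VerifyPushCSR(okDER), VerifyPushCSR(mustCSR(key, x509.SHA1WithRSA)), VerifyPushCSR(bad)
}
```

To check a real request, base64-decode the CSR entry from the PushCertificateRequest.plist and pass the bytes to VerifyPushCSR.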