How to encrypt *.mobileconfig files?

I am using Configuring Multiple Devices Using Profiles

This is the documentation I'm looking at

https://developer.apple.com/documentation/devicemanagement/configuring_multiple_devices_using_profiles

I'm confused by the documentation below

Encrypt and Sign a Profile

Both iOS and macOS support using encryption to protect the contents of profiles from unauthorized access. The encrypted profile can only be decrypted using a private key previously installed on a device. To encrypt a profile:

  1. Remove the PayloadContent array and serialize it as a property list. Note that the top-level object in this property list is an array, not a dictionary.

  2. CMS-encrypt the serialized property list as enveloped data.

  3. Serialize the encrypted data in DER (Distinguished Encoding Rules) format.

  4. Set the serialized data as the value of a data property list item in the profile, using the EncryptedPayloadContent key.


Signing a profile guarantees data integrity. To sign a profile, place the XML property list in a DER-encoded, CMS Signed Data structure.

The documentation states that a total of four steps are required. These are the steps I wrote according to the documentation.

I now have an unencrypted mobileconfig file with the following content

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>FullScreen</key>
			<true/>
			<key>Icon</key>
			<data>
			iVBORw0KGgoAAAANSUhEUgAAAFMAAABXCAYAAAB4I3kWAAAAAXNS
			R0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7D
			AcdvqGQAAADWSURBVHhe7dChAQAgDMCwwf8/A4ITIhtT33WeCbF/
			AzQTaibUTKiZUDOhZkLNhJoJNRNqJtRMqJlQM6FmQs2Emgk1E2om
			1EyomVAzoWZCzYSaCTUTaibUTKiZUDOhZkLNhJoJNRNqJtRMqJlQ
			M6FmQs2Emgk1E2om1EyomVAzoWZCzYSaCTUTaibUTKiZUDOhZkLN
			hJoJNRNqJtRMqJlQM6FmQs2Emgk1E2om1EyomVAzoWZCzYSaCTUT
			aibUTKiZUDOhZkLNhJoJNRNqJtRMqJlQM5mZC+DNBKoqfY8fAAAA
			AElFTkSuQmCC
			</data>
			<key>IsRemovable</key>
			<true/>
			<key>Label</key>
			<string>test</string>
			<key>PayloadDescription</key>
			<string>Adds a Web Clip.</string>
			<key>PayloadDisplayName</key>
			<string>Web Clip (test)</string>
			<key>PayloadIdentifier</key>
			<string>com.qqq.webclip1</string>
			<key>PayloadOrganization</key>
			<string></string>
			<key>PayloadType</key>
			<string>com.apple.webClip.managed</string>
			<key>PayloadUUID</key>
			<string>D53575A8-FC80-442A-A1CB-58B14E7048E1</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>Precomposed</key>
			<true/>
			<key>URL</key>
			<string>http://www.google.com</string>
		</dict>
	</array>
	<key>PayloadDescription</key>
	<string></string>
	<key>PayloadDisplayName</key>
	<string></string>
	<key>PayloadIdentifier</key>
	<string>com.qqq</string>
	<key>PayloadOrganization</key>
	<string></string>
	<key>PayloadRemovalDisallowed</key>
	<false/>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>D53575A8-FC80-442A-A1CB-58B14E7048E1</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>

  1. Remove the PayloadContent array and serialize it as a property list. Note that the top-level object in this property list is an array, not a dictionary.

Is this the serialized property list? Encrypt this string?

<array>
	<dict>
		<key>FullScreen</key>
		<true/>
		<key>Icon</key>
		<data>
		iVBORw0KGgoAAAANSUhEUgAAAFMAAABXCAYAAAB4I3kWAAAAAXNS
		R0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7D
		AcdvqGQAAADWSURBVHhe7dChAQAgDMCwwf8/A4ITIhtT33WeCbF/
		AzQTaibUTKiZUDOhZkLNhJoJNRNqJtRMqJlQM6FmQs2Emgk1E2om
		1EyomVAzoWZCzYSaCTUTaibUTKiZUDOhZkLNhJoJNRNqJtRMqJlQ
		M6FmQs2Emgk1E2om1EyomVAzoWZCzYSaCTUTaibUTKiZUDOhZkLN
		hJoJNRNqJtRMqJlQM6FmQs2Emgk1E2om1EyomVAzoWZCzYSaCTUT
		aibUTKiZUDOhZkLNhJoJNRNqJtRMqJlQM5mZC+DNBKoqfY8fAAAA
		AElFTkSuQmCC
		</data>
		<key>IsRemovable</key>
		<true/>
		<key>Label</key>
		<string>test</string>
		<key>PayloadDescription</key>
		<string>Adds a Web Clip.</string>
		<key>PayloadDisplayName</key>
		<string>Web Clip (test)</string>
		<key>PayloadIdentifier</key>
		<string>com.qqq.webclip1</string>
		<key>PayloadOrganization</key>
		<string></string>
		<key>PayloadType</key>
		<string>com.apple.webClip.managed</string>
		<key>PayloadUUID</key>
		<string>D53575A8-FC80-442A-A1CB-58B14E7048E1</string>
		<key>PayloadVersion</key>
		<integer>1</integer>
		<key>Precomposed</key>
		<true/>
		<key>URL</key>
		<string>http://www.google.com</string>
	</dict>
</array>

I don't know which certificate to use for encryption. Does the APP client need to install a specific private key?
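
The four documented steps as one script. This is an added example, not part of the original post or of Apple's documentation. It assumes the `openssl` CLI is on PATH, an AES-256 content cipher, and a hypothetical `device_cert.pem` holding the certificate that matches the private key previously installed on the device; the sample profile is constructed.

```python
import plistlib
import subprocess
import sys

# Constructed sample profile (not the poster's file): one Web Clip payload.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.profile",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadVersion": 1,
    "PayloadContent": [{
        "PayloadType": "com.apple.webClip.managed",
        "PayloadIdentifier": "com.example.profile.webclip1",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "PayloadVersion": 1,
        "Label": "test",
        "URL": "https://www.example.com",
    }],
})


def cms_envelope_der(plaintext: bytes, recipient_cert_pem: str) -> bytes:
    """Steps 2-3: CMS EnvelopedData, DER-encoded, produced by the openssl CLI."""
    # Assumption: AES-256 as the content cipher; recipient cert is a PEM file.
    cmd = ["openssl", "cms", "-encrypt", "-binary", "-aes256",
           "-outform", "DER", recipient_cert_pem]
    return subprocess.run(cmd, input=plaintext, stdout=subprocess.PIPE,
                          check=True).stdout


def encrypt_profile(profile_xml: bytes, recipient_cert_pem: str,
                    envelope=cms_envelope_der) -> bytes:
    profile = plistlib.loads(profile_xml)
    # Step 1: take PayloadContent out and serialize it as its own property
    # list; the root object of that document is an array, not a dictionary.
    payloads = profile.pop("PayloadContent")
    if not isinstance(payloads, list):
        raise ValueError("PayloadContent must be an array")
    inner = plistlib.dumps(payloads, fmt=plistlib.FMT_XML)
    # Steps 2-3: encrypt to the recipient certificate, DER output.
    der = envelope(inner, recipient_cert_pem)
    # Step 4: plistlib writes a bytes value as a <data> (base64) element.
    profile["EncryptedPayloadContent"] = der
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    # Usage: python encrypt_profile.py device_cert.pem > encrypted.mobileconfig
    sys.stdout.buffer.write(encrypt_profile(SAMPLE_PROFILE, sys.argv[1]))
```

In this sketch the step 1 output is a complete property list document (XML header and `<plist>` wrapper) whose root element is `<array>`, and the bytes of that document are what gets CMS-encrypted.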
