Unable to test ACME payload

Hello All,

We are looking to implement the ACME protocol for our organization PKI and as of now, we are trying out the demo ACME server hosted here. So far, we had a minor piece of luck in getting it to work properly twice, but after that, it errors out every time. This is the payload we are using:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>ClientIdentifier</key>
            <string>123123123123123123123</string>
            <key>ExtendedKeyUsage</key>
            <array>
                <string>1.3.6.1.5.5.7.3.2</string>
            </array>
            <key>HardwareBound</key>
            <true/>
            <key>KeySize</key>
            <integer>384</integer>
            <key>KeyType</key>
            <string>ECSECPrimeRandom</string>
            <key>KeyUsage</key>
            <integer>5</integer>
            <key>PayloadIdentifier</key>
            <string>com.example.test</string>
            <key>PayloadType</key>
            <string>com.apple.security.acme</string>
            <key>PayloadUUID</key>
            <string>sdf-feec-4171-878d-34e576bbb813</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>Subject</key>
            <array>
                <array>
                    <array>
                        <string>C</string>
                        <string>US</string>
                    </array>
                </array>
                <array>
                    <array>
                        <string>O</string>
                        <string>Example Inc.</string>
                    </array>
                </array>
                <array>
                    <array>
                        <string>CN</string>
                        <string>test</string>
                    </array>
                </array>
            </array>
            <key>SubjectAltName</key>
            <dict>
                <key>dNSName</key>
                <string>site.example.com</string>
            </dict>
            <key>DirectoryURL</key>
            <string>https://ca.attestation.dev/acme/acme/directory</string>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>ACME</string>
    <key>PayloadIdentifier</key>
    <string>com.example.test</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>ce876f81-abf0-46f9-9e68-9b3a7ede8097</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

We get the below errors from the ACME server:

  1. order status is "pending", not yet "valid"
  2. order status is "ready", not yet "valid"

Any insights on what we are doing wrong could be helpful. Thanks in advance.

Answered by MDM iOS Dev in 734553022 (Accepted Answer)

The step-ca demo server I was using didn't issue a client certificate if Attest is set to false. The ACME payload below is verified to be working on iOS.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadUUID</key>
    <string>70e4b45e3c1e</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadOrganization</key>
    <string>NewComp</string>
    <key>PayloadIdentifier</key>
    <string>4565353a3a84</string>
    <key>PayloadDisplayName</key>
    <string>ACME</string>
    <key>PayloadRemovalDisallowed</key>
    <true/>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadUUID</key>
            <string>f84ef110e39b</string>
            <key>PayloadType</key>
            <string>com.apple.security.acme</string>
            <key>PayloadOrganization</key>
            <string>NewComp</string>
            <key>PayloadIdentifier</key>
            <string>f84ef110e39b</string>
            <key>PayloadDisplayName</key>
            <string>ACME Configuration</string>
            <key>DirectoryURL</key>
            <string>https://acmeserver/acme/acme/directory</string>
            <key>ClientIdentifier</key>
            <string>test</string>
            <key>HardwareBound</key>
            <true/>
            <key>KeyType</key>
            <string>ECSECPrimeRandom</string>
            <key>KeySize</key>
            <integer>384</integer>
            <key>Subject</key>
            <array>
                <array>
                    <array>
                        <string>1.2.840.113549.1.9.1</string>
                        <string>test@test.com</string>
                    </array>
                </array>
            </array>
            <key>SubjectAltName</key>
            <dict>
            </dict>
            <key>KeyUsage</key>
            <integer>5</integer>
            <key>Attest</key>
            <true/>
        </dict>
    </array>
</dict>
</plist>
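A payload linter, added here as an example that is not part of the thread and not Apple's code. It loads a profile with plistlib and checks the com.apple.security.acme keys as I read Apple's ACMECertificate payload reference (KeyType/KeySize pairs, HardwareBound, the KeyUsage bit mask, the allowed SubjectAltName keys, the nested Subject layout), and it encodes the two findings this thread reports: the demo server only issued when Attest was true, and a Subject CN that is not also a requested identifier fails the order's name check. The sample profile, its UUIDs and identifiers are constructed; https://acmeserver is the placeholder from the answer above.

```python
"""Lint a com.apple.security.acme payload before it goes to a device.

Added example; not code from the thread or from Apple. Key rules follow Apple's
ACMECertificate payload reference as I read it (verify against the current reference
for your OS release), plus the thread's two findings: the demo server only issued when
Attest was true, and a Subject CN failed the order's name check. Stdlib only.
"""
import plistlib
import re
from urllib.parse import urlparse

ACME_TYPE = "com.apple.security.acme"
KEY_USAGE_MASK = 1 | 4  # Apple's KeyUsage mask: 1 = signing, 4 = encryption, 5 = both
KEY_SIZES = {"ECSECPrimeRandom": {256, 384}, "RSA": set(range(1024, 4097, 8))}
SAN_KEYS = {"dNSName", "ntPrincipalName", "rfc822Name", "uniformResourceIdentifier"}
OID_RE = re.compile(r"^\d+(\.\d+)+$")
REQUIRED = ("PayloadIdentifier", "PayloadUUID", "PayloadVersion", "DirectoryURL", "ClientIdentifier")

def subject_cn(subject, findings: list) -> str:
    """Validate the array-of-array-of-[type, value] Subject layout; return the CN if present."""
    cn = ""
    for rdn in subject if isinstance(subject, list) else []:
        if isinstance(rdn, list) and rdn and all(isinstance(a, list) and len(a) == 2 for a in rdn):
            cn = next((v for t, v in rdn if t == "CN"), cn)
        else:
            findings.append(f"ERROR: Subject RDN {rdn!r} is not an array of [type, value] pairs")
    return cn

def lint_acme_payload(p: dict) -> list:
    """Return 'ERROR: ...' / 'WARN: ...' findings for one ACME payload dict; [] means clean."""
    f = []
    if p.get("PayloadType") != ACME_TYPE:
        f.append(f"ERROR: PayloadType must be {ACME_TYPE}")
    f += [f"ERROR: {k} is missing or empty" for k in REQUIRED if not p.get(k)]
    url = urlparse(str(p.get("DirectoryURL", "")))
    if url.scheme != "https" or not url.netloc:
        f.append("ERROR: DirectoryURL must be an https URL")
    key_type, key_size = p.get("KeyType"), p.get("KeySize")
    if key_type not in KEY_SIZES:
        f.append("ERROR: KeyType must be RSA or ECSECPrimeRandom")
    elif key_size not in KEY_SIZES[key_type]:
        f.append(f"ERROR: KeySize {key_size!r} is not valid for {key_type}")
    hardware_bound, attest = bool(p.get("HardwareBound")), bool(p.get("Attest"))
    if hardware_bound and key_type != "ECSECPrimeRandom":
        f.append("ERROR: HardwareBound keys must be ECSECPrimeRandom")
    if attest and not hardware_bound:
        f.append("ERROR: Attest requires HardwareBound")
    if not attest:
        f.append("WARN: Attest is false; the step-ca demo in the thread only issued when it was true")
    usage = p.get("KeyUsage", 0)
    if not isinstance(usage, int) or usage == 0 or usage & ~KEY_USAGE_MASK:
        f.append(f"ERROR: KeyUsage {usage!r} is not a combination of 1 (signing) and 4 (encryption)")
    f += [f"ERROR: ExtendedKeyUsage entry {o!r} is not a dotted OID"
          for o in p.get("ExtendedKeyUsage", []) if not OID_RE.match(str(o))]
    san = p.get("SubjectAltName") or {}
    f += [f"ERROR: SubjectAltName key {k!r} is not one of {sorted(SAN_KEYS)}" for k in san if k not in SAN_KEYS]
    cn = subject_cn(p.get("Subject", []), f)
    if cn and cn != san.get("dNSName"):  # a CN that is not also a requested dns identifier (assumption)
        f.append(f"WARN: Subject CN={cn!r} is not an order identifier; the thread saw "
                 "'CSR names do not match identifiers exactly' for exactly this")
    return f

def lint_profile(plist_bytes: bytes) -> dict:
    """Lint every ACME payload in a configuration profile, keyed by PayloadIdentifier."""
    profile = plistlib.loads(plist_bytes)
    return {pl.get("PayloadIdentifier", "?"): lint_acme_payload(pl)
            for pl in profile.get("PayloadContent", []) if pl.get("PayloadType") == ACME_TYPE}

# Constructed sample shaped like the question's payload: no Attest key, a CN in Subject.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.security.acme</string>
    <key>PayloadIdentifier</key><string>com.example.lint.acme</string>
    <key>PayloadUUID</key><string>0d9e8f7a-6b5c-4d3e-8f10-a1b2c3d4e5f6</string>
    <key>PayloadVersion</key><integer>1</integer>
    <key>DirectoryURL</key><string>https://acmeserver/acme/acme/directory</string>
    <key>ClientIdentifier</key><string>test</string>
    <key>HardwareBound</key><true/>
    <key>KeyType</key><string>ECSECPrimeRandom</string>
    <key>KeySize</key><integer>384</integer>
    <key>KeyUsage</key><integer>5</integer>
    <key>ExtendedKeyUsage</key><array><string>1.3.6.1.5.5.7.3.2</string></array>
    <key>Subject</key><array><array><array><string>CN</string><string>test</string></array></array></array>
    <key>SubjectAltName</key><dict/>
  </dict></array>
</dict></plist>
"""

# Constructed sample with the answer's corrections applied: Attest true, emailAddress instead of CN.
FIXED_PAYLOAD = {
    "PayloadType": ACME_TYPE, "PayloadIdentifier": "com.example.lint.acme", "PayloadVersion": 1,
    "PayloadUUID": "0d9e8f7a-6b5c-4d3e-8f10-a1b2c3d4e5f6", "ClientIdentifier": "test",
    "DirectoryURL": "https://acmeserver/acme/acme/directory", "HardwareBound": True, "Attest": True,
    "KeyType": "ECSECPrimeRandom", "KeySize": 384, "KeyUsage": 5, "SubjectAltName": {},
    "Subject": [[["1.2.840.113549.1.9.1", "test@test.com"]]],
}
```

`lint_profile(SAMPLE_PLIST)` reports two warnings for the constructed sample (Attest absent, CN present) and no errors; `lint_acme_payload(FIXED_PAYLOAD)` is clean. Run it over a `.mobileconfig` before pushing it through MDM rather than reading "pending"/"ready" off the server.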

Hi @MDMiOSDev,

The demo is based on step-ca, and currently there's already some support in the master branch. I'm the main developer of that feature; let me know if you need help setting it up.

Hi @MDMiOSDev and @maraino. I'm trying to deploy the profile listed above. The beta returns similar errors; however, the public iOS 16 version returns "internal server error". I found this in the logs:

Cannot obtain ACME certificate: __NSCFError:
Desc   : internal server error
Domain : NSURLErrorDomain
Code   : 500

Any ideas?

@Achipl Please see my answer below. Apologies for the delay. Didn't log in for a long time.

@maraino Yes, we would be happy to collaborate on this.

To summarize, the ACME profile only works

i) if the device attestation is set to True.

ii) if there is no Common Name present in the Subject of the CSR. We get the error below if we provide a CN.

CSR names do not match identifiers exactly: CSR names = [test], Order names = []

We would like to understand how the "Client Identifier" will fit into this picture. Apologies for not getting back immediately. Thanks in advance.
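To show what the "CSR names do not match identifiers exactly" message and the Client Identifier question come down to, here is an added example that is not code from the thread, from Apple or from step-ca. It models the server's finalize-time check in plain Python: it builds the CSR's SAN extension (a PermanentIdentifier otherName carrying the ClientIdentifier, plus any dNSName), derives the order identifiers the device is assumed to request, and compares the two the way the quoted error text implies. Assumptions, also labelled in the code: Apple's client requests the ClientIdentifier as a "permanent-identifier" order identifier and places it in the CSR as the RFC 4043 PermanentIdentifier SAN; the server folds the Subject CN into the CSR's DNS names before the comparison. The `PROFILE` values are constructed from the accepted answer's payload.

```python
"""Re-create the server-side name check that fails an attested ACME order.

Added example; not code from the thread, from Apple, or from step-ca. A stdlib-only
model of the check behind the message quoted in the thread, under three labelled
assumptions: newOrder carries a "permanent-identifier" whose value is the profile's
ClientIdentifier plus one "dns" identifier per SubjectAltName.dNSName; the CSR carries
the ClientIdentifier as a PermanentIdentifier otherName SAN (RFC 4043, OID
1.3.6.1.5.5.7.8.3); and the server folds a non-empty Subject CN into the CSR's DNS
names before comparing them with the order's "dns" identifiers.
"""
TAG_SEQUENCE, TAG_OID, TAG_UTF8 = 0x30, 0x06, 0x0C
TAG_CTX0 = 0xA0      # [0] constructed: GeneralName.otherName, and OtherName's EXPLICIT value
TAG_DNS_NAME = 0x82  # [2] IMPLICIT IA5String: GeneralName.dNSName

def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:  # base-128, continuation bit on every octet but the last
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(TAG_OID, bytes(out))

PERMANENT_ID_OID = encode_oid("1.3.6.1.5.5.7.8.3")  # id-on-permanentIdentifier, DER-encoded

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def encode_general_names(dns_names, permanent_ids) -> bytes:
    """DER GeneralNames (the SAN extension value) holding dNSNames and PermanentIdentifiers."""
    names = []
    for pid in permanent_ids:
        perm = tlv(TAG_SEQUENCE, tlv(TAG_UTF8, pid.encode("utf-8")))  # PermanentIdentifier{identifierValue}
        other = PERMANENT_ID_OID + tlv(TAG_CTX0, perm)  # OtherName: type-id, then [0] EXPLICIT value
        names.append(tlv(TAG_CTX0, other))  # OtherName is [0] IMPLICIT, so its SEQUENCE tag is replaced
    names += [tlv(TAG_DNS_NAME, d.encode("ascii")) for d in dns_names]
    return tlv(TAG_SEQUENCE, b"".join(names))

def decode_general_names(der: bytes) -> dict:
    tag, body, _ = read_tlv(der)
    if tag != TAG_SEQUENCE:
        raise ValueError("GeneralNames must be a SEQUENCE")
    out, pos = {"dns": [], "permanent-identifier": [], "other": []}, 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag == TAG_DNS_NAME:
            out["dns"].append(val.decode("ascii"))
        elif tag == TAG_CTX0 and val.startswith(PERMANENT_ID_OID):
            _, explicit, _ = read_tlv(val, len(PERMANENT_ID_OID))  # strip the [0] EXPLICIT wrapper
            _, seq, _ = read_tlv(explicit)  # PermanentIdentifier; identifierValue is OPTIONAL
            out["permanent-identifier"].append(read_tlv(seq)[1].decode("utf-8") if seq else "")
        else:
            out["other"].append(val.hex())  # other GeneralName kinds are not compared here
    return out

def order_identifiers(profile: dict) -> list:
    """Identifiers the device is assumed to request for this payload (see module docstring)."""
    ids = [{"type": "permanent-identifier", "value": profile["ClientIdentifier"]}]
    dns = (profile.get("SubjectAltName") or {}).get("dNSName")
    return ids + [{"type": "dns", "value": dns}] if dns else ids

def go_list(xs) -> str:  # format like Go's %v of a string slice, matching the server's wording
    return "[" + " ".join(xs) + "]"

def finalize_name_check(subject_cn: str, san_der: bytes, order_ids: list):
    """Return None if the CSR names match the order exactly, else the server-style error text."""
    sans = decode_general_names(san_der)
    csr_dns = list(sans["dns"])
    if subject_cn and subject_cn not in csr_dns:
        csr_dns.append(subject_cn)  # assumption: the CN is folded into the DNS names
    order_dns = sorted(i["value"] for i in order_ids if i["type"] == "dns")
    order_pids = sorted(i["value"] for i in order_ids if i["type"] == "permanent-identifier")
    if sorted(csr_dns) != order_dns:
        return ("CSR names do not match identifiers exactly: "
                f"CSR names = {go_list(csr_dns)}, Order names = {go_list(order_dns)}")
    if sorted(sans["permanent-identifier"]) != order_pids:
        return ("CSR permanent identifiers do not match identifiers exactly: CSR permanent identifiers = "
                f"{go_list(sans['permanent-identifier'])}, Order permanent identifiers = {go_list(order_pids)}")
    return None

# Constructed sample mirroring the accepted answer's payload: ClientIdentifier "test", empty SubjectAltName.
PROFILE = {"ClientIdentifier": "test", "SubjectAltName": {}}
```

With `san = encode_general_names([], ["test"])` and `ids = order_identifiers(PROFILE)`, `finalize_name_check("test", san, ids)` returns exactly the message quoted in point ii), and `finalize_name_check("", san, ids)` returns None. Under the stated assumptions the ClientIdentifier never has to appear in the Subject at all: it travels as the permanent-identifier on both the order and the CSR, and that is the value the server matches, while a CN is only acceptable if it is also a requested dns identifier.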
