Over The Air (OTA) profile delivery: certificate enrollment

Hi,


We have implemented Over The Air (OTA) profile delivery with 3 phases:

Phase 1: Authentication

Phase 2: Certificate enrollment. A new certificate is sent to the device and replaces the Apple certificate.

Phase 3: Device configuration. The device response is signed with the new certificate and the server responds with a config file.


The first delivery works fine.

We try to deliver a second configuration profile with the same device: iPhone 6 Plus, iOS 8.1.1

In reading the Apple documentation (https://developer.apple.com/library/content/documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/OTASecurity/OTASecurity.html#//apple_ref/doc/uid/TP40009505-CH3-SW1):

For the second delivery, "if the device has been registered previously and is merely requesting a new configuration, it signs the request with the certificate previously provided by the CA" (Apple documentation).

But for the second delivery, the device response is still signed with the Apple certificate and not with the certificate sent in the first Phase 2.

Do you know why the device still uses the Apple certificate and not the certificate previously got in Phase 2 for a new configuration?


Thanks for your help.

Replies

Hi feguyomarch,


Check out the companion project provided by Apple itself, in its over-the-air profile delivery documentation. The signature is actually correct according to the documentation. That can help you debug why the problem happens for you.

By the way, I am running into problems with updating the profile over the air. According to the document, the profile should actually update automatically on the profile expiry date-time. But this is not happening. I have to go manually update from the settings. Have you tried this or faced such a problem?