Generating your CSR for Apple DEP

When you first begin User Acceptance Testing (UAT), you will need to ask your IT department to generate a CSR for the Hyperspace server and submit it to Apple. Apple will return a UAT certificate, which your IT department places on the server.

When you first begin enrolling devices in Apple DEP for live production (after you have been certified), you will need to ask your IT department to generate a new CSR for the Hyperspace server and submit it to Apple. Apple will return a Production certificate, which your IT department places on the server.

You will need a client certificate installed on your server in order to authenticate to Apple's APIs. Apple certificates expire every 2 years. Approximately 2 months before expiration, Apple sends a reminder to the contact you have on file to create a new certificate.

Every 2 years, your IT department will need to submit a new CSR to Apple in order to obtain a new certificate.

Generate a new private key together with the new CSR. Do not reuse the private key that was used to create the original certificate.

How do I create the CSR?

PLEASE READ THE NOTES BELOW CAREFULLY

You want to generate a private key and a CSR for the web server where Hyperspace will be installed. Apple will send back a certificate issued by Apple. This is a client certificate: it is placed in a folder on your server and is presented to Apple to authenticate your requests. It is not a certificate for securing your own domain over HTTPS. You can install your own SSL certificate to secure the Hyperspace web application address.

Be sure to remember the passphrase you set when generating the private key. It is entered into the Hyperspace settings.

Most clients store the private key and UAT certificate in /etc/apache2/ssl/, but any location readable by Apache will do. Restrict the private key's permissions so that only the Apache user (and root) can read it; it should never be world-readable.

1. Using OpenSSL (OSX):

The command line openssl application can be used to generate the public/private key pair and a CSR.

1.1 Key Pair Generation

Command: openssl genrsa -aes256 -out privatekey.pem 2048

When running this command, you will be prompted to enter the passphrase for the private key.

This is your secure passphrase and should not be shared with anyone. It can be any string, like a password. Record it somewhere safe (for example, a password manager); you will need it later to populate the Hyperspace settings.

1.2 CSR Generation

Command: openssl req -new -sha256 -key privatekey.pem -out certreq.csr
Once you run the command, follow the prompts and enter the requested details.

One of the fields prompted is "Common Name (e.g. server FQDN or YOUR name)".
The Common Name is a very important field. Do not enter your server's hostname; enter exactly the following value:

For the UAT CSR: GRX-<10DigitsoldTo>.ACC1914.Test.AppleCare

For the Production CSR: GRX-<10DigitsoldTo>.ACC1914.Prod.AppleCare

Be sure to note the placement of dashes and periods.

Here is an example of how your Common Name should look with your own soldTo ID (Customer ID). Do not use the sample value 0000098765; substitute your own ID.

GRX-0000098765.ACC1914.Test.AppleCare for UAT testing.
GRX-0000098765.ACC1914.Prod.AppleCare for Production use.

The leading zeros are important and the soldTo should always be 10 digits.

Please note the following during CSR generation:

No part of the CSR's Organization fields should contain any reference to Apple. When answering the questions for organization name, organizational unit, etc., enter your own details.

The private key and CSR can be generated on any computer; there is no requirement that they be generated on the Hyperspace web server. If you generate them elsewhere, copy the private key to the server over a secure channel (for example, scp) and delete the copy on the machine where it was generated.

The IP address used during CSR generation does not need to match the whitelisted IP.

The private key can be encrypted with DES (the -des3 option) or AES (the -aes256 option shown above). It is up to you to weigh the risk of protecting your private key with DES instead of AES; DES is considerably weaker, so AES-256 is recommended.

Once the CSR step has been completed, a file named certreq.csr will be created in the folder from which you ran these commands.

Email the CSR to Apple in order to receive a client certificate in return. The CSR contains only your public key and subject details; never send the private key.
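The following script is an added example, not part of the original article and not code from Apple or the Hyperspace vendor. It runs steps 1.1 and 1.2 non-interactively (using openssl's -passout, -passin and -subj options) with the Common Name format the article requires, and then performs the checks a reviewer would want before the CSR is emailed: the soldTo is exactly 10 digits, the CSR's CN is the expected value, the Organization fields do not mention Apple, the CSR really belongs to the key you are keeping, and the key file is readable only by its owner. It assumes the openssl command-line tool is installed; the C, O and OU values are placeholders that you replace with your own organization's details.

```shell
#!/bin/sh
# Added example (not from the original article): generate the Apple DEP client
# key and CSR non-interactively with the required Common Name, then check the
# result before it is emailed to Apple. Assumes the openssl CLI is installed.
# C/O/OU below are placeholders; use your own organisation's details.
set -u

# Build the Common Name: GRX-<10-digit soldTo>.ACC1914.<Test|Prod>.AppleCare
# $1 = "uat" or "prod", $2 = soldTo ID (exactly 10 digits, leading zeros kept)
dep_common_name() {
    case "$2" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "soldTo must be exactly 10 digits, leading zeros included: '$2'" >&2; return 1 ;;
    esac
    case "$1" in
        uat)  echo "GRX-$2.ACC1914.Test.AppleCare" ;;
        prod) echo "GRX-$2.ACC1914.Prod.AppleCare" ;;
        *)    echo "environment must be 'uat' or 'prod', got '$1'" >&2; return 1 ;;
    esac
}

# Generate a fresh AES-256-encrypted RSA-2048 key and a SHA-256 CSR for it.
# $1 = env, $2 = soldTo, $3 = key passphrase, $4 = output directory.
# Writes $4/privatekey.pem and $4/certreq.csr and prints the CSR path.
generate_dep_csr() {
    cn=$(dep_common_name "$1" "$2") || return 1
    key="$4/privatekey.pem"
    csr="$4/certreq.csr"
    # umask 077 in a subshell so the key file is created mode 0600 (owner only)
    (umask 077 && openssl genrsa -aes256 -passout "pass:$3" -out "$key" 2048 2>/dev/null) || return 1
    openssl req -new -sha256 -key "$key" -passin "pass:$3" \
        -subj "/C=US/O=Example Corp/OU=IT Operations/CN=$cn" \
        -out "$csr" >/dev/null || return 1
    echo "$csr"
}

# Print the CN of a CSR. RFC 2253 formatting lists CN first with no spaces
# around '=' so the sed pattern works across OpenSSL versions.
csr_common_name() {
    openssl req -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Article rule: the Organization fields must not reference Apple.
# Succeeds (true) if any field other than the CN mentions Apple.
csr_org_mentions_apple() {
    openssl req -noout -subject -nameopt RFC2253 -in "$1" \
        | sed 's/CN=[^,]*,\{0,1\}//' | grep -qi 'apple'
}

# Confirm the CSR belongs to the key you are keeping by comparing public keys.
# $1 = key path, $2 = passphrase, $3 = CSR path
csr_matches_key() {
    kpub=$(openssl pkey -in "$1" -passin "pass:$2" -pubout 2>/dev/null) || return 1
    cpub=$(openssl req -in "$3" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# The key must be readable only by its owner (mode 0600). Later chown it to
# the Apache user rather than loosening the mode.
key_is_owner_only() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Usage: sh dep_csr.sh uat 0000098765 'your passphrase' /etc/apache2/ssl
if [ $# -eq 4 ]; then
    out=$(generate_dep_csr "$@") || exit 1
    echo "CSR written to $out with CN $(csr_common_name "$out")"
fi
```

Run it with the environment, your soldTo ID, the key passphrase and the output directory. The passphrase is passed on the command line only for the non-interactive run; on a shared host prefer the interactive prompt from the commands above, or openssl's -passin file: form, so the passphrase does not appear in the process list or shell history.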

1.3 PKCS#12 File Creation (Optional step)

Command: openssl pkcs12 -inkey privatekey.pem -in cert.pem -aes256 -export -out cert.p12

cert.pem is the certificate that you received from Apple.

1.4 Extract Private Key from a PKCS#12 File (Optional step)

This command can be used to extract the private key from the PKCS#12 file created in step 1.3.

Command: openssl pkcs12 -aes256 -nocerts -in cert.p12 -out privatekey.pem

Once Apple sends the certificate back, work with your system administrator to install it on your server so that it is automatically presented with each request sent to Apple. This is done by adding the following to your Hyperspace settings:

1. Path and filename to the certificate

2. Path and filename to the private key

3. Passphrase

IMPORTANT 1: Do not modify the filename of the certificate that Apple sends you.

IMPORTANT 2: Make sure the certificate and private key are readable by the Apache user, and that the private key is not readable by any other user on the system.
