
NAME

Config::Apple::Profile::Payload::Certificate - Base class for the four different Certificate payload types.

DESCRIPTION

This class partially implements the Certificate payload. This payload is used to send certificates, and certificate-key pairs, to a device.

This payload is typically used early in the provisioning process, in order to load a non-standard certificate authority (or an intermediate certificate) onto the device. It can also be used to load a user's private key and public certificate onto the device, so that they can be used for S/MIME email and for client-certificate authentication on the web.

This payload may be used to hold root certificates or intermediate certificates. The OS will examine the certificate when you try to install it, in order to determine what type of certificate is being installed.

NOTE: Installing a certificate does not automatically make it trusted! For the OS to trust a certificate, the entire chain (from a root certificate down to the certificate in question) must be present on the device. Even if the root already exists on the device, you may still need to install any intermediate certificates.

NOTE: As per http://support.apple.com/kb/TS4133, starting with iOS 5, if a certificate chain includes a certificate signed using MD5, then that certificate, along with every certificate below it in the chain, will be untrusted. You should only ever use certificates with SHA-family signatures, preferably SHA-256 or stronger (SHA-1 is also losing trust; see the warnings under PayloadContent below).

NOTE: Typically, you will not use this module directly! Apple defines four different types of certificate payloads, each with a different identifier. Please use one of the Config::Apple::Profile::Payload::Certificate:: subclasses.

INSTANCE METHODS

The following instance methods are provided by this class.

validate_cert($handle, $type)

$handle is an open, readable file handle. $type is 'DER' or 'PEM'.

If OpenSSL was found and validated when the module was installed, this method checks whether OpenSSL can read the certificate in $handle as a $type-format certificate. Note that this only checks that the certificate parses; it says nothing about whether the device will trust it (see the notes on certificate chains above).

We rely on $ACP_OPENSSL_PATH from Config::Apple::Profile::Config to tell us whether, and where, OpenSSL is installed.

An exception is thrown if a problem occurs while trying to run OpenSSL. If OpenSSL runs but exits with a non-zero exit code, that is taken as a sign that the certificate provided is invalid.

PAYLOAD KEYS

All of the payload keys defined in Config::Apple::Profile::Payload::Common are used by this payload.

This payload has the following additional keys:

PayloadCertificateFileName

Optional

The name of the certificate file. As far as the author knows, this isn't really used for anything, but you never know!

PayloadContent

This is where the actual certificate goes. The contents may be text (as in a PEM-format certificate), or binary (as in a DER-format certificate).

As a reminder, this key holds binary data, even if that data happens to be text (as with a PEM-format certificate): supply the raw bytes as read from the file, and do not apply a character encoding to them.

WARNING: iOS does not trust certificates that use MD5 as the signature method. Such certificates can be installed, but they will not be trusted, and will cause the user to see warnings.

WARNING: Certificates with 1024-bit RSA keys are rapidly becoming untrusted by browsers. Such certificates can be installed, but they are quickly going the way of MD5 certificates (see the warning above). Use RSA keys of 2048 bits or more.

WARNING: Certificates with SHA-1 signatures will begin losing trust in many browsers in 2016. Plan ahead by minting new certificates with SHA-256 signatures!
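The check that validate_cert relies on (can the openssl command parse the file as a DER or PEM certificate?), together with the signature-digest and RSA key-size checks the warnings above call for, as an added shell example. This is not code from Config::Apple::Profile or its author: it assumes an openssl binary on PATH where the module consults $ACP_OPENSSL_PATH, and the cert_check function, its return codes and the certificate-text parsing are this example's own.

```shell
#!/bin/sh
# Added example, not part of Config::Apple::Profile. Pre-flights a certificate
# before it goes into PayloadContent: asks the openssl CLI to parse it (the same
# test validate_cert performs) and then checks the signature digest and key size.
#
# Assumptions: an `openssl` binary is on PATH (the module uses $ACP_OPENSSL_PATH
# instead); the file holds a single X.509 certificate in DER or PEM form.

# cert_check FILE DER|PEM
# Return codes (this example's own convention):
#   0 = parses and looks acceptable
#   1 = openssl cannot parse it (what validate_cert treats as "invalid")
#   2 = parses, but uses MD5/SHA-1 or an RSA key shorter than 2048 bits
cert_check() {
    file=$1
    form=$2
    case "$form" in
        DER|PEM) ;;
        *) echo "type must be DER or PEM" >&2; return 1 ;;
    esac

    # Non-zero exit from openssl means the file is not a readable $form certificate.
    text=$(openssl x509 -inform "$form" -in "$file" -noout -text 2>/dev/null) || {
        echo "$file: openssl cannot parse this as a $form certificate"
        return 1
    }

    # The first "Signature Algorithm:" line is the one inside tbsCertificate.
    sigalg=$(printf '%s\n' "$text" | sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1)
    # Key size line looks like "Public-Key: (2048 bit)" ("RSA Public-Key:" on OpenSSL 1.1.x).
    bits=$(printf '%s\n' "$text" | sed -n 's/^.*Public-Key: (\([0-9][0-9]*\) bit).*$/\1/p' | head -n 1)
    keytype=$(printf '%s\n' "$text" | sed -n 's/^[[:space:]]*Public Key Algorithm:[[:space:]]*//p' | head -n 1)

    rc=0
    case "$sigalg" in
        md5*|*MD5*)
            echo "$file: MD5 signature ($sigalg): iOS 5 and later will not trust this certificate"
            rc=2 ;;
        sha1*|*SHA1*)
            echo "$file: SHA-1 signature ($sigalg): losing browser trust, reissue with SHA-256"
            rc=2 ;;
    esac
    case "$keytype" in
        rsaEncryption)
            if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
                echo "$file: $bits-bit RSA key is too short, use 2048 bits or more"
                rc=2
            fi ;;
    esac
    if [ "$rc" -eq 0 ]; then
        echo "$file: $form certificate parses; $sigalg, $keytype, $bits bit"
    fi
    return "$rc"
}

# Usage when run as a script: sh check_cert.sh FILE DER|PEM
if [ "$#" -eq 2 ]; then
    cert_check "$1" "$2"
fi
```

Running the function over a certificate that parses but is signed with MD5 reproduces the situation the notes describe: openssl exits zero (so validate_cert would accept it), yet the device will install the certificate without trusting it, which is why the digest and key-size checks are worth doing before the profile is built.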

ACKNOWLEDGEMENTS

Refer to Config::Apple::Profile for acknowledgements.

AUTHOR

A. Karl Kornel, <karl at kornel.us>

COPYRIGHT AND LICENSE

Copyright © 2014 A. Karl Kornel.

This program is free software; you can redistribute it and/or modify it under the terms of either: the GNU General Public License as published by the Free Software Foundation; or the Artistic License.

See http://dev.perl.org/licenses/ for more information.