Create a certificate signing request as a "vendor" of Apple's MDM push notification service
oooohhoo/mdmvendorsign
mdmvendorsign

UPDATE (2024)

Fix

  • Converted to a python3 script.
  • Uses the latest WWDR intermediate certificate.

Guide

  1. Request a vendor certificate using your Apple developer account.
  2. Create a CSR using Keychain Access and upload it to the Apple developer website to create an MDM CSR signing certificate.
  3. Export the key key.p12 from Keychain Access and download the MDM CSR signing certificate mdm_signing.cer.
  4. Convert the key key.p12 to a plain private key private.key:
    openssl pkcs12 -in key.p12 -nocerts -out key.pem && openssl rsa -in key.pem -out private.key
  5. Run the script mdm_vendor_sign.py with python3:
    python3 mdm_vendor_sign.py --csr mdm.csr --key private.key --mdm mdm_signing.cer --out mdm_signed.csr
  6. Upload mdm_signed.csr to identity.apple.com/pushcert
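The file produced in step 5 is a base64-encoded XML plist wrapping the DER CSR, the vendor certificate chain and an RSA signature over the CSR. The following is an added example, not the repository's script: it builds such a request and unwraps one for inspection before upload. Key names follow Apple's push-certificate request format; the RSA signing step is delegated to a caller-supplied function (with `cryptography` it would be `key.sign(data, PKCS1v15(), SHA1())`), and `constructed_example()` uses fake, hypothetical inputs in place of real Apple material.

```python
import base64
import hashlib
import plistlib
from typing import Callable, Sequence

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
REQUIRED_KEYS = {"PushCertRequestCSR", "PushCertCertificateChain", "PushCertSignature"}

def build_push_cert_request(csr_der: bytes, chain_pems: Sequence[str],
                            sign: Callable[[bytes], bytes]) -> bytes:
    """Return the base64 plist uploaded to identity.apple.com/pushcert.
    csr_der:    the customer's CSR as DER; exactly these bytes get signed.
    chain_pems: PEM certs in order: MDM vendor cert, WWDR intermediate, Apple root.
    sign:       signs bytes with the vendor private key (RSA PKCS#1 v1.5 over SHA-1),
                e.g. with `cryptography`: lambda d: key.sign(d, PKCS1v15(), SHA1())."""
    for pem in chain_pems:
        if not pem.strip().startswith(PEM_BEGIN):
            raise ValueError("chain entries must be PEM certificates")
    request = {
        "PushCertRequestCSR": base64.b64encode(csr_der).decode("ascii"),
        "PushCertCertificateChain": "".join(p.strip() + "\n" for p in chain_pems),
        "PushCertSignature": base64.b64encode(sign(csr_der)).decode("ascii"),
    }
    # The XML plist is itself base64-encoded once more before upload.
    return base64.b64encode(plistlib.dumps(request, fmt=plistlib.FMT_XML))

def inspect_push_cert_request(blob: bytes) -> dict:
    """Unwrap an encoded request so its parts can be checked before upload."""
    request = plistlib.loads(base64.b64decode(blob, validate=True))
    missing = REQUIRED_KEYS - set(request)
    if missing:
        raise ValueError(f"missing keys: {sorted(missing)}")
    csr_der = base64.b64decode(request["PushCertRequestCSR"])
    if not csr_der.startswith(b"\x30"):  # a DER CSR is an ASN.1 SEQUENCE
        raise ValueError("PushCertRequestCSR is not DER")
    return {
        "csr_der": csr_der,
        "signature": base64.b64decode(request["PushCertSignature"]),
        "chain_length": request["PushCertCertificateChain"].count(PEM_BEGIN),
    }

def constructed_example() -> dict:
    """Round trip with constructed stand-ins (hypothetical, not Apple material)."""
    fake_csr = b"\x30\x82\x01\x00" + bytes(range(32))  # DER-looking prefix only
    fake_sign = lambda d: hashlib.sha256(b"fake-vendor-key" + d).digest()  # stand-in for RSA
    fake_chain = [f"{PEM_BEGIN}\nRkFLRQ{i}==\n-----END CERTIFICATE-----" for i in range(3)]
    parts = inspect_push_cert_request(build_push_cert_request(fake_csr, fake_chain, fake_sign))
    parts["signature_ok"] = parts["signature"] == fake_sign(fake_csr)
    return parts
```

Running `inspect_push_cert_request` over a real mdm_signed.csr is a quick way to confirm the chain has three certificates and the CSR is DER before the portal rejects the upload.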

OLD

Create a certificate signing request as a "vendor" of Apple's MDM push notification service

This script produces the special encoded plist that is uploaded to the [Apple Push Certificate Portal](https://identity.apple.com/pushcert/) for creating certificates to work with Apple's Mobile Device Management (MDM) system.

Usually, this certificate is obtained by uploading a certificate signing request (CSR) to your MDM vendor, who then signs the certificate using their MDM Signing Certificate. If you are part of the iOS Developer Enterprise Program, you can request a vendor certificate and do this yourself.

Setup

This script is what an MDM vendor would use to sign a user-submitted CSR. That user isn't going to submit their private key to the vendor, obviously.

To get an MDM Vendor Certificate from Apple, you need to create a CSR. You need a private key to create the CSR. That private key is the Vendor's private key (mdm_vendor_private.key below). The --mdm argument should point to the MDM certificate that Apple has issued you.

Note that they don't enable the MDM Vendor program by default. The registered Team Agent needs to email devprograms@apple.com and say something like "I am writing to request an MDM Vendor signing certificate for Acme, Inc. I am listed as the Team Agent for our Enterprise Developer Program account."

Once they accept your request, you should see the following option when creating a new certificate on the developer site:

Provisioning Profile Screenshot

This script is essentially a shortcut for a lot of the steps in this Stack Overflow question: Apple MDM Vendor CSR Signing. For more details on MDM, I recommend reading this document by the Intrepidus Group.

Usage

Run it something like this:

python mdm_vendor_sign.py --csr user_submitted_CSR.csr --key mdm_vendor_private.key --mdm mdm_certificate_from_apple.cer

Use -h to list the options:

$ python mdm_vendor_sign.py -h
usage: mdm_vendor_sign.py [-h] --key KEY --csr CSR --mdm MDM [--out OUT]

This utility will create a properly encoded certifiate signing request that
you can upload to identity.apple.com/pushcert

optional arguments:
  -h, --help  show this help message and exit
  --key KEY   Private key
  --csr CSR   Certificate signing request
  --mdm MDM   MDM vendor certificate
  --out OUT   Output filename

It has a few dependencies that you might need to pip install...
