@jedda
Last active January 9, 2024 06:20
An example of an ACME Certificate Profile & payload (com.apple.security.acme) that can be used on iOS (16 and above) and macOS (14 and above) to request an ACME certificate with Managed Device Attestation from Apple.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>Attest</key>
            <true/>
            <!--
            ClientIdentifier must match one of the permanent identifiers returned by Apple as part of the
            device attestation (Serial Number, UDID)
            -->
            <key>ClientIdentifier</key>
            <string>$SERIALNUMBER</string>
            <!--
            Update the DirectoryURL with the base URL for your step-ca instance and name of your ACME provisioner.
            e.g.: https://ca.example.com/acme/provisioner/directory
            -->
            <key>DirectoryURL</key>
            <string>[step-ca base url]/acme/[step-ca provisioner name]/directory</string>
            <key>HardwareBound</key>
            <true/>
            <key>KeySize</key>
            <integer>384</integer>
            <key>KeyType</key>
            <string>ECSECPrimeRandom</string>
            <key>PayloadDisplayName</key>
            <string>ACME Certificate</string>
            <key>PayloadIdentifier</key>
            <string>C535AD45-DA61-4E31-A93F-3E6EC6958CB6</string>
            <key>PayloadType</key>
            <string>com.apple.security.acme</string>
            <key>PayloadUUID</key>
            <string>C535AD45-DA61-4E31-A93F-3E6EC6958CB6</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <!--
            Your certificate Subject common name (CN) has to match the permanent identifier supplied in ClientIdentifier above.
            -->
            <key>Subject</key>
            <array>
                <array>
                    <array>
                        <string>CN</string>
                        <string>$SERIALNUMBER</string>
                    </array>
                </array>
            </array>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>Example ACME Managed Device Attestation Profile</string>
    <key>PayloadIdentifier</key>
    <string>22F22D92-933F-4B7C-9D9E-B82D4A2D6768</string>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>22F22D92-933F-4B7C-9D9E-B82D4A2D6768</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
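A pre-deployment check for the constraints stated in the profile's comments, as an added example that is not part of the original gist: it parses a profile with `plistlib` and reports a leftover `DirectoryURL` placeholder, a Subject CN that differs from `ClientIdentifier`, and attestation or hardware-binding keys that are not set as above. The function names and the constructed sample profile are hypothetical; the key type and size rule is an assumption taken from Apple's payload documentation, and the comparison is made on the template values before the MDM substitutes `$SERIALNUMBER`.

```python
import plistlib
from urllib.parse import urlparse

def subject_cn(subject):
    """Return the CN from Subject: an array of RDNs, each an array of [OID, value] pairs."""
    for rdn in subject or []:
        for pair in rdn:
            if len(pair) == 2 and pair[0] == "CN":
                return pair[1]
    return None

def lint_acme_profile(profile_bytes):
    """Return a list of problems found in the profile's com.apple.security.acme payloads."""
    content = plistlib.loads(profile_bytes).get("PayloadContent", [])
    payloads = [p for p in content if p.get("PayloadType") == "com.apple.security.acme"]
    if not payloads:
        return ["no com.apple.security.acme payload found"]
    problems = []
    for p in payloads:
        if p.get("Attest") is not True:
            problems.append("Attest is not true")
        if p.get("HardwareBound") is not True:
            problems.append("HardwareBound is not true")
        # Assumption from Apple's payload documentation: hardware-bound keys
        # must be ECSECPrimeRandom with a KeySize of 256 or 384.
        elif p.get("KeyType") != "ECSECPrimeRandom" or p.get("KeySize") not in (256, 384):
            problems.append("hardware-bound key is not ECSECPrimeRandom 256/384")
        url = p.get("DirectoryURL", "")
        # The unedited template still contains "[...]" placeholders.
        if "[" in url or urlparse(url).scheme != "https":
            problems.append("DirectoryURL is a placeholder or not https")
        cid = p.get("ClientIdentifier")
        if not cid or subject_cn(p.get("Subject")) != cid:
            problems.append("Subject CN does not match ClientIdentifier")
    return problems

def constructed_profile(**overrides):
    """Constructed sample mirroring the profile above; overrides replace payload keys."""
    acme = {"PayloadType": "com.apple.security.acme", "Attest": True,
            "HardwareBound": True, "KeyType": "ECSECPrimeRandom", "KeySize": 384,
            "ClientIdentifier": "$SERIALNUMBER",
            "DirectoryURL": "https://ca.example.com/acme/provisioner/directory",
            "Subject": [[["CN", "$SERIALNUMBER"]]]}
    acme.update(overrides)
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [acme]})

if __name__ == "__main__":
    template_url = "[step-ca base url]/acme/[step-ca provisioner name]/directory"
    for issue in lint_acme_profile(constructed_profile(DirectoryURL=template_url)):
        print(issue)
```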