I am working on an Apple MDM server, and actually it is working fine. I have a signature problem, that makes the client complain about the certificate, so now I am interested in how others sign their configuration profiles.

I use java, but any kind of help is welcome, since this is not a particular question on how to implement the code in java, but more on how to correctly sign the configuration profile.

This is how we do it currently:

byte[] data = ...
X509Certificate cert = ...
KeyPair keyPair = ...
CMSSignedDataGenerator gen = new CMSSignedDataGenerator();          
gen.addSigner(keyPair.getPrivate(), cert, CMSSignedGenerator.DIGEST_SHA1, new AttributeTable(new Hashtable<DERObjectIdentifier, Attribute>()), null);
CMSSignedData signedData = gen.generate(new CMSProcessableByteArray(data), true, "BC");

response.setContentType("application/x-apple-aspen-config");
response.getOutputStream().write(signedData.getEncoded());

We are using a self signed certificate created with the algorithm SHA1withRSA and the key is with RSA and the size is 2048.

Does anyone see a problem with this way of doing it, or are you just doing it differently which maes it work?

And please feel free to post code in other languages than java – it might still help.