$CURA_VERSION is the current version of Cura that's installed.
$USER is your user's home directory, e.g. /Users/user.
$CURA_VERSION is the current version of Cura that's installed.
$HOME is your user's home directory, e.g. /home/user.
$CURA_VERSION is the current version of Cura that's installed.
init, loads the HTTP server’s certificate and private SSL key. These keys and certificates are stored on disk for reuse together with the serial number of the last issued certificate. This function is shown in Listing 2-1.
8443 so it does not have to run as root. The :DocumentRoot value should contain the path of an empty directory inside the profile service directory.
SSLCertificate and SSLPrivateKey to point to your actual SSL certificate and key that you obtained in Obtaining an SSL Certificate.
/). A handler for this page is shown in Listing 2-2.
/ URL
/CA in the welcome page provides a means for the user to add the custom certificate authority’s root certificate to the device’s trusted anchors list. This is required for the SCEP stage of the enrollment process.
/CA URL
/enroll link on the welcome page.
/enroll URL
apple as the user name and password over a connection authenticated with HTTP basic authentication. In a production server environment, you should instead tie this code into a directory service or some other account system.
application/x-apple-aspen-config, so Safari on iOS treats the response as a configuration profile.
profile_service_payload function (Profile Service Payload) produces a special configuration that tells the phone to enroll itself in the profile service. The literal string 'signed-auth-token' should be replaced with an authorization token from the authentication service that verified the user’s credentials.
OpenSSL::PKCS7.sign and sends the signed profile to the device.
profile_service_payload(req, 'signed-auth-token') from the /enroll handler (Listing 2-4).
profile_service_payload function
general_payload, which sets the version and organization (these values don’t change on a given server) and returns a template payload that provides a UUID for the profile.
Challenge attribute.
Challenge value in its request, the device also includes this value along with the requested device attributes. Finally, to prove it is an iOS-based device, the device signs this identification with its device certificate. This response is sent to the handler for the /profile URL.
'Profile Service'.
/profile URL is called twice—once to send the device authentication request before the device is allowed to enroll using SCEP, then again after the SCEP step to deliver the final profile to the device.
/profile handler is divided into smaller pieces. The first piece of this handler is shown in Listing 2-6.
/profile URL, part 1 of 7
/profile URL, part 2 of 7
/profile URL, part 3 of 7
/profile URL, part 4 of 7
=begin and =end. It shows how you can restrict issuance of profiles to a single device (by its unique device ID, or UDID) and verify that the Challenge is the same as the Challenge value issued previously.
/profile URL, part 5 of 7
encryption_cert_payload.
/profile URL, part 6 of 7
/profile URL, part 7 of 7
/profile URL associated with this handler a second time to obtain the final profile.
/profile handler and provides explanation.
Challenge information can be used to identify the user requesting the profile, and the code can generate a profile specific to that user.
client_cert_configuration_payload (Listing A-1) and configuration_payload (Configuration Profile Payload).
/profile URL, part 3 of 7 (revisited)
configuration_payload) resembles the profile service payload described in Profile Service Payload. The only difference is in the payload it carries.
encryption_cert_payload function
scep_cert_payload function is described in SCEP Certificate Payload.
scep_cert_payload function suggests, the function shown in Listing 2-15 produces an SCEP payload that gives the device the information it needs to enroll a certificate.
scep_cert_payload function
com.apple.security.scep indicates an SCEP payload and the content specifies the parameters.
http://scep-server/cgi-bin/pkiclient.exe) and Windows SCEP servers (http://scep-server/certsrv/mscep/mscep.dll).
Name value that becomes part of the final URL. In the case of Windows, this value needs to be set, although any value will do.
Challenge to encode the identity of the requester.