A basic rundown of CA chains: Say you have a security certificate claiming that you are example.com. But no one is going to believe you. So you get that signed by someone that people do trust (Verisign in your example above). Now, I believe that you are example.com because Verisign is vouching for you by signing your certificate.
Usually Verisign will not sign it with their main "root" certificate. Instead, they will sign it with a second-level CA, and that second-level CA is signed by the root certificate which I trust.
That's a certificate chain: You (example.com) are signed by a second-level CA, which is signed by a root CA.
So, when giving me your certificate, you also need to provide the whole chain so I can validate it all the way to the top and see if I actually trust you.
So, the following command takes your .mobileconfig file and signs it with your certificate. And I will trust your signature, so long as you provide the whole chain.
Files:
* company.mobileconfig <-- your .mobileconfig file you made
* signed.mobileconfig <-- the signed file that gets created after the command is done
* server.crt <-- your certificate which you got from a trusted CA
* server.key <-- your private key file which goes with the certificate above (keep safe)
* cert-chain.crt <-- whatever certificates are in the chain up to the top level CA that people trust
The command:
openssl smime -sign -in company.mobileconfig -out signed.mobileconfig \
    -signer server.crt -inkey server.key -certfile cert-chain.crt \
    -outform der -nodetach
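An added example, not part of the original answer: it builds a throwaway root, second-level CA and example.com certificate, signs a sample profile with the command above, and checks it the way a client that trusts only the root would, once with cert-chain.crt included and once without. The helper names (issue, sign, verify, chain_demo), the "Demo" CA subjects and the sample profile are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo PKI: root CA -> second-level CA -> example.com (throwaway keys).
issue() {  # issue <dir> <name> <CN> <issuer-name|self> <extfile>
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || return 1
  if [ "$4" = self ]; then
    openssl x509 -req -in "$1/$2.csr" -days 2 -extfile "$1/$5" \
      -signkey "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1/$2.csr" -days 2 -extfile "$1/$5" \
      -CA "$1/$4.crt" -CAkey "$1/$4.key" -CAcreateserial -out "$1/$2.crt" 2>/dev/null
  fi
}
sign() {  # sign <dir> <output-name> [extra openssl args]; same command as above
  dir=$1; out=$2; shift 2
  openssl smime -sign -in "$dir/company.mobileconfig" -out "$dir/$out" \
    -signer "$dir/server.crt" -inkey "$dir/server.key" "$@" -outform der -nodetach
}
verify() {  # verify <dir> <file>: only the root is trusted, as on a client
  openssl smime -verify -inform der -in "$1/$2" -CAfile "$1/root.crt" \
    -out "$1/extracted" 2>/dev/null && grep -q com.example.demo "$1/extracted"
}
chain_demo() {
  d=$(mktemp -d) || return 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n' > "$d/leaf.ext"
  issue "$d" root "Demo Root CA" self ca.ext &&
    issue "$d" inter "Demo Intermediate CA" root ca.ext &&
    issue "$d" server "example.com" inter leaf.ext || return 1
  cat "$d/inter.crt" "$d/root.crt" > "$d/cert-chain.crt"
  # Constructed sample profile, not a complete .mobileconfig
  printf '<plist><dict><key>PayloadIdentifier</key><string>com.example.demo</string></dict></plist>\n' \
    > "$d/company.mobileconfig"
  sign "$d" signed.mobileconfig -certfile "$d/cert-chain.crt"  # chain embedded
  sign "$d" nochain.mobileconfig                               # signer cert only
  verify "$d" signed.mobileconfig && a=verified || a=rejected
  verify "$d" nochain.mobileconfig && b=verified || b=rejected
  rm -rf "$d"
  echo "with-chain=$a without-chain=$b"
}
chain_demo
```

Running `openssl smime -verify -inform der` against the system trust store on a real signed.mobileconfig is a quick pre-distribution check that the chain in cert-chain.crt is complete.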