mirror of
https://github.com/fleetdm/fleet
synced 2026-05-24 09:28:54 +00:00
This PR provides the tooling that fleetdm.com will use to sign MDM Push CSRs. This was tested against the output of #8812, and the resulting requests were validated to be accepted by Apple.

Co-authored-by: Roberto Dip <me@roperzh.com>
Co-authored-by: Roberto Dip <dip.jesusr@gmail.com>
28 lines
986 B
Markdown
# MDM Push CSR generation tool

### Build

Build it like any other Go program:

```sh
go build -o mdm-gen-cert .
```

### Usage

The following environment variables must be configured:

`VENDOR_CERT_PEM` - Fleet's MDM Vendor certificate in PEM format.

`VENDOR_KEY_PEM` - Fleet's MDM Vendor private key in PEM format.

`VENDOR_KEY_PASSPHRASE` - Passphrase for the MDM Vendor private key.

`CSR_BASE64` - Base64-encoded CSR submitted from the Fleet server or `fleetctl` on behalf of the user. (Note: this is accepted as an environment variable to mitigate command injection attacks from untrusted user input.)

The program outputs the email and org from the signing request, and the signed request, as JSON. For example:

```json
{"email":"fleetuser@example.com","org":"ExampleOrg","request":"PD94bWw..."}
```

The email should be validated against the email denylist, and then the request contents should be sent to that email address as an attachment (e.g. `apple-apns-request.txt`).
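As an added illustration (not the tool's own code, which this README does not show), the following Go program performs the first step such a signer has to take: read `CSR_BASE64` from the environment, parse and verify the PKCS#10 request, and extract the `email` and `org` values that appear in the JSON output above. The Apple signing step itself is out of scope; `parseCSR` and `sampleCSR` are hypothetical names, and the sample CSR is constructed with a throwaway key.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"log"
	"os"
)

// parseCSR decodes the base64 PKCS#10 request, verifies its self-signature and returns the email and org to denylist-check.
func parseCSR(b64 string) (string, string, error) {
	der, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", "", fmt.Errorf("csr is not valid base64: %w", err)
	}
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return "", "", fmt.Errorf("csr does not parse: %w", err)
	}
	if err := csr.CheckSignature(); err != nil { // rejects a tampered or hand-built request
		return "", "", fmt.Errorf("csr signature invalid: %w", err)
	}
	if len(csr.EmailAddresses) != 1 || len(csr.Subject.Organization) != 1 {
		return "", "", fmt.Errorf("csr must carry exactly one email and one organization")
	}
	return csr.EmailAddresses[0], csr.Subject.Organization[0], nil
}

// sampleCSR is a constructed stand-in (throwaway key) for the request Fleet or fleetctl would submit.
func sampleCSR(email, org string) string {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.CertificateRequest{
		Subject:        pkix.Name{Organization: []string{org}},
		EmailAddresses: []string{email},
	}
	der, _ := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return base64.StdEncoding.EncodeToString(der)
}

func main() {
	email, org, err := parseCSR(os.Getenv("CSR_BASE64")) // environment, never argv: see the README's injection note
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("{\"email\":%q,\"org\":%q}\n", email, org)
}
```

Run it with `CSR_BASE64` set to a base64 DER request; a request whose signature does not verify, or that lacks a single email and organization, is rejected before anything would be signed.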