ACME

The step-ca demo server I was using didn't issue a Client Certificate if the Attest is set to false. Below ACME payload is verified to be working in iOS. PayloadVersion 1 PayloadUUID 70e4b45e3c1e PayloadType Configuration PayloadOrganization NewComp PayloadIdentifier 4565353a3a84 PayloadDisplayName ACME PayloadRemovalDisallowed PayloadContent PayloadVersion 1 PayloadUUID f84ef110e39b PayloadType com.apple.security.acme PayloadOrganization NewComp PayloadIdentifier f84ef110e39b PayloadDisplayName ACME Configuration DirectoryURL https://acmeserver/acme/acme/directory ClientIdentifier test HardwareBound KeyType ECSECPrimeRandom KeySize 384 Subject 1.2.840.113549.1.9.1 test@test.com SubjectAltName KeyUsage 5 Attest

Your ACME server should follow the ACME RFC 8555 section 7.4.2, which states: The default format of the certificate is application/pem-certificate-chain (see Section 9). Section 9.1 gives more detail on that. You wrote: The certificate is issued by an internal CA and the correct root certificate is in the device's trusted certs. It's not strictly necessary for the device to trust the CA that is issuing the cert since the device is not acting as a relying party. It's just installing the cert that the ACME server provided. It's only once the device uses the resulting identity that a relying party must trust the CA. The device does need to trust the cert that the ACME server uses to authenticate itself, but that's not necessarily the same as trusting the CA that the ACME server uses to issue certs.

Will it be supported (soon)? I'm also testing the ACME certificate payload. Not receiving the attestation payload in the ACME request significantly reduces the utility of the payload. E.g. there's no evidence the key is protected, no assurance this is a known Apple device, etc.

Oy. Going over the UI again... target | app-name | build phases | link binary with libraries - 2 of the 3 packages/modules were missing. After adding them I got a clean build and it runs again. But now I remember how I got here in the first place: the Swift UI preview won't run. I'm signed into my Apple.com account so I have no idea what to do now. == PREVIEW UPDATE ERROR: PotentialCrashError: Update failed RecipeBook may have crashed. Check ~/Library/Logs/DiagnosticReports for any crash logs from your application. ================================== | RemoteHumanReadableError | | LoadingError: failed to load library at path /Users/acm/Library/Containers/com.logipath.home.recipebook.RecipeBook/Data/Document.1.preview-thunk.dylib: Optional(dlopen(/Users/acm/Library/Containers/com.logipath.home.recipebook.RecipeBook/Data/Document.1.preview-thunk.dylib, 0x0002): tried: '/Users/acm/Library/Developer/Xcode/DerivedData/RecipeBook-bbtjcxbeoiafanbqznopflogglmf/Build/Intermediates.noindex/Pre

You're right that the ClientIdentifier can work similarly to the SCEP challenge. ClientIdentifier management systems amount to some kind of coordination between the ACME server and the system that's generating the configuration profile containing an ACME payload (usually the MDM server). There's many ways to arrange it: It could be that the ACME server and MDM server agree on some ClientIdentifier generation scheme based on increasing counters or timestamps, or the MDM server asks the ACME server to issue a ClientIdentifier to embed in the profile, or the MDM server generates them and the ACME server verifies them when a certificate is requested. But this is ultimately weak evidence. If the ClientIdentifier is fumbled at any step of the way, someone else could use it. That's why the only specifically recommended use is as a rate limiting system, so that the ACME server can quickly reject clients that don't have valid ClientIdentifiers. So how does the ACME