iOS mobileconfig workarounds

I’ve searched quite a few sites for any intel on configuring an iPhone over the air with mobileconfig files, and I’m stuck at some stage… :/
Here is what I’ve found:
But this part is beyond my comprehension:

Using openssl smime and the P12 you got from Verisign, sign the
mobileconfig file including the complete CA chain and put it onto
a public HTTP server

If I understood correctly, what I have to do is:
1) obtain a certificate from Verisign (got it based on key.pem and request.pem generated from openssl)
2) create a .mobileconfig file in iPhone Configuration Utility (do I have to have all settings in it filled, or is it enough to just have this file?)
3) and… what is this CA chain?

Also I have found stuff in here:
Here I’m also stuck with this chain stuff… does anybody have/know a, preferably step-by-step, solution for noobs like me? 😉 (most wanted is obviously a solution for creating the whole certificate stuff, because later it is a pretty straightforward tutorial)

Solutions Collected From the Internet About “iOS mobileconfig workarounds”

A basic rundown of CA chains: Say you have a security certificate claiming that you are But no one is going to believe you. So you get that signed by someone that people do trust (Verisign in your example above). Now, I believe that you are because Verisign is vouching for you by signing your certificate.

Usually Verisign will not sign it with their main “root” certificate. Instead, they will sign it with a second-level CA, and that second-level CA is signed by the root certificate which I trust.

That’s a certificate chain: You (, are signed by a second-level CA, which is signed by a root CA.

So, when giving me your certificate, you also need to provide the whole chain so I can validate it all the way to the top and see if I actually trust you.

So, the following command takes your .mobileconfig file and signs it with your certificate. And I will trust your signature, so long as you provide the whole chain.

* company.mobileconfig <– your .mobileconfig file you made
* signed.mobileconfig <– the signed file that gets created after the command is done
* server.crt <– your certificate which you got from a trusted CA
* server.key <– your private key file which goes with the certificate above (keep safe)
* cert-chain.crt <– whatever certificates are in the chain up to the top level CA that people trust

The command:

    openssl smime -sign -in company.mobileconfig -out signed.mobileconfig \
        -signer server.crt -inkey server.key -certfile cert-chain.crt \
        -outform der -nodetach
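
The effect of `-certfile` can be checked locally. The script below is an added example, not part of the original answer: it builds a throwaway root CA, intermediate CA and signing certificate, signs a placeholder profile with and without the chain, and verifies both while trusting only the root. It assumes `openssl` is on the PATH; the "Demo" names, the temporary directory and the minimal plist are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example: every key and certificate here is a throwaway generated locally (constructed data).
set -eu

# Build root CA -> intermediate CA -> signing certificate in directory $1.
make_chain() {
  local d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  for name in root inter server; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo $name" \
      -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
  done
  # The root signs itself; it is the only certificate the verifier trusts up front.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
  # The root signs the intermediate (the "second-level CA").
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/inter.crt" 2>/dev/null
  # The intermediate signs the certificate that will sign the profile.
  openssl x509 -req -in "$d/server.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
    -CAcreateserial -days 2 -out "$d/server.crt" 2>/dev/null
}

# sign_profile DIR OUTFILE [extra openssl arguments, e.g. -certfile cert-chain.crt]
sign_profile() {
  local d=$1 out=$2; shift 2
  openssl smime -sign -in "$d/company.mobileconfig" -out "$out" \
    -signer "$d/server.crt" -inkey "$d/server.key" -outform der -nodetach "$@"
}

# verify_profile FILE ROOT: succeeds only if a path from the signer up to ROOT can be built.
verify_profile() {
  openssl smime -verify -in "$1" -inform der -CAfile "$2" -out "$1.payload" 2>/dev/null
}

work=$(mktemp -d)
make_chain "$work"
printf '<?xml version="1.0"?><plist version="1.0"><dict/></plist>\n' > "$work/company.mobileconfig"
cp "$work/inter.crt" "$work/cert-chain.crt"   # everything between the signer and the root

sign_profile "$work" "$work/nochain.mobileconfig"
sign_profile "$work" "$work/signed.mobileconfig" -certfile "$work/cert-chain.crt"

verify_profile "$work/nochain.mobileconfig" "$work/root.crt" || echo "no chain: verification fails"
verify_profile "$work/signed.mobileconfig"  "$work/root.crt" && echo "with chain: verified"
```

With a real CA, `cert-chain.crt` is the concatenation of the intermediate certificates the CA publishes for your certificate, in PEM format.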