The identity certificate for com.xyz.profile.mdm could not be found?

Question

I've bumped into this issue while trying to install a MDM profile onto an ipad as the final part of OTA enrollment.

NSError:
Desc   : The identity certificate for com.xyz.profile.mdm1 could not be found.
US Desc: The identity certificate for com.xyz.profile.mdm1 could not be found.
Domain : MCMDMErrorDomain
Code   : 12005
Type   : MCFatalError
Params : (
"com.xyz.profile.mdm1"
)

Anyone have idea what piece of information i'm missing? This is when I try to install a MDM payload onto the IOS device after its completed the SCEP registration.

this is the payload I'm sending

<dict>
  <key>AccessRights</key>
  <integer>2047</integer>
  <key>CheckOutWhenRemoved</key>
  <true/>
  <key>IdentityCertificateUUID</key>
  <string>00000000-0000-0000-0000-000000000000</string>
  <key>PayloadDescription</key>
  <string>Configures MobileDeviceManagement.</string>
  <key>PayloadIdentifier</key>
  <string>com.xyz.profile.mdm</string>
  <key>PayloadOrganization</key>
  <string></string>
  <key>PayloadType</key>
  <string>com.apple.mdm</string>
  <key>PayloadUUID</key>
  <string>3DF45C81-F1C4-4427-A61D-0581D9303214</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>ServerURL</key>
  <string>https://mymachine:2345/profile</string>
  <key>SignMessage</key>
  <false/>
  <key>Topic</key>
  <string>com.apple.mgmt.xyz</string>
  <key>UseDevelopmentAPNS</key>
  <false/>
</dict>

Answer 1

You have to send an identity certificate with the payload for the device to accept the profile. The PayloadUUID of this certificate needs to be set as the value of the IdentityCertificateUUID in the MDM dict.

Try creating a profile with the iPCU to check the format of the Credential block.

Answer 2

If you are using self-signed ssl then,While generating self-signed ssl certificate in server side,generate identity.p12 certificate and this certificate you need to use in identity section of IPCU.

These few lines you can use to generate the idendtity.p12

//Creating the device Identity key and certificate request

openssl genrsa 2048 > identity.key
openssl req -new -key identity.key -out identity.csr


//Signing the identity key with the CA. 
//Give it a passphrase. You'll need to include that in the IPCU profile.

openssl x509 -req -days 365 -in identity.csr -CA cacert.crt -CAkey cakey.key -CAcreateserial -out identity.crt

openssl pkcs12 -export -out identity.p12 -inkey identity.key -in identity.crt -certfile cacert.crt