AppSuite:PList signing

Sign profile files generated by client-onboarding

Client-onboarding generates profile files for Mac OS and iOS to configure accounts on an Apple device. By default these profile files are unsigned, which leads to a warning. This page describes how to configure signing those profile files.


  • openjdk-7-jre-headless
  • openssl
  • A valid X.509 certificate and private key (both PEM-encoded)

Create keystore

First copy private key and certificate into one file

$ cat example-key.pem example.crt > example.pem

Then export certificate and key in PKCS#12 format

$ openssl pkcs12 -export -in example.pem -out /path/readable/for/open-xchange/example.p12 -name example

This exports private key and certificate in a password-protected keystore.

Verify export into keystore was successful

$ keytool -v -list -storetype pkcs12 -keystore example.p12

Output should look like this:

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

Alias name: example
Creation date: Feb 9, 2016
Entry type: PrivateKeyEntry
Certificate chain length: 1
Owner:,, O=Internet Widgits Pty Ltd, ST=Some-State, C=DE
Issuer:,, O=Internet Widgits Pty Ltd, ST=Some-State, C=DE
Serial number: e73ec5a60dcdbe36
Valid from: Mon Nov 30 09:36:38 CET 2015 until: Tue Nov 29 09:36:38 CET 2016
Certificate fingerprints:
        MD5:  0D:2E:F0:0B:55:77:3E:5A:76:2C:C6:29:27:F1:61:13
        SHA1: 3B:80:59:43:82:27:91:68:96:C4:D5:20:0B:86:C1:45:32:C0:36:8B
        SHA256: 33:33:68:0B:E3:5B:85:93:DB:95:4D:F0:5A:EE:57:7B:FD:70:E2:63:9A:28:CC:74:0E:C6:B7:03:DC:BE:7D:92
        Signature algorithm name: SHA256withRSA
        Version: 1



Open /opt/open-xchange/etc/ and apply following changes:


Property com.openexchange.client.onboarding.plist.signkey.alias can be overwritten via config-cascade.