
[Flutter] How to install SCEP-obtained certificates using Flutter?

Discussion in 'Mobile' started by Stack, November 6, 2024 at 08:33.

  1. Stack

    Stack Participating Member

    We want to write a Flutter app to deliver certificates to the employee devices.

    We managed to build a SCEP-compatible API on the backend of our app. What it does is essentially receive a CSR and return a PEM certificate based on the request. Making a CSR requires generating a key pair, and the main caveat is that the private key is never accessible to the user. The main certificate use cases are S/MIME (Mail app on iOS and anything on Android), IKEv2 authorization for OpenVPN (don't believe that's possible on iOS) and Wi-Fi.

    So our next problem is the delivery to iOS, Android, Windows and macOS.

    Desktop solutions are pretty easy in that regard, so we skip that.

    Apple MDM allows using a SCEP payload to install it as a provisioning profile from code without requiring the private key the CSR was signed with. That way we can install both CA and client certificates pretty easily.

    Android, on the other hand, always requires a private key to be bundled along with the client certificate and CA certificate. This requires bundling everything in a PKCS12 container and setting up a hard-coded password (or a user-specified password, which essentially will be entered twice). Also, this breaks the "no-private-key-is-available-for-end-user" rule.

    We tried the AMAPI only to discover that it supports neither on-demand certificate distribution (using SCEP) nor including the certificates in a provisioning profile or policy.

    Is that really the best solution for certificate distribution using a SCEP server?
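
The flow the post describes (key pair, CSR, PEM certificate, then a PKCS12 bundle with a fixed password), reproduced with the `openssl` CLI as an added example that is not part of the original post. It assumes `openssl` is installed; the throwaway CA stands in for the SCEP-compatible API, and the subject names and password are constructed.

```shell
#!/usr/bin/env bash
# Added example: every name, subject and the password below is constructed.
set -eu

WORK=$(mktemp -d)
P12_PASS='hard-coded-demo-password'   # stands in for a password fixed in the app

# Stand-in for the backend CA (assumption: the real API signs with its own CA).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo CA' \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Client side: generate the key pair and CSR. Only the CSR leaves the client.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=employee@example.com' \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
}

# Backend side: CSR in, PEM certificate out.
sign_csr() {
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -out "$WORK/client.pem" 2>/dev/null
}

# Android-style delivery: key, client certificate and CA in one container.
bundle_p12() {
  openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.pem" \
    -certfile "$WORK/ca.pem" -passout "pass:$P12_PASS" -out "$WORK/client.p12"
}

# Public half of whatever private key the container yields with the password.
extracted_pubkey() {
  openssl pkcs12 -in "$WORK/client.p12" -nocerts -nodes \
    -passin "pass:$P12_PASS" 2>/dev/null | openssl pkey -pubout
}

# True when the container gives back the same key the CSR was made with.
key_is_recoverable() {
  [ "$(extracted_pubkey)" = "$(openssl pkey -in "$WORK/client.key" -pubout)" ]
}

make_ca; make_csr; sign_csr; bundle_p12
if key_is_recoverable; then
  echo "PKCS12 + known password yields the client private key"
fi
```

The final check shows why the PKCS12 route conflicts with the "no-private-key-is-available-for-end-user" rule: the container's protection is only as strong as the secrecy of its password.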
