feat: Add generate-mobileconfig.py script for creating Apple mobileconfig profiles

README.md

@@ -95,6 +95,91 @@ simple-ca make-cert [--ca-dir DIR] [--days N] [--issuing-ca PREFIX] CERT_DIR SUB
 simple-ca make-pfx  --ca-dir DIR [--issuing-ca PREFIX] --path CERT_PATH [--password PASS]
 ```
 
+## generate-mobileconfig.py
+
+`generate-mobileconfig.py` generates Apple `.mobileconfig` profiles for distributing CA certificates and optionally client certificates and IKEv2 VPN configuration to Apple devices (macOS / iOS / iPadOS).
+
+### Modes
+
+| Arguments supplied | Profile content |
+|---|---|
+| `--ca-cert` only | CA trust anchor |
+| `--ca-cert` + `--client-cert` + `--client-key` | CA trust anchor + PKCS#12 client certificate |
+| All of the above + `--remote-address` + `--match-domains` | CA + client cert + IKEv2 VPN |
+
+### Usage
+
+```
+generate-mobileconfig.py --ca-cert CA.pem --output profile.mobileconfig \
+    --identifier com.example.vpn \
+    [--client-cert CLIENT.pem --client-key CLIENT_KEY.pem] \
+    [--remote-address vpn.example.com --match-domains example.com] \
+    [--profile-name "My VPN"] [--ca-name "My CA"] \
+    [--client-name "My Cert"] [--vpn-name "My VPN Connection"] \
+    [--openssl /usr/bin/openssl]
+```
+
+#### Required arguments
+
+- `--ca-cert PEM` — CA certificate PEM file to embed as a trust anchor.
+- `--output FILE` — Output `.mobileconfig` path.
+- `--identifier ID` — Reverse-DNS profile identifier (e.g. `com.example.vpn`). Derived automatically from `--remote-address` when a VPN profile is generated.
+
+#### Client certificate (optional)
+
+- `--client-cert PEM` — Client certificate PEM file.
+- `--client-key PEM` — Client private key PEM file (required together with `--client-cert`).
+
+#### VPN (requires client certificate)
+
+- `--remote-address FQDN` — VPN gateway hostname.
+- `--match-domains DOMAIN [DOMAIN …]` — Split-DNS domains routed through the VPN.
+
+#### Display name overrides (all optional)
+
+- `--profile-name NAME` — Profile display name (default: `VPN` or `Certificates`).
+- `--ca-name NAME` — CA payload display name (default: certificate CN).
+- `--client-name NAME` — Client cert payload display name (default: certificate CN).
+- `--vpn-name NAME` — VPN connection display name (default: profile name).
+
+#### Other
+
+- `--openssl PATH` — Path to the `openssl` binary (default: `/usr/bin/openssl`).
+
+### Examples
+
+**CA trust profile only:**
+
+```bash
+python3 generate-mobileconfig.py \
+    --ca-cert ca/ca_cert.pem \
+    --identifier com.example.ca \
+    --output ca-trust.mobileconfig
+```
+
+**CA + client certificate:**
+
+```bash
+python3 generate-mobileconfig.py \
+    --ca-cert ca/ca_cert.pem \
+    --client-cert certs/alice_cert.pem \
+    --client-key  certs/alice_key.pem \
+    --identifier com.example.certs \
+    --output alice.mobileconfig
+```
+
+**Full IKEv2 VPN profile:**
+
+```bash
+python3 generate-mobileconfig.py \
+    --ca-cert ca/ca_cert.pem \
+    --client-cert certs/alice_cert.pem \
+    --client-key  certs/alice_key.pem \
+    --remote-address vpn.example.com \
+    --match-domains example.com internal.example.com \
+    --output alice-vpn.mobileconfig
+```
+
 ## Self Signed Ceritifcate
 
 The following command will create a *full-featured* self-signed certificate that can act as CA certificate and be used for client and server authentication: