4

I have this setup:

  1. A tomcat server configured to use ssl client certificate authentication (clientAuth=true)
  2. An ipad with a valid client certificate installed on it (emailed as a .p12 file and visible under profiles)

When browsing via ios safari, the ipad uses the client cert and authenticates against the server fine.

However in code, using a NSURLConnection, it won't connect. Debugging on the server shows the client isnt sending and cert at all.

On the client I get an error like this:

Request(https://192.168.1.5:8443/device/security/policy>, 0, 0)) didFailWithError:Error   Domain=NSURLErrorDomain Code=-1205 "The server “192.168.1.5” did not accept the certificate." UserInfo=0xe2eae30
{NSErrorFailingURLStringKey=https://192.168.1.5:8443/device/security/policy>, NSErrorFailingURLKey=https://192.168.1.5:8443/device/security/policy>, NSLocalizedDescription=The server “192.168.1.5” did not accept the certificate.,
NSUnderlyingError=0xe2eb250 "The server “192.168.1.5” did not accept the certificate.",  NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0xe6ab010>}

I understand I can implement the delegate method for the challenge for the NSURLAuthenticationMethodClientCertificate protection space, but if I do that I dont have the certificate to send, its installed on the device and that isnt accessible via code (is it??) I tried calling [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge] but that appeared to have no effect.

I was expecting that NSURLConnection would behave as per safari and access the installed certificate, but it appears not. I dont want to have to install the certificate into my app somehow - thats what the built in certificate management is for!

Or am I missing something? Any help appreciated.

Jon N
  • 1,439
  • 1
  • 18
  • 29
  • have a look at this http://vanjakom.wordpress.com/2011/10/23/https-client-for-ios/ – oiledCode Feb 23 '13 at 11:27
  • Good post, but what I'm trying to do is having to avoid loading the certificate manually out of the app bundle. Instead, I would like to use a certificate that's installed on the device at the OS level – Jon N Feb 24 '13 at 21:08
  • Did you find a solution to this problem? I am currently investigating this exact same scenario. – Yanik Jul 09 '13 at 10:43
  • 1
    Nope, fundamentally you can't get at globally installed certs from within an app in the current version of iOS. Safari has special rights. – Jon N Jul 10 '13 at 11:16

1 Answers1

1

Fundamentally you can't get at globally installed certificates from within an app in iOS (as of iOS 8), and the operating system won't help you out by sending them with an NSURLConnection. Safari has special rights to access the certificates. So the only way to use them from within an app is to install them into the app somehow, which makes the whole thing difficult.

Jon N
  • 1,439
  • 1
  • 18
  • 29