How to use self signed certificate at iOS app - iphone

Basically our iOS app needs to communicate with a server which has a self signed certificate for now. In my app, the https is failing with untrusted server certificate which is understandable. The error is like this:
Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “my host name here” which could put your confidential information at risk."
So I sent the self signed certificate via email to the iOS device and imported into the profiles and hoping that it would be used as part of root CA for https authentication. To my surprise, it is not and I am still getting the same error. I think that iOS would be default to use root CAs at keychain to validate the server certificate and from what I read, the imported certificate at profiles are at keychain as well. So I could not understand why my imported self signed certificate is not used as root CA.
At this point, I don't really want to trust this self signed certificate via the coding like this iOS authenticate HTTPS with self-signed certificate or In iOS, how to connect to a server using https with self-signed certificate on the server? since this won't work in customer case where they would install our server on their network and they could create their own self signed certificate.
Somehow I didn't really get much information around this from searching. Could anyone shed some lights here and what I need to do to debug this? Thanks very much.
Update on July 15:
More update around this. I also tried to use configuration profile to add a self signed CA to root CA at the iOS device by following Adding Trusted Root Certificate Authorities to iOS , from my testing on 6.0 iPad and iPhone, it doesn't work as well. So not sure if that only works on jail broken device or not. In the end, I end up by allowing user to import a self signed certificate into the app. The app would load such imported certificate for certificate verification similar to this In iOS, how to connect to a server using https with self-signed certificate on the server?. Hope that it would help others in this case.

looking at the first tutorial you linked to you should be able to use that or some more advanced form of that and once you have tested and have it working then all you have to do for a client to create and add their own certificate would be to override/replace the localhost.cer file in the apps folder where the file localhost.cer "or whatever name scheme you use" is located. there are many ways to do this but one could be telling the app a link where the certificate is online for download and once downloaded, then replace.
Any questions I'll try and help further but hopes this helps you in the right direction.

Related

websocket ERR_CERT_AUTHORITY_INVALID

when some players enter our game, they meet this error in all browsers
We have changed the certificate recently. So I check one player's certificate on our game page,
It is the lastest certificate. So what may cause this problem? Should we do something after change the certificate?
EDIT1
Did CDN cache the certificate? After we refresh the CDN, some player can connect to the game immediately.
EDIT2
We found the player's browser has such an option "block unsafe certificate", when the option is enabled, he can't connect to the server and he can connect to server when the option is disabled. We export the intermediate certificate and send it to the player for import. After that, the player can play the game with the option selected.
EDIT3
Finally we found the intermediate certificate is right on the nginx side,but on the server side, the ca is missing. After add it, the websocket could work. And When I asked same question on another forum v2ex,I found a good way to test if the certificate chain is complete. you can visit the site and change the domain and port with your site.
https://cert.catbox.io/api/v1/queryChain?domain=s41001-ad-tanwan.zlgl.17tanwan.com&port=8085
If your server is correct, you will find the server side certificate and the intermediate certificate.If you can't find the intermediate certicate, you need to check your server config.
Your server https://s41001-ad-tanwan.zlgl.17tanwan.com/ provides only the last certificate in the chain, the actual certificate of the server.
This certificate is signed by the intermediate certificate from "RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1" that is valid since 2020-07-16.
If the clients have not updated their browsers/operating systems for some time, they don't have this intermediate certificate, and they report this as an invalid certification authority.
Put the intermediate certificate to the certificate file, and it should fix the problem, since the intermediate certificate is signed by the DigiCert root certificate, that is in the game since 2006. Everyone has it.
You run nginx, right? The ssl_certificate instruction in nginx accepts files with certificate chains. This file should have the server certificate first, then the intermediate certificate.

Unable to complete Windows Phone Certificate enrollment web service process

I am implementing windows phone MDM using windows phone 8 enterprise DM Protocol. I succeed in Discovery phase and Certificate enrolment policy web service. But in Certificate enrolment web service process i am facing problem.
While creating provisioning XML i embedded my domain CA and intermediate certificates. I also added Client certificate which i got request from device. I totally converted into base 64 format and i am sending response to the device(RequestSecuirtyTokenResponse). I am using Fiddler tool for seeing logs .
I am not getting any response from the device.
My doubts are 1) what certificates i need use in provisioning XML . 2) what is client certificate.
I am using valid ssl not self sign certificate. Still i need any certificates
Any advice would be greatly appreciated. Please guide me
finally after one month i succeed enrolment.
We have to use windows phone developer power tool for debugging.
For my questions i am answering as below.
1) We have to use Root certificate(CA) that is valid CA certificate. We need to sign client certificate(fly from device) with server certificate and key certificate. Be careful about finger print.
2) No extra certificates need for enrolment. Above two are mandatory.
I hope above will helps to others.

Apple SSL certificate for push notification x regular SSL certificate

I am implementing a push notification system for one of my apps, so I am following this tutorial and generating a SSL certificate for that.
This app of mine involves also, some exchange of data between the app and the server and I would like it to be SSL protected and I was wondering of getting a SSL certificate from verisign or other company like that.
My question is: is this SSL certificate created for push a regular SSL certificate, so in that can use it also to establish a https connection to the server (and save a couple hundred dollars to order a third party certificate)? I don't know much about SSL certificates, but I hope it can be used for that...
This will be amazing!
Since each certificate is tied to a specific domain, I'm not sure how this would work. There is a concept of wildcard certificates, but I still think they have to be for the same domain.
In your case, it sounds like you will have the Apple push certificate, which validates the connection between your server and Apple's push notification server. The other certificate would be to validate/secure the connection between your iOS app and your server. Both of these are assigned a different domain (gateway.sandbox.push.apple.com vs. yourserver.com).
One option you do have depending on how your iOS app is structured is to use a self-signed certificate between your iOS app and your server. I'm guessing the end-user will not be seeing the certificate anyway. This might be a way to save you money before deciding on a third party certificate.

The site's security certificate is not trusted with openssl

I want to support HTTPS in my web application. Since the certificates from Verisign are costly, I decided to use openssl for generating certificate. Here is the link I referred https://community.jboss.org/wiki/JBossAS7ConfiguringSSLOnJBossWeb
When I tried to access the application in browser I got the error "The site's security certificate is not trusted". Here is the screenshot,
Please let me know how I can solve this error? Is it possible to use openssl in production?
The issue is that your self signed certificate is not 'trusted' by the browser. It does not recognise it as signed by one of the certificate authorities it trust.
You have two options - tell the browser it can trust the certificate or tell the browser that it can trust the entity which issued it (meaning that if you use the same certificate to sign other certificates; that those also get trusted).
See http://googlechrometutorial.com/google-chrome-advanced-settings/Google-chrome-ssl-settings.html for more information. Once you are in 'Manage certificates' you can import your own ones.
Every browser, every users, will have to go through those steps. So that is practical logistical limit on how much 'production' you can run with this.
Do check out the various 'free' certificates; they are very low cost.
MAC SOLUTION: The best way that I've found for manually trusting specific site certificates is to use Safari. See, when you manually trust a certificate in Safari, it requires you to enter your OS X account password. Safari does this because it stores the certificate details in Keychain Access, a system application that manages all vital data you store on your computer.
This is significant because Chrome also communicates with Keychain Access. Once the program has a record of the certificate being trusted by Safari, Chrome will also trust the certificate. You may have to restart the Chrome browser after activating the certificate in Safari to get this to work correctly.
Happy browsing!

HTTPS with self-signed certificate in the app's keychain

I have to connect my iPhone app to a server with a self-signed certificate via HTTPS. I cannot change the certificate or the server.
Since I don't want to accept all self-signed certs, just this one, my idea was to import the cert to the apps keychain (reading the cert from file and adding it to the keychain with SecItemAdd).
If I run the App in the Simulator, install the cert and then search the keychain for it (using SecItemCopyMatching), the cert is found, but the connection still fails with "untrusted server certificate" error.
Is this a problem with the simulator or my app? Do I have to do anything else, for this to work? Or can I assume, that if I add a certificate to the keychain on a real device, the connect to the server will be successfull(I'm using NSURLConnection.sendSynchronousRequest)?
Thanks for any help!
You can use ASIHTTPRequest library. It allows to ignore certificate validation by setting validatesSecureCertificate property of ASIHTTPRequest object to NO.
This should work in the Simulator with some caveats, see the Apple sample code example "AdvancedURLConnections".