I've been using self-signed certificates in the intranet of my small office and after upgrading to iOS 11, the certificates does not work for me. (Chrome and other browsers are happy with them.)
I've got my self-signed root ca file and converted it to .der file, and installed it onto my iPad via web.
But unlike this Answer, I can't see my root ca certificate on the Settings > General > About > Certificate Trust settings.
Is there any limitations for the certificates to be trusted in iOS? Both my iPhone and iPad has this problem. Is there anything wrong in my procedure?
I used these codes to make my ca certificate.
openssl genrsa -des3 -out rootCA.key 4096
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
openssl x509 -in rootCA.crt -out cert.der -outform DER
If you are not seeing the certificate under General->About->Certificate Trust Settings, then you probably do not have the ROOT CA installed. Very important -- needs to be a ROOT CA, not an intermediary CA.
This is very easy to determine by using openssl:
$ openssl s_client -showcerts -connect myserver.com:443 </dev/null
This will show you output for certificates in the cert chain, something like this:
Certificate chain
0 s:/C=US/ST=California/L=SAN FRANCISCO/O=mycompany.com, inc./OU=InfraSec/CN=myserver.com
i:/C=US/O=mycompany.com, inc./CN=mycompany.com Internal CA 1A
-----BEGIN CERTIFICATE-----
....encoded cert in PEM format....
-----END CERTIFICATE-----
And it should show a chain of certs all the way to the ROOT CA. Keep following the output, paying attention to the "i:" value which indicates the ISSUER. Finally, you should get to the ROOT CA and can just copy-paste it to a .pem file (be sure to include the BEGIN CERTIFICATE and END CERTIFICATE lines!). Now you will be able to install it on your simulator by dragging-dropping onto simulator window.
If your ROOT CA is not listed, then find the top level in the output, then export it from Keychain Access.app. This assumes you are able to hit the website via Safari/Chrome, so you will have had to manually trust the website first.
My 'openssl s_client' output ended with the last cert shown with an issuer like this:
i:/C=US/O=mycompany.com, inc./CN=mycompany.com Internal Root CA 1
I am able to hit the target website successfully via Safari/Chrome, so that means Keychain has it stored and trusts it. So, I just launched Keychain Access.app via Spotlight and typed "mycompany" in the search bar. It showed my certificate (Kind=certificate) for "mycompany.com Internal Root CA 1". I just right clicked and selected "Export" and saved it to a .cer file.
Voila! Now I can drag-n-drop it onto my simulator and the ROOT CA will show up under General->About... and I can enable it.
If, for some reason you need to convert PEM file to DER/CER, just use this command:
$ openssl x509 -in myfile.pem -out myfile.der -outform DER
Hope this helps, I've had to do this dozens of times and figured it's about time I jot down some notes so I don't keep forgetting.
Apparently ios does not like certificates without Common Name, so just regenerate it with non empty CN and it will appear in root certificates list
Just use following command then airdrop or send yourself that cert via email.
Make sure to answer all the questions when you see prompts
openssl genrsa -out privatekey.pem 1024
openssl req -new -x509 -key privatekey.pem -out publickey.cer -days 1825
openssl pkcs12 -export -out public_privatekey.pfx -inkey privatekey.pem -in publickey.cer
I had same issue until I used this command. I don't know why this happens but the command works.
Cheers!
Related
I did a protection for my Web Service calls with Man-in-the-Middle Attacks in iOS with SSL Pinning tuto
I would like to renew my certificate on the iOS each two month because this the time my server has to renew his certificate.
For now I do it manually by taping on my mac command line:
openssl s_client -connect <server>:443 </dev/nullsl x509 -outform DER -out <name.der> with OpenSSL under Swift ?
The problem is that I have to send to my customer a new app for install, with a new certificate in the bundle each month.
For this, I would like to use the OpenSSL GitHub for iOS to generate it locally on the ipad/iphone.
I cannot find the way to use it, do you know what is the code I must write to execute that command in Swift by using this github?
Thanks in advance.
I am trying to follow the instructions for creating DEP Server Tokens in Apple's Device Enrollment Program manual ( https://developer.apple.com/library/content/documentation/Miscellaneous/Reference/MobileDeviceManagementProtocolRef/4-Profile_Management/ProfileManagement.html ) , but I don't really know how to "Generate a public/private key pair in PEM format for the MDM server"
I have a certificate from a trusted certificate authority, but how do I create the certificates from that ?
The idea of a certificate for DEP is that Apple don't want to provide you the DEP token over SSL (unlike VPP token).
To retrieve that, they ask that you provide a PEM formatted public key via their portal (this is basically any openssl self-signed cert, like so:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365
when uploading, use cert.pem file)
Then, when they return the result, use the private key to decrypt the CMS (PKCS7 Envelope):
openssl smime -decrypt -inform pem -in fileFromApple.p7 -inkey key.pem
Note that we use file from Apple and the key that we generated in the first command.
Note: it has been over a year since i've done this in practice, but in principal these commands should work.
I am trying to create a FPS (Fair play streaming)certificate but I am getting this error when I upload CSR file which I create by keychain access of mac system
These are some screenshots of creating CSR file using keychain access.
I am not able to understand what is the solution of this error ?
Use the instructions you have received in <FPS_Credential_Creation_Guide.pdf> as part of the Deployment package to generate certificate signed request (CSR). Then upload this file as CSR file.
OpenSSL
Apple provides the OpenSSL application on macOS. Use openssl from the command line to generate the public/private key pair, certificate signed request (CSR).
Generate key pair
openssl genrsa -aes256 -out privatekey.pem 1024
Generate CSR
openssl req -new -sha1 -key privatekey.pem -out certreq.csr \
-subj "/CN=SubjectName/OU=OrganizationalUnit/O=Organization/C=US"
In you screenshots you are choosing 2048 RSA, but the error message states 1024 RSA is expected. Did you try generating a key using 1024?
As the error message indicates, the Certificate Signing Request requires the RSA-2048 algorithm. As an alternative, you can use openSSL to generate the CSR via the following steps:
Execute the following openSSL command to create a private key:
openssl genrsa -out privateKey.key 2048
Execute the following openSSL command to generate a certificate signing request (CSR) from the private key:
openssl req -new -key privateKey.key -out certificateSigningRequest.csr
I have an IIS running that has a page, which has a link:
Plist
That links to:
[RequireHttps]
public ActionResult DownloadPlist()
{
return File(Url.Content("~/pathToPlist/file.plist"), "application/xml");
}
The link in the a href is utlimately:
itms-services://?action=download-manifest&url=https://myapp/test/downloadplist
I can take the last part https://myapp/test/downloadplist and access it in my browser, which presents me with the XML file. However when I try to install it using an iPad using the full itms link, it says:
Cannot connect to myapp
I have a self-signed certificate, created by IIS Manager and sent to my iPad through E-Mail. It can then be installed but it still says Not Trusted. I have a feeling that this is the problem but I am not 100% sure.
This is common problem if you create the certificate with IIS. The problem is that the machine name does not match the host name. This is also described in Section 3 of this article.
The best solution is to create your own CA. Then add the CA's certificate to the iOS device and sign your own certificate with your CA. See Section 5 of this article, copied below.
Create your own Certificate Authority (CA) root
certificate and then create certificates based on it.Instead of paying
a commercial CA to create SSL certificates on your behalf, you are
acting as your own CA. The advantage is that your custom CA
certificate only has to be installed once on each device. The devices
will then automatically trust any certificates you issue based on your
root CA certificate.
Creating the CA certificate
First create a private key file:
openssl genrsa -out myCA.key 2048 Then create the certificate: openssl req -x509 -new -key myCA.key -out myCA.cer -days 730 -subj /CN="My Custom CA"
The certificate file (myCA.cer) created above can be publicly shared and installed on iOS or other OS’s to act like
a built in trusted root CA.
The private key
file (myCA.key) is only used when creating new SSL certificates.You
can create as many certificates as you like based on this CA
certificate.
Create a CSR (Client Signing Request)
First you would create a private key:
openssl genrsa -out mycert1.key 2048 and then create the CSR: openssl req -new -out mycert1.req -key mycert1.key -subj /CN=www2.mysite.com
Then use the
CSR to create the certificate:
openssl x509 -req -in mycert1.req -out mycert1.cer -CAkey myCA.key -CA myCA.cer -days 365 -CAcreateserial -CAserial serial
The certificate created (mycert.cer) can be installed on a web server and
accessed from any iOS device that already has the CA certificate
installed.
I am trying to convert my rails application to work as https://. For testing purpose I created a self signed certificate using openssl. I am using nginx as web server. Then I configured the nginx using this certificate.
But while taking the application it shows https:// before the address but showing a result as
This webpage has a redirect loop, This webpage https://myapp.com has resulted too many redirects in chrome and another browsers are also showing redirect issues.
After too many research I found a clue like need to use chained certificate to fix this problem. Then I tried to create chains of certificate. The way I used is explaining below.
openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key
openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem
The I copied the ca.pem to
/etc/ssl/certs
and ca.key to
/etc/ssl/private
Then edited the openssl.conf as per needs and created two new directories CA and newcerts inside /etc/ssl.
and provide new serial and database file by running the following commands.
sudo sh -c "echo '01' > /etc/ssl/CA/serial"
sudo touch /etc/ssl/CA/index.txt
Then I created a client certificate by running the following commands.
openssl genrsa -out client.key 1024
openssl req -new -key client.key -out client.csr
openssl ca -in client.csr -out client.cer
This certificate is depends on ca.pem
Then I created a 3rd cerificate from the second cerificate means client.cer and that not depends on ca.pem using the following command.
# Create a certificate request
openssl req -new -keyout client1.key -out client1.request -days 365
# Create and sign the certificate
openssl ca -policy policy_anything -keyfile client.key -cert client.pem -out client1.pem -infiles client1.request
and changed the openssl.conf option
[ usr_cert ]
basicConstraints=CA:TRUE # prev value was FALSE
Now I have a certificate chain like
ca.pem -> client.pem -> client1.pem
How can I bundle these three certificates to create a chained certificate properly. I tried in my own way but it shows the same error.
Can anyone please help to solve the issue, Past one week am working on the problem.
Thanks
Regards
Redirect loop has nothing to do with certificate chain or certificate format for that matter. You have an error in either web server configration or application logic. I am guessing you are trying to redirect to https from http, but redirect is also served from https, so this results in a loop.
Google Chrome (and other browsers to some extend) caches redirects, so it might be hard to properly debug and fix the issue with loops (it might still redirect even though you fix the issue on the server/app side). Make sure your requests are hitting the backend, clear browser caches or tools like curl to properly debug the issue.