Question

I have this setup:

  1. A Tomcat server configured to use SSL client certificate authentication (clientAuth=true)
  2. An iPad with a valid client certificate installed on it (emailed as a .p12 file and visible under profiles)

When browsing via iOS Safari, the iPad uses the client cert and authenticates against the server fine.

However, in code, using an NSURLConnection, it won't connect. Debugging on the server shows the client isn't sending any cert at all.

On the client I get an error like this:

Request(https://192.168.1.5:8443/device/security/policy>, 0, 0)) didFailWithError:Error   Domain=NSURLErrorDomain Code=-1205 "The server “192.168.1.5” did not accept the certificate." UserInfo=0xe2eae30
{NSErrorFailingURLStringKey=https://192.168.1.5:8443/device/security/policy>, NSErrorFailingURLKey=https://192.168.1.5:8443/device/security/policy>, NSLocalizedDescription=The server “192.168.1.5” did not accept the certificate.,
NSUnderlyingError=0xe2eb250 "The server “192.168.1.5” did not accept the certificate.",  NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0xe6ab010>}

I understand I can implement the delegate method for the challenge for the NSURLAuthenticationMethodClientCertificate protection space, but if I do that I don't have the certificate to send; it's installed on the device and that isn't accessible via code (is it??). I tried calling [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge] but that appeared to have no effect.

I was expecting that NSURLConnection would behave as per Safari and access the installed certificate, but it appears not. I don't want to have to install the certificate into my app somehow - that's what the built-in certificate management is for!

Or am I missing something? Any help appreciated.

Solution

Fundamentally you can't get at globally installed certificates from within an app in iOS (as of iOS 8), and the operating system won't help you out by sending them with an NSURLConnection. Safari has special rights to access the certificates. So the only way to use them from within an app is to install them into the app somehow, which makes the whole thing difficult.
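
One way the "install them into the app" route can look, as an added example that is not part of the original answer: the app imports a .p12 it received itself and presents that identity for the NSURLAuthenticationMethodClientCertificate challenge. The `ClientCertDelegate` class, the `CopyIdentityFromP12` helper and the `p12Data`/`passphrase` properties are hypothetical names; how the app obtains the .p12 and its passphrase is assumed to be handled elsewhere.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical helper: extract the client identity (cert + private key) from a PKCS#12 blob.
static SecIdentityRef CopyIdentityFromP12(NSData *p12Data, NSString *passphrase) {
    NSDictionary *options = @{ (__bridge id)kSecImportExportPassphrase : passphrase };
    CFArrayRef items = NULL;
    OSStatus status = SecPKCS12Import((__bridge CFDataRef)p12Data,
                                      (__bridge CFDictionaryRef)options, &items);
    SecIdentityRef identity = NULL;
    if (status == errSecSuccess && items != NULL && CFArrayGetCount(items) > 0) {
        NSDictionary *first = (__bridge NSDictionary *)CFArrayGetValueAtIndex(items, 0);
        identity = (__bridge SecIdentityRef)first[(__bridge id)kSecImportItemIdentity];
        if (identity) CFRetain(identity);   // caller owns the returned reference
    }
    if (items) CFRelease(items);
    return identity;
}

@interface ClientCertDelegate : NSObject <NSURLConnectionDelegate>
@property (nonatomic, strong) NSData *p12Data;      // assumed: supplied to the app by the user
@property (nonatomic, copy) NSString *passphrase;   // assumed: entered by the user, not hardcoded
@end

@implementation ClientCertDelegate
- (void)connection:(NSURLConnection *)connection
willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    NSString *method = challenge.protectionSpace.authenticationMethod;
    if (![method isEqualToString:NSURLAuthenticationMethodClientCertificate]) {
        // Server trust and all other challenges keep the system's default evaluation.
        [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
        return;
    }
    SecIdentityRef identity = CopyIdentityFromP12(self.p12Data, self.passphrase);
    if (identity == NULL) {                 // wrong passphrase or malformed file
        [challenge.sender cancelAuthenticationChallenge:challenge];
        return;
    }
    NSURLCredential *cred =
        [NSURLCredential credentialWithIdentity:identity
                                   certificates:nil
                                    persistence:NSURLCredentialPersistenceForSession];
    [challenge.sender useCredential:cred forAuthenticationChallenge:challenge];
    CFRelease(identity);
}
@end
```

After the first import, storing the identity in the app's own keychain lets the app avoid keeping the .p12 file and its passphrase around.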

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow