Using client certificates in iOS

Posted by Jonukas (joined: Mar 21, 2013)
Hi all,

I'm trying to understand how iOS deals with certificates and I'm wondering if anyone can explain a few things to me. I'm working on a system that would provide users with a personal identification certificate for authentication to various services (email, Wi-Fi, websites, etc.) via a configuration profile. Profile creation isn't a problem, but in testing website authentication, it seems that iOS (or Mobile Safari) requires me to provide the CA certificates that should already be on the device.

Here is the certificate chain that my colleague provides me with when I get the user's cert:

AddTrust External CA Root
 ↳ UTN-USERFirst-Client Authentication and Email
    ↳ InCommon Standard Assurance Client CA
       ↳ User's personal certificate

At first, I added the certificate as a single payload of type with all the CA certificates in the chain included in the p12 data blob. This didn't seem to work since I'd get a warning from MobileSafari in the console log:

no itentities, but we have a challenge <NSURLAuthenticationChallenge: 0x1ddccd90>

Along with the following dialog in the browser:

This website requires a certificate
The required certificate is not installed.

The server's ssl_error_log reported:

Re-negotiation handshake failed: Not accepted by client!?

So I tried breaking out the certs into individual payloads. According to this article, iOS 5 and 6 have "AddTrust External CA Root" and "UTN-USERFirst-Client Authentication and Email" preinstalled and I shouldn't have to install them again. So I just included "InCommon Standard Assurance Client CA" and the user's cert as two separate payloads (of types and respectively), but that didn't work. I was only able to get it to work if I installed the entire cert chain (using as the payload type for the root cert).

Why is that? Shouldn't it already know about the two CAs? I can understand adding the "InCommon" CA since it's not preinstalled, but it seems strange that I have to explicitly provide the other CA certs.

FWIW, I've found out that there are at least three versions of "UTN-USERFirst-Client Authentication and Email":

Intermediate CA (expires Saturday, May 30, 2020 6:48:38 AM EDT)
Intermediate CA (expires Sunday, December 31, 2028 6:59:59 PM EDT)
Root CA (expires Tuesday, July 9, 2019 1:36:58 PM EDT)

The root version is the one preinstalled in iOS. When I evaluate the user's cert with the Certificate Assistant in OS X, the cert status is good no matter what chain it uses, but could this multiple CA certs thing be an/the issue?
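The question above comes down to whether the relying side can build a path from the user's certificate up to a root it already trusts. The following script is an added example, not code from the original post or from Apple: it uses the openssl CLI as a stand-in verifier, builds a throwaway root, intermediate and client-auth user certificate (all names, the "demo" passphrase and the file names are constructed), packs the user identity into a PKCS#12 blob together with the intermediate, and then checks the user certificate twice: once with only the root known to the verifier, and once with the intermediate supplied as an untrusted helper certificate. Only the second check succeeds, which is the same failure mode as a device that knows the root but has never seen the issuing CA.

```shell
#!/bin/sh
# Added example (not from the original post): demonstrate with openssl that a
# client certificate can only be validated when every intermediate CA in its
# chain is available to the verifier. Names, passphrase and file names are
# constructed for this demo.
set -e

WORK=$(mktemp -d)

# Build root -> intermediate -> user and the user's PKCS#12 identity blob.
make_chain() {
  [ -f "$WORK/user.p12" ] && return 0   # already generated
  cd "$WORK"

  # Extension files: CA certs need CA:TRUE + keyCertSign; the user cert is a
  # client-authentication leaf.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca_ext.cnf
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > user_ext.cnf

  # Self-signed root CA
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Demo Root CA" >/dev/null 2>&1
  openssl x509 -req -in root.csr -signkey root.key -days 365 \
    -extfile ca_ext.cnf -out root.pem >/dev/null 2>&1

  # Intermediate (issuing) CA, signed by the root
  openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj "/CN=Demo Issuing CA" >/dev/null 2>&1
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 365 -extfile ca_ext.cnf -out int.pem >/dev/null 2>&1

  # User certificate, signed by the intermediate
  openssl req -new -newkey rsa:2048 -nodes -keyout user.key -out user.csr \
    -subj "/CN=Demo User" >/dev/null 2>&1
  openssl x509 -req -in user.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 365 -extfile user_ext.cnf -out user.pem >/dev/null 2>&1

  # Identity blob as a profile would carry it: private key, user cert and the
  # intermediate the relying side may not have.
  openssl pkcs12 -export -inkey user.key -in user.pem -certfile int.pem \
    -name "Demo User" -passout pass:demo -out user.p12
}

# Exit status 0 when openssl can build and validate the user's chain.
# $1 = "with" supplies the intermediate as an untrusted helper certificate;
# anything else withholds it, so the verifier only knows the root.
verify_user_cert() {
  if [ "$1" = "with" ]; then
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
      -purpose sslclient "$WORK/user.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/root.pem" \
      -purpose sslclient "$WORK/user.pem" >/dev/null 2>&1
  fi
}

# Number of certificates carried inside the PKCS#12 blob (user + intermediate).
count_p12_certs() {
  openssl pkcs12 -in "$WORK/user.p12" -passin pass:demo -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Print subject/issuer of every certificate in the blob, so the chain it
# carries can be eyeballed.
list_p12_chain() {
  openssl pkcs12 -in "$WORK/user.p12" -passin pass:demo -nokeys \
    -out "$WORK/chain.pem" 2>/dev/null
  openssl crl2pkcs7 -nocrl -certfile "$WORK/chain.pem" \
    | openssl pkcs7 -print_certs -noout
}

make_chain
echo "Certificates in user.p12: $(count_p12_certs)"
list_p12_chain
if verify_user_cert without; then
  echo "root only: chain built"
else
  echo "root only: cannot build chain (intermediate missing)"
fi
if verify_user_cert with; then
  echo "root + intermediate: chain built and valid for client auth"
fi
```

The `-untrusted` flag is the openssl counterpart of shipping the intermediate inside the profile: the certificate is used to build the path but is not itself a trust anchor. Whichever side has to build the chain (the browser selecting an identity for a client-certificate challenge, or the server validating it) needs the intermediates from somewhere, and the safe assumption when packaging an identity is that only the root may be preinstalled.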

