I'm trying to understand how iOS deals with certificates and I'm wondering if anyone can explain a few things to me. I'm working on a system that would provide users with a personal identification certificate for authentication to various services (email, Wi-Fi, websites, etc.) via a configuration profile. Profile creation isn't a problem, but in testing website authentication, it seems that iOS (or Mobile Safari) requires me to provide the CA certificates that should already be on the device.
Here is the certificate chain that my colleague provides me with when I get the user's cert:
AddTrust External CA Root ↳ UTN-USERFirst-Client Authentication and Email ↳ InCommon Standard Assurance Client CA ↳ User's personal certificate
At first, I added the certificate as a single payload of type com.apple.security.pkcs12 with all the CA certificates in the chain included in the p12 data blob. This didn't seem to work since I'd get a warning from MobileSafari in the console log:
no itentities, but we have a challenge <NSURLAuthenticationChallenge: 0x1ddccd90>
Along with the following dialog in the browser:
This website requires a certificate The required certificate is not installed. Dismiss
The server's ssl_error_log reported:
Re-negotiation handshake failed: Not accepted by client!?
So I tried breaking out the certs into individual payloads. According to this article, iOS 5 and 6 have "AddTrust External CA Root" and "UTN-USERFirst-Client Authentication and Email" preinstalled and I shouldn't have to install them again. So I just included "InCommon Standard Assurance Client CA" and the user's cert as two separate payloads (of types com.apple.security.pkcs1 and com.apple.security.pkcs12 respectively), but that didn't work. I was only able to get it to work if I installed the entire cert chain (using com.apple.security.root as the payload type for the root cert).
Why is that? Shouldn't it already know about the two CAs? I can understand adding the "InCommon" CA since it's not preinstalled, but it seems strange that I have to explicitly provide the other CA certs.
FWIW, I've found out that there are at least three versions of "UTN-USERFirst-Client Authentication and Email":
Intermediate CA (expires Saturday, May 30, 2020 6:48:38 AM EDT)
Intermediate CA (expires Sunday, December 31, 2028 6:59:59 PM EDT)
Root CA (expires Tuesday, July 9, 2019 1:36:58 PM EDT)
The root version is the one preinstalled in iOS. When I evaluate the user's cert with the Certificate Assistant in OS X, the cert status is good no matter what chain it uses, but could this multiple CA certs thing be an/the issue?
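As an added illustration (not the poster's code or Apple's), here is how the working layout described above, root, intermediates and user identity as separate payloads, can be generated as a configuration profile plist with Python's standard plistlib. The certificate bytes, password and organisation identifier are constructed placeholders; a real profile carries DER-encoded CA certs and the user's PKCS#12 blob.

```python
import plistlib
import uuid

# Constructed placeholder values, not real certificates.
ROOT_CA_DER = b"<AddTrust External CA Root, DER bytes>"
INTERMEDIATE_DERS = [
    b"<UTN-USERFirst-Client Authentication and Email, DER bytes>",
    b"<InCommon Standard Assurance Client CA, DER bytes>",
]
USER_IDENTITY_P12 = b"<user's PKCS#12 blob>"
P12_PASSWORD = "constructed-password"


def _payload(ptype: str, name: str, org: str) -> dict:
    """Keys every payload in a configuration profile must carry."""
    return {
        "PayloadType": ptype,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.{ptype}.{uuid.uuid4()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
    }


def build_profile(root_der, intermediate_ders, identity_p12, p12_password,
                  org="example.org"):
    """Return the XML plist of a profile with one payload per chain element."""
    payloads = []
    root = _payload("com.apple.security.root", "Root CA", org)
    root["PayloadContent"] = root_der          # written as <data> (base64)
    root["PayloadCertificateFileName"] = "root.cer"
    payloads.append(root)
    for i, der in enumerate(intermediate_ders, start=1):
        p = _payload("com.apple.security.pkcs1", f"Intermediate CA {i}", org)
        p["PayloadContent"] = der
        p["PayloadCertificateFileName"] = f"intermediate{i}.cer"
        payloads.append(p)
    ident = _payload("com.apple.security.pkcs12", "User identity", org)
    ident["PayloadContent"] = identity_p12
    ident["PayloadCertificateFileName"] = "identity.p12"
    ident["Password"] = p12_password           # stored in clear in the profile
    payloads.append(ident)
    profile = _payload("Configuration", "Client certificate profile", org)
    profile["PayloadContent"] = payloads
    return plistlib.dumps(profile)


def payloads_of(profile_xml: bytes) -> list:
    """Parse a profile back and return its payload dictionaries in order."""
    return plistlib.loads(profile_xml)["PayloadContent"]
```

Because the PKCS#12 password sits in clear text inside the profile, the .mobileconfig itself should be treated as a secret and delivered only over an authenticated channel.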