Q: 802.1X certificate not trusted - can it be?
I'm hoping to replace "Not Trusted" with "Trusted" during wifi authentication. The software involved is iOS 9.2 and OS 10.11.2.
I work for a university which provides wifi to users authenticated by RADIUS under the eduroam organisation. We're both a service provider and an identity provider.
When a user first connects to eduroam and enters their credentials, they're presented with the certificate of their IdP. That's usually us. iOS presents this as "Not Trusted" to the user. Understandably, some of our users get worried about this, and make a call to the service desk. It's possible to read the CN of the certificate, and it's signed by an accepted root CA, but the big red text causes concern.
From my searches around the web, Apple don't seem to have made a statement on the difference between "Not Trusted" and presumably "Trusted". The best source is a reddit thread explaining that a user must verify the certificate manually, because there's no other way to be reasonably sure that the certificate matches the wireless network.
If so, then why are signed .mobileconfig profiles treated differently and labelled "Verified"? I've created a .mobileconfig with very little content: SSID=eduroam, auth via TTLS or PEAP, and the CN of the expected certificate (but not a copy of it). It's presented as "Not Signed". I've then signed the profile with the same certificate we present during auth, and iOS accepts it as "Verified". Users still need to approve it, but they're much more comfortable doing so.
So: if presented during authentication, the certificate is untrusted. If presented as the signatory of a .mobileconfig, the certificate is trusted.
Why?
Other thoughts:
We are largely BYOD so cannot preinstall profiles on our users' devices, although we can present one if necessary.
Our certificate is signed with SHA-1, but a new certificate with SHA-256 exhibits the same behaviour (not trusted during 802.1X auth). We'll be deploying the new certificate soon.
Yes, I'm really asking about presenting pretty "secure" text.
iPhone 6s, iOS 9.2
Posted on Dec 16, 2015 8:03 PM
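The profile described in the question (SSID eduroam, TTLS or PEAP, and the expected server name rather than a copy of the certificate) can be generated rather than hand-edited. The script below is an added example, not the poster's profile or anything from Apple; the organisation prefix, SSID and RADIUS server name are constructed placeholders. It uses the documented Wi-Fi payload keys (`SSID_STR`, `EAPClientConfiguration`, `AcceptEAPTypes`, `TLSTrustedServerNames`) and goes one step beyond the question by optionally embedding the CA certificate as a `com.apple.security.root` payload and pinning it with `PayloadCertificateAnchorUUID`, so the supplicant only accepts that anchor for this SSID instead of any system root. Signing is left to OpenSSL in a comment, since that part is not exercised here.

```python
"""Build an eduroam Wi-Fi .mobileconfig with plistlib (added example, constructed values)."""
import plistlib
import uuid

# Constructed placeholders: replace with your own reverse-DNS prefix, SSID and RADIUS server name.
ORG_PREFIX = "edu.example.eduroam"
SSID = "eduroam"
RADIUS_SERVER_NAME = "radius.example.edu"   # the CN/SAN the RADIUS server presents

EAP_TTLS = 21   # EAP method numbers as used by AcceptEAPTypes
EAP_PEAP = 25


def build_profile(ssid, trusted_server_names, ca_der=None, username=None):
    """Return the profile as a dict in the structure iOS expects.

    trusted_server_names: names the RADIUS certificate must match (TLSTrustedServerNames).
    ca_der: optional DER-encoded CA certificate. When given it is embedded as a
            com.apple.security.root payload and referenced via PayloadCertificateAnchorUUID,
            so only that anchor is trusted for this SSID (tighter than the question's profile).
    """
    eap = {
        "AcceptEAPTypes": [EAP_TTLS, EAP_PEAP],
        "TTLSInnerAuthentication": "MSCHAPv2",
        "TLSTrustedServerNames": list(trusted_server_names),
    }
    if username:
        eap["UserName"] = username

    payloads = []
    if ca_der is not None:
        anchor_uuid = str(uuid.uuid4()).upper()
        payloads.append({
            "PayloadType": "com.apple.security.root",
            "PayloadVersion": 1,
            "PayloadIdentifier": f"{ORG_PREFIX}.ca",
            "PayloadUUID": anchor_uuid,
            "PayloadDisplayName": "eduroam RADIUS CA",
            "PayloadContent": ca_der,        # bytes are written as <data>
        })
        eap["PayloadCertificateAnchorUUID"] = [anchor_uuid]

    payloads.append({
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_PREFIX}.wifi",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Wi-Fi ({ssid})",
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": False,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": eap,
    })
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": ORG_PREFIX,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{ssid} Wi-Fi",
        "PayloadContent": payloads,
    }


def serialize(profile):
    """Return the XML plist bytes that make up the unsigned .mobileconfig."""
    return plistlib.dumps(profile)


def trusted_names_in(profile_bytes):
    """Parse a .mobileconfig and return the server names it pins (a pre-deployment check)."""
    doc = plistlib.loads(profile_bytes)
    names = []
    for payload in doc["PayloadContent"]:
        if payload.get("PayloadType") == "com.apple.wifi.managed":
            names.extend(payload["EAPClientConfiguration"].get("TLSTrustedServerNames", []))
    return names


if __name__ == "__main__":
    # The CA bytes here are a constructed placeholder, not a real certificate.
    prof = build_profile(SSID, [RADIUS_SERVER_NAME], ca_der=b"CONSTRUCTED-NOT-A-REAL-CERT")
    with open("eduroam.mobileconfig", "wb") as fh:
        fh.write(serialize(prof))
    print("pinned server names:", trusted_names_in(serialize(prof)))
    # Sign afterwards (not run here) with the same certificate the RADIUS server presents:
    #   openssl smime -sign -signer server.crt -inkey server.key -certfile chain.pem \
    #       -nodetach -outform der -in eduroam.mobileconfig -out eduroam-signed.mobileconfig
```

Run it once to produce `eduroam.mobileconfig`, sign that file with the OpenSSL command in the trailing comment, and distribute the signed output; `trusted_names_in` is there so the name you pin can be checked against the certificate the RADIUS server actually serves before users are told to install the profile.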