Web based client SSL authentication
I have had no success performing web based SSL mutual authentication with a client certificate on an iPhone.
Any advice which will allow me to get this function to work is appreciated.
I am using an iPhone 3G with the iPhone OS v2.0.
This is what I have found out to date:
Getting Safari to perform SSL client authentication requires:
1. Generation of a public/private key pair.
2. Creation of a certificate request using the generated key pair.
3. Use of the public key to create a new certificate.
4. Installation to the phone of the root certificate + any trust chain intermediate certificates required to validate the new certificate.
5. Installation to the phone of the issued certificate + private key.
6. Use of the issued certificate + private key to perform client SSL authentication in Safari.
I have got steps 1-5 to work, but for step 6, the iPhone version of Safari does not send the client certificate to the server.
Functions that appear to be missing in the iPhone Safari certificate and SSL implementation:
1. No support for the HTML <keygen> tag.
This tag generates a public/private key pair, installs the private key in the OS keychain and sends the public key to the server in an SPKAC (Signed Public Key And Challenge).
I was able to get around this limitation by:
- generating a public/private key pair on a server.
- generating an SPKAC on a server.
- using the SPKAC to request a new certificate from a certificate authority.
This is not desirable but does allow other functions to be tested.
2. No support for installation of user certificates sent to the phone with the application/x-x509-user-cert MIME type.
The application/x-x509-user-cert MIME type instructs the client to install a certificate chain encoded in PKCS#7 format.
I was able to get around this limitation by:
- generating a password-protected PKCS#12 (certificate + private key) containing the user certificate and distributing it to the iPhone via any of the following means:
via a web page returning an application/x-pkcs12 MIME type OR
via email OR
via embedding it + the device cert root certificate in a profile generated by the Apple iPhone Enterprise Configuration Utility and mailing it to the phone.
- similarly, the root certificate to establish the device certificate trust chain can be sent to the phone using an iPhone-accepted .cer file and the application/x-x509-ca-cert MIME type.
Distributing the root certificate in a file with a .crt extension should also work, but did not appear to for me; I needed to use a .cer or .cert extension to get the function to work.
It should be possible to embed the root certificate + trust path intermediate certificates in the PKCS#12 and have the iPhone install them from the PKCS#12, but this did not appear to work either.
3. No support for client SSL authentication within Safari.
Upon navigating to a site which wants client authentication, Safari is supposed to choose a list of certificates which match the client certificate criteria configured for the location on the https server and:
if only one certificate matches, auto submit the certificate to the server as part of the SSL negotiation OR
if more than one certificate exists, bring up the list of matching certificates in a UI so that a user can choose from the list to authenticate themselves to the server.
Safari on the iPhone does not do this and to the server it looks like there is no valid certificate present on the device, even though a valid certificate has already been installed on the phone.
All of the above functions, which are not supported in the iPhone, are supported from Safari running on an Intel based OS X Mac.
iPhone 3G, Other OS, iPhone OS v2.0
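As an added example that is not part of the original post, the shell script below uses openssl to produce the artefacts that steps 1-5 and the two workarounds above call for: a test root CA, a server-side client key pair, a CSR and an SPKAC for it (standing in for what <keygen> would have posted), a client-auth certificate issued by the CA, the root exported as a DER .cer file for application/x-x509-ca-cert delivery, and a password-protected PKCS#12 bundle for application/x-pkcs12 delivery. It then checks the result the way a practitioner would before blaming the browser: the issued certificate chains to the root, the private key matches the certificate, the SPKAC signature verifies, the PKCS#12 opens with its password, and the certificate carries the client-authentication extended key usage. All subjects, file names, the challenge and the password are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Requires the openssl CLI.
# Every subject, file name, challenge string and password here is a constructed placeholder.
set -e

# make_client_pki DIR: build root CA, client key/CSR/SPKAC/cert, DER root (.cer) and PKCS#12 in DIR.
make_client_pki() {
  d="$1"
  mkdir -p "$d"

  # Root CA (self-signed): the trust anchor the phone must be given in step 4.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Constructed Test Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1

  # Step 1: client key pair, generated on the server as the <keygen> workaround does.
  openssl genrsa -out "$d/client.key" 2048 >/dev/null 2>&1

  # Step 2: certificate request bound to that key pair.
  openssl req -new -key "$d/client.key" \
    -subj "/CN=constructed-iphone-user/emailAddress=user@example.test" \
    -out "$d/client.csr" >/dev/null 2>&1

  # Server-side SPKAC for the same key: what <keygen> would have posted to the CA.
  openssl spkac -key "$d/client.key" -challenge "constructed-challenge" -out "$d/client.spkac"

  # Step 3: the CA issues the client certificate; the EKU limits it to TLS client authentication.
  printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature,keyEncipherment\n' > "$d/client.ext"
  openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$d/client.ext" -out "$d/client.crt" >/dev/null 2>&1

  # Step 4 artefact: root in DER form with the .cer extension, for application/x-x509-ca-cert.
  openssl x509 -in "$d/ca.crt" -outform DER -out "$d/root.cer"

  # Step 5 artefact: password-protected PKCS#12 holding cert + private key (+ CA cert in the bag),
  # for application/x-pkcs12 delivery or mailing to the phone.
  openssl pkcs12 -export -inkey "$d/client.key" -in "$d/client.crt" -certfile "$d/ca.crt" \
    -name "constructed-iphone-user" -passout pass:constructed-pass -out "$d/client.p12"
}

# verify_client_pki DIR: returns 0 only if every artefact is consistent.
verify_client_pki() {
  d="$1"
  # The issued certificate must chain to the root the phone will trust.
  openssl verify -CAfile "$d/ca.crt" "$d/client.crt" >/dev/null
  # The private key packaged in the PKCS#12 must belong to the certificate (same RSA modulus).
  [ "$(openssl x509 -noout -modulus -in "$d/client.crt")" = \
    "$(openssl rsa -noout -modulus -in "$d/client.key" 2>/dev/null)" ]
  # The SPKAC's self-signature must verify against the public key it carries.
  openssl spkac -in "$d/client.spkac" -verify -noout >/dev/null
  # The PKCS#12 must open with its password and contain the client certificate.
  openssl pkcs12 -in "$d/client.p12" -passin pass:constructed-pass -nokeys -clcerts 2>/dev/null \
    | grep -q 'BEGIN CERTIFICATE'
  # The certificate must carry the client-auth EKU that a server-side certificate filter looks for.
  openssl x509 -in "$d/client.crt" -noout -text | grep -q 'TLS Web Client Authentication'
}

# Usage: sh this_script.sh /path/to/outdir
if [ $# -gt 0 ]; then
  make_client_pki "$1"
  verify_client_pki "$1" && echo "client PKI in $1 verified"
fi
```

If the PKCS#12 is meant for an old device, note that current OpenSSL releases default to AES/PBKDF2 protection inside the bundle; older PKCS#12 importers only understand the legacy RC2/3DES algorithms, which OpenSSL 3 selects with the `-legacy` option of `openssl pkcs12 -export`. If the checks above pass and the server still reports no client certificate, the problem is in the browser's certificate selection (item 3 above), not in the issued credential.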