Skip navigation
This discussion is archived

Web based client SSL authentication

23258 Views 14 Replies Latest reply: May 13, 2009 8:43 AM by boole84 RSS
jvsmith Calculating status...
Currently Being Moderated
Aug 1, 2008 2:41 PM
I am looking for someone experienced with client SSL authentication via Safari on an iPhone (this is web browser based authentication, not VPN/Email/WiFi/etc).

I have had no success performing web based SSL mutual authentication with a client certificate on an iPhone.

Any advice which will allow me to get this function to work is appreciated.

I am using an iPhone 3G with the iPhone OS v2.0.

This is what I have found out to date:

Getting Safari to perform to perform ssl client authentication requires:
1. Generation of a public/private key pair.
2. Creation of a certificate request using the generated key pair.
3. Use of the public key to create a new certificate.
4. Installation to the phone of the root certificate + any trust chain intermediate certificates required to validate the new certificate.
5. Installation to the phone of the issued certificate + private key.
6. Use of the issued certificate + private key to perform client SSL authentication in Safari.

I have got steps 1-5 to work, but for step 6, the iPhone version of Safari does not send the client certificate to the server.

Functions that appear to be missing in the iPhone Safari certificate and SSL implementation:

1. No support for the html <keygen> tag.

This tag generates a public/private key pair, installs the private key in the OS keychain and sends the public key to the server in a spkac (signed public key and challenge).
I was able to get around this limitation by:
- generating a public/private key pair on a server.
- generating an spkac on a server.
- using the spkac to request a new certificate from a certificate authority.
This is not desirable but does allow other functions to be tested.

2. No support for installation of user certificates sent to the phone with the application/x-x509-user-cert mime type.

The application/x-x509-user-cert mime type instructs the client to install a certificate chain encoded in pkcs#7 format.
I was able to get around this limitation by:
- generating a password protected pkcs#12 (certificate+private key) containing the user certificate and distributing it to the iphone via any of the following means:
via a web page returning a application/x-pkcs12 mime type OR
via email OR
via embedding it + the device cert root certificate in a profile generated by the apple iPhone enterprise configuration utility and mailing to the phone.
- similarly the root certificate to establish the device certificate trust chain can be sent to the phone using the an iPhone accepted .cer file and application/x-x509-ca-cert mime type.
Distributing the root certificate in a file with a .crt extension should also work, but did not appear to for me, I needed to use a .cer or .cert extension to get the function to work.
It should be possible to embed the root certificate + trust path intermediate certificates in the pkcs#12 and have the iPhone install them from the pkcs#12, but this did not appear to work either.

3. No support for client SSL authentication within Safari.

Upon navigating to a site which wants client authentication, Safari is supposed to choose a list of certificates which match the client certificate criteria configured for the location on the https server and:
if only one certificate matches, auto submit the certificate to the server as part of the SSL negotiation OR
if more than one certificate exists, bring up the list of matching certificates in a UI so that a user can choose from the list to authenticate themselves to the server.
Safari on the iPhone does not do this and to the server it looks like there is no valid certificate present on the device, even though a valid certificate has already been installed on the phone.

All of the above functions, which are not supported in the iPhone, are supported from Safari running on an Intel based OS X Mac.
iPhone 3G, Other OS, iPhone OS v2.0
  • SupremeNemesis Level 1 Level 1 (0 points)
    Currently Being Moderated
    Aug 25, 2008 4:29 AM (in response to jvsmith)
    I am hoping that Apple can do something about this. I am in a similar boat where I believe that the iPhone version of Safari is not handling the certificates the way it should.
    Real PC, Windows XP Pro, Applie iPhone 3G
  • tokatta Level 3 Level 3 (865 points)
    Currently Being Moderated
    Aug 25, 2008 2:11 PM (in response to jvsmith)
    All your steps to do this are valid and everything you describe indicates that it just does not work on the iPhone:

    1. If Safari on iPhone doesn't support keygen or any other method for requesting a client cert (and generating a private/public keypair)

    2. if the browser connects to a site requesting Client Cert auth as part of the SSL handhshake and Safari doesn't prompt for which cert to use

    Unfortunately Apple seems to be very closed mouthed regarding what is missing from a functional standpoint. I have only heard of people getting direct answers from the Genius Bar.
    Dell, Windows XP Pro, It is big and smokin'!
  • Wintrmte Calculating status...
    Currently Being Moderated
    Aug 26, 2008 7:24 AM (in response to tokatta)
    Piling on here as well. I promise, I'm not stalking you Supreme!

    As the others have indicated, we have not been able to get the iPhone to support client certificates in Safari or Email.

    Supreme - I'd like to stay in contact somehow outside of the forums, any suggestions?
    G4 Mini, Mac OS X (10.4.7)
  • nafrance Calculating status...
    Currently Being Moderated
    Sep 3, 2008 10:02 AM (in response to jvsmith)
    I've done some extensive testing (I work for a large CA) and can confirm that the iPhone's Mobile Safari does in fact support web-based client authentication. I've tested on both an iPhone 2G and the latest iPhone OS (2.0.2) on a 3G, via wifi and 3G.

    1) Sadly, you're right - no support for <keygen>. Apple really should add this.

    2) As you found out, the certificate & key pairs can be installed from a .pfx or .p12, provided they are emailed or served from a machine with the MIME types set as per the Enterprise Deployment Guide. As can the roots.

    3) This does, in fact, work. The iPhone will present a dialog explaining the site is requesting a certificate, and if more than one is available on the iPhone it will allow the user to choose.
    If your site with client-auth is not working, then it's likely your webserver does not require the client certificate - and Mobile Safari chooses not to send a certificate if not required (as does desktop Safari, except you can force it to use one via the new Identity Preferences in the keychain).

    I have a bit more info on my blog: http://nickf.net/post/48577888/on-ssl-client-authentication-and-the-iphone as well as some tinkering with client-authentication and none-Apache webservers.

    Hope that's of some help.
    Macbook Air & iPhone 3G, Mac OS X (10.5.4)
  • SupremeNemesis Level 1 Level 1 (0 points)
    Currently Being Moderated
    Sep 16, 2008 11:33 PM (in response to nafrance)
    OK. This is interesting now.... until my network admin shoots me down

    I installed the 2 certificates from the log file and then tested the site and it seemed to work perfectly. It offered the certificates on there and I chose the right one.

    When my network admin returns from leave, I will get him to have a look whether this should work the same in our scenario and fingers crossed that it will.

    I will report back here in a couple of weeks.
    Real PC, Windows XP Pro, Applie iPhone 3G
  • shawnfr Calculating status...
    Currently Being Moderated
    Nov 8, 2008 2:24 AM (in response to nafrance)
    Well I haven't had any luck getting an iPhone to present an SSL certificate to an IIS7 ASP.Net webserver.
    The same .p12 certificate works on IE7, PocketIE (WM6), Firefox and Safari (PC version). The website is set to Require an SSL certificate. From the Windows Mobile or PC browsers, you get a prompt for the client certificate. I have tried Nick's website and the iPhone will prompt to choose between his and my certificates, however with IIS7 you just get a 403.7 client SSL certificate required error.
    I have turned on SSL tracing in HTTP.Sys and get the following (edited for length) :

    <Opcode>SslInititateSslRcvClientCert</Opcode>
    - <Keywords>
    <Keyword>Flagged on all HTTP events handling ssl interactions</Keyword>
    </Keywords>
    <Task>HTTP SSL Trace Task</Task>
    <Message>Server application is attempting to receive the SSL client certificate, which will be provided if available. If the client certificate is not available, a renegotiation will be initiated.</Message>
    <Channel>HTTP Service Channel</Channel>
    <Provider>Microsoft-Windows-HttpService</Provider>

    ... then after various SSL negotiations and receive raw data traces I see...

    <Opcode>SslRcvClientCertFailed</Opcode>
    - <Keywords>
    <Keyword>Flagged on all HTTP events handling ssl interactions</Keyword>
    </Keywords>
    <Task>HTTP SSL Trace Task</Task>
    <Message>Attempt by server application to receive client certificate failed with status: 0xC0000225.</Message>
    <Channel>HTTP Service Channel</Channel>
    <Provider>Microsoft-Windows-HttpService</Provider>

    Which basically seems to mean a "not found" error.

    Anyone had any luck with iPhone to IIS 7 (which we have to use as it is an ASP.Net website)?
  • shawnfr Level 1 Level 1 (0 points)
    Currently Being Moderated
    Nov 21, 2008 9:05 AM (in response to shawnfr)
    I have confirmed that the latest 2.2 Firmware still has the same problem with SSL client certificates not being presented to IIS 7.

    I guess I am going to have to see how to raise a support issue with Apple.
  • SupremeNemesis Level 1 Level 1 (0 points)
    Currently Being Moderated
    Nov 23, 2008 3:18 PM (in response to shawnfr)
    I was hpoing that this release might address this issue, but alas it seems not to.

    Use the feedback form http://www.apple.com/feedback/iphone.html as we need people to advise them,so they are aware of how many people need this...
    Real PC, Windows XP Pro, Applie iPhone 3G
  • shawnfr Level 1 Level 1 (0 points)
    Currently Being Moderated
    Nov 26, 2008 12:27 AM (in response to SupremeNemesis)
    I will give them some feedback...
    I have found out some more information on the IIS7 problem. It turns out that Safari in OS X 10.5 has the same problem and doesn't put up the SSL Certificate selection dialog. However what people appear to do to work round Apple's bug is to use KeyChain to create an identity profile for the website using the right SSL client certificate... but and it is a BIG BUT... you have to do that for every single web page you access using the client certificate!
    That's just a crazy work around on OS X, but I can't see the equivalent of KeyChain Identity Profiles on the iPhone.
  • sinm Level 1 Level 1 (0 points)
    Currently Being Moderated
    Feb 24, 2009 1:27 AM (in response to shawnfr)
    I have similar problem. Cant get it working with IIS... Any solutions?
    lenovo t61, Windows XP Pro
  • ILoveTOFU Calculating status...
    Currently Being Moderated
    Apr 13, 2009 2:24 PM (in response to shawnfr)
    Does anyone know if the issue with certificates in the 2.2 firmware release also has issue with IIS 6? From my tests, it seems like it does, but would really appreciate it if someone could confirm. Also, this seems to affect activesync (also talking to a server running IIS 6.)
    Has anyone been able to get client cert-auth working with the iphone running firmware version 2.2 with activesync?
  • boole84 Calculating status...
    Currently Being Moderated
    May 12, 2009 2:22 AM (in response to ILoveTOFU)
    Hi guys I'd like to jump in here for testing and help with getting iPhone->client-auth->IIS working, I have got SSL client-auth working with Apache 2.2-win32 but the excact same setup on IIS 6-win32 does NOT WORK, you get presented with requires client certificate error, even though it works on Safari-win32 and Firefox-win32.

    I am on iPhone 3G 2.2.0 (iPhone1,22.2_5G77Restore.ipsw)

    I can think of two things to try:
    1. Upgrade iPhone to 2.2.1
    2. Upgrade IIS-win32.

    I am going to test these out later this evening, I will post back with my finds.
    Custom, Windows XP
  • boole84 Level 1 Level 1 (0 points)
    Currently Being Moderated
    May 13, 2009 8:43 AM (in response to boole84)
    I have tested with iPhone 3g firmware 2.2.0 and 2.2.1 on IIS 5.1, 6 & 7 and it doesn't work.

    It still works on Apache though.

    I will just have to use apache for this auth I suppose.
    Custom, Windows XP

Actions

More Like This

  • Retrieving data ...

Bookmarked By (0)

Legend

  • This solved my question - 10 points
  • This helped me - 5 points
This site contains user submitted content, comments and opinions and is for informational purposes only. Apple disclaims any and all liability for the acts, omissions and conduct of any third parties in connection with or related to your use of the site. All postings and use of the content on this site are subject to the Apple Support Communities Terms of Use.