Client SSL Certificate Authentication

Sorry to dig this one up.

I've also got this working on an iPad running iOS 4.3.3 , however the requirements are to run 2048bit SSL.

2048bit CA and a 1024bit client certificate

Or

A 2048bit CA and a 2048bit client certificate, Safari on the iPad showed a loading symbol that kept refreshing in some kind of loop, it never stopped.

The Apache never sees a successful connection.

However with a 1024bit CA and a 1024bit certifiate everything works fine.

Does anyone know if its possible to use Apache, mutual SSL, or SSL with a client certificate for authentication, and 2048bit SSL with an iPad?

Is there any chance the mobile Safari will be upgraded to support this in iOS 5?

The Apache version is 2.0.59, all certificates were generated using openssl on Redhat linux.

Thanks

Hi,

I have setup the lab with IIS (Windows 2003 R2) and enabled Directory Services certificate mapping and required certificate authentication on web site.

Client Certificate Authentication works perfectly with one or more certificates on iPhone 4 (IOS 5). If you have only one certificate, mobile Safari does not ask you for certificate selection, it just authenticates you without any problem. If you have more certificates, then you have to select the wanted certificate and it works like a charm.

I am using 2048 bit RootCA key and 1024-bit and 2048-bit user certificates. It all work, so it does not depend on key lenght.

Important thing is that I am using only one level in PKI hierarhy, so only RootCA server.

In other lab, certificates are issued using 3-tier PKI hierarhy and Client Certificate authentication does not work. Mobile Safari does not ask for certificate and does not show any error message. There is only error message from IIS that this page requires certificate authentication.

It looks like that mobile Safari does not recognize certificates issued from 3-tier PKI. I did not try 2-tier PKI, will do that soon.

Any information from Apple on 3-tier PKI support?

Thanks,

Stibra

It is interesting that iPhone works with 2-tier PKI and client certificate authentication, but iPad does not work!!!

iPad for now works only with 1-tier PKI client certificates.

Just FYI, I was using a 2-tier PKI when I was testing with Apache.

Apple did offer there support for troublesooting the issue, as part of their enterprise support team, however the company I worked for ran out of ipads and budget 😟

There is no difference between IIS and Apache, they work both. There are problems only in IOS. Interesting thing is that iPhone supports 2-tier PKI for client certificates, and iPad do not.

Any rdp or Citrix client with support for client certificate authentication?

Sorry for error in previous post, there is no difference between iPhone and iPad, but between IOS version.

IOS 4.2 and 4.3 supports 2-tier PKI and IOS 5 DOES NOT SUPPORT 2-tier PKI. Why? Why????

Dear All,

Facing the same issue with safari client certificate authentication: Was someone able to find answer to the fact that IOS 4.x was OK with 2-tier PKI hierarchy and that IOS 5.x isn't ?

Yes, after detailed testing with different certificate sizes and different PKI hierachy, IOS 4.x works fine with 2-tier, while IOS 5.x supports only 1-tier PKI.

I do not have Apple support agreement, but would like to hear something officialy from Apple about that and when they plan to implement normal behaviour and support 2 and 3-tier PKI for certificate client authentication in Safari.