
Error with client certificate auth on website. iOS7 - OK. iOS8 - error.

I have an HTTPS website with user certificate auth.


My certificate was generated with options:

  • Certificate key usage: digitalSignature keyEncipherment
  • Extended key usage: clientAuth



Web server

  • Windows 2008
  • IIS 7.5
  • Server linked to Active Directory and checks user certificates.


IIS is configured to require SSL user certificate.



My iPhone 5s had iOS 7.* installed and everything worked fine.

After updating the OS to version 8.0.2 I am getting error 403.7 (Safari doesn't send the user certificate).


We took a new iPhone 5s (iOS 8.0.2) and uploaded the same user certificate. Launched Safari, loaded the website and got the same error.


What was changed in iOS 8 that doesn't allow us to use user certificates to authenticate on corporate websites?

iPhone 5s, iOS 8, any iPhone or iPad with iOS 8

Posted on Oct 1, 2014 6:04 AM

18 replies

Oct 1, 2014 2:56 PM in response to Ar2r

We are experiencing the same problem with many devices, from iPhone 4's to iPad Air's.

It certainly is something in iOS 8.0.2 that is handling these certificates differently than in 7.x.

I am doing additional testing to try to isolate and ultimately work towards a resolution.

If you figure it out, please post your findings ... as will I.

Oct 1, 2014 11:23 PM in response to JJ-USA

I tried to configure it using this manual: http://www.lifeasasysadmin.com/require-client-certificates-in-iis-7-5/


clientcertnegotiation=Enable - not a solution.


Here is a link to test: https://www.mikestoolbox.net . This website asks the browser for a user certificate on iOS 7 and iOS 8 (!!!)

I think the problem is with the configuration of the web server.

Did you try to use TLS 1.2?

http://jackstromberg.com/2013/09/enabling-tls-1-2-on-iis-7-5-for-256-bit-cipher-strength/


What web server are you using?

Oct 2, 2014 9:18 AM in response to Ar2r

Version Info: 2008-R2 / IIS 7.5

https://www.mikestoolbox.net did give me a prompt for cert selection, but it is not the same as on iOS 7.x (I get 2 options, App Storefront and the client cert). On iOS 7.x I do not get a prompt for any cert and it automatically uses the correct one.

Was:

Protocol: TLSv1

Cipher: AES128-SHA

RESULT: Failed


Now:

(Used IIS Crypto - "Best Practices" )

Protocol: TLSv1.2

Cipher: ECDHE-RSA-AES256-SHA384

RESULT: Failed


Used iCurlHTTP app from both devices. Gives good info but it cannot present client cert so I can't see a successful connection from iOS 7.x with it.

Chrome on 7.x appears to not access certs either, as it fails just like Safari on iOS 8.x.

SSL Detective immediately crashes on iOS 8.x.


You have any new results?

Oct 3, 2014 7:11 AM in response to Ar2r

The second image did not upload successfully. I am curious about the on device cert.

I assumed you were having issues with an on-prem CA ... not a 3rd Party CA.

I would expect that you may have a better chance of getting your issue resolved than me, as I have an internal CA (MS ADCS).

You even have the option to engage Thawte support.

Oct 6, 2014 7:55 AM in response to Ar2r

Are you the only user with this problem?

I do not think you can do what you are trying to do. You are trying to establish a secure and authenticated session between a trusted 3rd Party cert and a self-signed one (regardless that you have your own CA).


I am using an internal CA for both the server cert and the client cert. Also, both the root and intermediate certs in the chain are trusted on both the server and the client.

Oct 6, 2014 1:52 PM in response to JJ-USA

Hey there - I think I have a similar issue. Been checking out this thread and want to chime in with what I am seeing.


We have an IIS webserver that is secured with a publicly signed SSL certificate. Authentication is happening via SSL client certificate deployed to the iOS device, which is signed by a private CA (both private and public CA happen to be Entrust).


IIS 7.5, ADFS 2.0. With iOS 7 authentication goes right through with one certificate. If multiple are installed, it prompts you for which to send. With iOS 8 we are never seeing the certificate prompt. We immediately get a 403 error, which means we did not send a certificate. If we sent the wrong certificate or a bad certificate we would get a different error.


We can go to Mike's toolbox and another Cisco VPN site we have that requests a certificate, and we can send it along for authentication. However, when going to the ADFS site it never prompts us for the certificate.


I tried setting SendTrustedIssuerList to 0 but it did not resolve the issue.

A colleague is working on getting the 8.1 beta for us to try it.

Seeing strange stuff when we are prompted for a certificate, sometimes it shows the CN of the certificate, sometimes it shows the thumbprint as well.
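An added diagnostic for the IIS side of the settings this thread touches (the OP's key usage / EKU requirements, clientcertnegotiation and the site's SSL flags, and SendTrustedIssuerList). It is example code, not from any poster, and assumes it runs as administrator on the IIS host with the WebAdministration module available, that the client cert under test has been imported into CurrentUser\My, and that $SiteName and $ClientCertThumbprint are placeholders you replace.

```powershell
# Added diagnostic (not from any post in this thread). Assumes it runs as
# administrator on the IIS 7.5 host with the WebAdministration module, that the
# client cert under test is imported into CurrentUser\My, and that the two
# variables below are placeholders you replace.
Import-Module WebAdministration
$SiteName             = 'Default Web Site'     # placeholder
$ClientCertThumbprint = 'PUT-THUMBPRINT-HERE'  # placeholder, hex without spaces

# 1. Site-level SSL flags: the site must both negotiate and require the client
#    cert for a 403.7 to mean "no cert was sent" rather than "cert never requested".
$flags = (Get-WebConfiguration -Filter 'system.webServer/security/access' `
            -PSPath "IIS:\Sites\$SiteName").sslFlags
$requiresCert = ($flags -match 'SslNegotiateCert') -and ($flags -match 'SslRequireCert')
"sslFlags = $flags  (negotiate+require: $requiresCert)"

# 2. HTTP.SYS binding: this line is the clientcertnegotiation=enable setting from the thread.
netsh http show sslcert | Select-String 'Negotiate Client Certificate'

# 3. SCHANNEL SendTrustedIssuerList: 0 sends an empty CA list in CertificateRequest,
#    absent or 1 sends the trusted-issuer list the client matches its cert against.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$stil = (Get-ItemProperty -Path $schannel -Name SendTrustedIssuerList `
            -ErrorAction SilentlyContinue).SendTrustedIssuerList
"SendTrustedIssuerList = $(if ($null -eq $stil) { 'not set (default)' } else { $stil })"

# 4. Client cert extensions: the OP generated it with digitalSignature + keyEncipherment
#    and EKU clientAuth (OID 1.3.6.1.5.5.7.3.2); confirm they survived import.
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $ClientCertThumbprint }
if (-not $cert) { throw "client cert $ClientCertThumbprint not found in CurrentUser\My" }
$ku  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasDigSig = $ku -and (($ku.KeyUsages -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature) -ne 0)
$hasClientAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })
"KeyUsage digitalSignature: $([bool]$hasDigSig)   EKU clientAuth: $([bool]$hasClientAuth)"

# 5. Trust: does the client cert chain to a root/intermediate this server trusts?
#    Revocation is skipped so an unreachable CRL is not mistaken for a trust problem.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($cert)
"Chain builds on this host: $chainOk" + $(if (-not $chainOk) { ' (' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ') + ')' })
```

If step 4 or 5 fails, the device-side symptom is explained before looking at iOS at all; if all five pass, the server side is ruled out and the remaining difference is how the iOS 8 client reacts to the CertificateRequest.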
