Error with client certficate auth on website. iOS7 - OK. iOS8 - error.

We are experiencing the same problem with many devices, from iPhone 4's to iPad Air's.

It certainly is something in iOS 8.0.2 that is handling these certificates differently than in 7.x.

I am doing additional testing to try to isolate and ultimately work towards a resolution.

If you figure it out, please post your findings ... as will I.

Version Info: 2008-R2 / IIS 7.5

https://www.mikestoolbox.net did give me a prompt for cert selection, but it is not the same as on iOS 7.x (I get 2 options, App Storefront and the client cert). On iOS 7.x I do not get a prompt for any cert and it automatically uses the correct one.

Was:

Protocol: TLSv1

Cipher: AES128-SHA

RESULT: Failed

Now:

(Used IIS Crypto - "Best Practices" )

Protocol: TLSv1.2

Cipher: ECDHE-RSA-AES256-SHA384

RESULT: Failed

Used iCurlHTTP app from both devices. Gives good info but it cannot present client cert so I can't see a successful connection from iOS 7.x with it.

Chrome on 7.x appears to not access certs either as it fails just like Safari on iOS 8.x

SSL Detective immediately crashes on iOS 8.x

You have any new results?

It appears that MIT is not having any problems with cert-based auth with iOS 8.x:

http://kb.mit.edu/confluence/display/istcontrib/iOS+Certificate+Support

Their matrix shows that all of their sites are working fine.

I think the reason that https://www.mikestoolbox.net prompts for additional certs it because there are no trusted certs on iOS to match to the chain received from the server. (For IIS see "SendTrustedIssuerList")

Not sure if there is anything that can be accomplished from the server side.

I just tested a developer version of iOS 8.1 and the issue has been resolved.

Still going to try to figure out a "fix" (as others do not have this issue) because 8.1 may not come out for another few weeks ... unofficially.

The second image did not upload successfully. I am curious about the on device cert.

I assumed you were having issues with an on-prem CA ... not a 3rp Party CA.

I would expect that you may have a better chance of getting your issue resolved that me as I have an internal CA (MS ADCS).

You even have the option to engage Thawte support.

Are the only user with this problem?

I do not think you can do what you are trying to do. You are trying to establish a secure and authenticated session between a trusted 3rd Party cert and a self-signed one (regardless that you have your own CA).

I am using an internal CA for both the server cert and the client cert. Also, both the root and intermediate certs in the chain are trusted on both the server and the client.

Hey there - I think I have a similar issue. Been checking out this thread and want to chime in with what I am seeing.

We have an IIS webserver that is secured with a publicly signed SSL certificate. Authentication is happening via SSL client certificate deployed to the iOS device, which is signed by a private CA (both private and public CA happen to be Entrust).

IIS 7.5, ADFS 2.0. With iOS7 authentication goes right through with one certificate. If multiple are installed, it prompts you for which to send. with iOS8 we are never seeing the certificate prompt. We immediately get a 403 error, which means we did not send a certificate. If we sent the wrong certificate or a bad certificate we will get a different error.

We can go to Mikes toolbox and another Cisco VPN site we have that requests a certificate and we can send it along for authentication. However, when going to the ADFS site it never prompts us for the certificate.

I tried setting SendTrustedIssuerList to 0 but it did not resolve the issue.

A colleague is working on getting the 8.1 beta for us to try it.

Seeing strange stuff when we are prompted for a certificate, sometimes it shows the CN of the certificate, sometimes it shows the thumbprint as well.