
We are building an end-to-end solution that will allow our customers to access their ERP data, hosted on their own servers, through mobile applications. Version 1 will be an iOS app.

We need to make sure the traffic between the client and the server is encrypted with SSL. The problem is that we want the installation of the server to be as seamless as possible, so we don't want the customer to go through the process of buying and installing SSL certificates, not to mention having to renew that certificate every year.

We were thinking of creating a self-signed CA certificate and using it to create child certificates for each client to install on their servers (along with the public CA certificate). We would automate the process of creating the child certificate and include it as part of the setup process. The certificate will also have a very long expiration date so as not to deal with expirations. But if we use this certificate, the requests from the client won't be trusted, as the CA won't be trusted.

  1. Can the CA be added to the iOS app or device?
  2. Is there a security concern with this implementation?
Jonas Stawski
  • For 1, check out [How to use NSURLConnection to connect with SSL for an untrusted cert?](http://stackoverflow.com/questions/933331/how-to-use-nsurlconnection-to-connect-with-ssl-for-an-untrusted-cert) – CarlJ Jan 28 '13 at 15:32
  • Thanks for the suggestion. I need to make sure it works with all clients: iOS, Android, Windows – Jonas Stawski Jan 28 '13 at 16:33

2 Answers


I have a very similar situation. So far I have just created self-signed certificates and programmed the clients to allow untrusted SSL certificates. If there is a better answer I'd love to hear it.

Hackmodford
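As an added example (not code from any poster on this page), here is the question's private-CA scheme done with openssl, together with the two checks a client must perform instead of "allowing untrusted certificates" as in the answer above: chain to the bundled vendor CA only, and check the hostname it dialled. The hostnames and the scratch directory are constructed; a per-customer leaf is bound to one hostname so that one customer's certificate cannot be presented as another's.

```shell
#!/bin/sh
# Added example: the question's private-CA scheme, plus the checks a client
# must perform instead of accepting any untrusted certificate. Hostnames are
# constructed; $WORK is a scratch directory.
WORK="${WORK:-$(mktemp -d)}"

# Vendor-side, done once. The default openssl.cnf marks a 'req -x509' cert CA:TRUE.
# Keep ca.key offline; only ca.pem is bundled into the app.
make_private_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example ERP Vendor Private CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Issue one leaf per customer server, bound to that server's hostname via SAN
# and restricted to serverAuth, so one customer's cert cannot impersonate
# another's. Leaf validity is kept moderate: rotate leaves, not the CA.
# $1 = customer server hostname
issue_customer_cert() {
  host="$1"
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
    "$host" > "$WORK/$host.ext"
  openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$WORK/$host.ext" \
    -out "$WORK/$host.pem" >/dev/null 2>&1
}

# What a correctly configured client does: chain to the bundled CA only and
# check that the name it dialled is in the certificate. Prints ok or fail.
# $1 = certificate to check (by the hostname it was issued for), $2 = name dialled
verify_as_client() {
  if openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$2" \
      "$WORK/$1.pem" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# The same certificate against the system trust store, i.e. what an unmodified
# browser or OS does: this fails, which is exactly the problem the question raises.
verify_against_system_store() {
  if openssl verify "$WORK/$1.pem" >/dev/null 2>&1; then echo ok; else echo fail; fi
}
```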

It is 2017 and letsencrypt now exists, which provides free domain validation and signing of TLS certificates such that browsers / OS HTTPS or TLS libraries and frameworks will accept them, and through certbot it is relatively easy to set up auto-renewal. I won't describe it here because it's deployment specific, but they have good docs. Combined they're probably the best solution out there.

Bundling and using self-signed certificates is seriously sub-optimal for various reasons, and there's no reason to do it anymore (except perhaps gross laziness), so don't.

Free is only for basic domain-validated certificates, i.e. where letsencrypt.org validates that you own the domain that you say you do (and certbot is used to automate that process). You still need to pay for extra verification steps if you want them. However, for internal TLS connections between your app and your server, you only really need domain validated, because you only have to be sure you are talking to your server. The extra steps are more focussed on giving a customer confidence in a company, so they can give over sensitive data with greater peace of mind. Generally speaking, if they are using your app, that suggests they trust your company already, so the extra validation is not important (and probably invisible to the customer anyway).

In development if you want to use self-signed certificates this may still make sense. Check out my answer to this question on how to install self-signed certificates for all apps on your iOS device.

daphtdazz