I have an IIS running that has a page, which has a link:

```html
<a href="itms-services://?action=download-manifest&url=@Url.Action("DownloadPlist", "Test", null, "https")">Plist</a>
```

That links to:

```csharp
[RequireHttps]
public ActionResult DownloadPlist()
{
    return File(Url.Content("~/pathToPlist/file.plist"), "application/xml");
}
```

The link in the a href is ultimately:

```
itms-services://?action=download-manifest&url=https://myapp/test/downloadplist
```

I can take the last part https://myapp/test/downloadplist and access it in my browser, which presents me with the XML file. However when I try to install it using an iPad using the full itms link, it says:

Cannot connect to myapp

I have a self-signed certificate, created by IIS Manager and sent to my iPad through E-Mail. It can then be installed but it still says Not Trusted. I have a feeling that this is the problem but I am not 100% sure.

Kevin Lee

1 Answer

This is a common problem if you create the certificate with IIS. The problem is that the machine name does not match the host name. This is also described in Section 3 of this article.

The best solution is to create your own CA. Then add the CA's certificate to the iOS device and sign your own certificate with your CA. See Section 5 of this article, copied below.

Create your own Certificate Authority (CA) root certificate and then create certificates based on it. Instead of paying a commercial CA to create SSL certificates on your behalf, you are acting as your own CA. The advantage is that your custom CA certificate only has to be installed once on each device. The devices will then automatically trust any certificates you issue based on your root CA certificate.

Creating the CA certificate

First create a private key file:

```sh
openssl genrsa -out myCA.key 2048
```

Then create the certificate:

```sh
openssl req -x509 -new -key myCA.key -out myCA.cer -days 730 -subj /CN="My Custom CA"
```

The certificate file (myCA.cer) created above can be publicly shared and installed on iOS or other OS’s to act like a built in trusted root CA.

The private key file (myCA.key) is only used when creating new SSL certificates. You can create as many certificates as you like based on this CA certificate.

Create a CSR (Client Signing Request)

First you would create a private key:

```sh
openssl genrsa -out mycert1.key 2048
```

and then create the CSR:

```sh
openssl req -new -out mycert1.req -key mycert1.key -subj /CN=www2.mysite.com
```

Then use the CSR to create the certificate:

```sh
openssl x509 -req -in mycert1.req -out mycert1.cer -CAkey myCA.key -CA myCA.cer -days 365 -CAcreateserial -CAserial serial
```

The certificate created (mycert.cer) can be installed on a web server and accessed from any iOS device that already has the CA certificate installed.

orkoden
  • *"The best solution is to create your own CA..."* - that still won't fix the underlying problem of an incorrect DNS name. The browsers and similar software will still reject it. Also, DNS names are *not* supposed to be placed in the Common Name (i.e., `/CN=www2.mysite.com`). DNS names go in the Subject Alternate Name (`SAN`). – jww Sep 05 '14 at 14:21
  • The underlying problem is that the certificate @kevin-lee wants to install on the iOS device is the wrong one. The CA's certificate needs to be installed. The instructions for creating an SSL certificate are copied from the linked page. It might contain incomplete or incorrect information. There are other [guides and even tools](http://stackoverflow.com/a/22367111/1329214) that describe these steps better. – orkoden Sep 05 '14 at 15:12
  • @orkoden Sorry for the late reply. Took a while for my company department to set this up. I can confirm that this works. – Kevin Lee Sep 12 '14 at 11:08
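
The steps from the answer with jww's point applied, as an added example that is not part of the original posts or the linked article: the leaf certificate carries its DNS name in the subjectAltName, and `check_cert` fails for any other name, which is the mismatch the answer describes for the IIS-generated certificate. The function names, the `ca.cnf` and `leaf.ext` files and the sample host are assumptions made for this example.

```shell
#!/bin/sh
# Added example. Host name, directory and file names are constructed values.
# Usage: d=$(mktemp -d); issue_cert www2.mysite.com "$d" && check_cert www2.mysite.com "$d"

# issue_cert HOST DIR: create a CA in DIR and a leaf for HOST with a DNS SAN.
issue_cert() {
    host=$1 dir=$2
    # Explicit config so the root is marked as a CA regardless of system defaults.
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = My Custom CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # The SAN carries the DNS name; the CN below is kept only as a label.
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
        "$host" > "$dir/leaf.ext"
    openssl genrsa -out "$dir/myCA.key" 2048 2>/dev/null &&
    openssl req -x509 -new -config "$dir/ca.cnf" -key "$dir/myCA.key" \
        -sha256 -days 730 -out "$dir/myCA.cer" &&
    openssl genrsa -out "$dir/mycert1.key" 2048 2>/dev/null &&
    openssl req -new -config "$dir/ca.cnf" -key "$dir/mycert1.key" \
        -subj "/CN=$host" -out "$dir/mycert1.req" &&
    openssl x509 -req -in "$dir/mycert1.req" -CA "$dir/myCA.cer" \
        -CAkey "$dir/myCA.key" -CAcreateserial -sha256 -days 365 \
        -extfile "$dir/leaf.ext" -out "$dir/mycert1.cer" 2>/dev/null
}

# check_cert HOST DIR: succeed only if the chain verifies against the CA
# certificate and HOST matches the leaf certificate.
check_cert() {
    openssl verify -CAfile "$2/myCA.cer" -verify_hostname "$1" \
        "$2/mycert1.cer" >/dev/null 2>&1
}

# has_dns_san HOST DIR: succeed only if HOST is listed as a DNS SAN entry.
has_dns_san() {
    openssl x509 -in "$2/mycert1.cer" -noout -text |
        tr -d ' ' | tr ',' '\n' | grep -qxF "DNS:$1"
}
```

Only `myCA.cer` is meant to be installed on the device; `myCA.key` stays on the machine that issues certificates.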