
I'm using the NEVPNManager to create a personal VPN for my iOS app which is working. Now I'm trying to install a root CA certificate that can be used by all apps. I understand the user will need to trust this certificate under General -> About - Certificate Trust Settings. I'm trying to automate as much of this process as possible. The two ways I've found to attempt to do this are either:

1) Open Safari with a URL to the root certificate hosted on a website and iOS will prompt the user to install the certificate as a profile.

2) Install the certificate programmatically within the app.

Option #1 works, but after the user installs the certificate they are not taken back to the app and still have to manually go in and trust the certificate in the Certificate Trust Settings.

With option #2, if SecItemAdd is used, it is only added to the keychain for my app's sandbox and is not available to other apps. The only option I have seen to make it available to other apps is to increase its trust level as shown here, but this seems to require an old open source library from Apple that I was not able to get to build.

So, what is the best option to accomplish installing the root certificate and prompting the user to make it trusted? If it is possible through #2, any ideas how I build and then incorporate that library into my app? If I'm left with #1, what is the best way to simplify the process for the user?

iOS Certificate Trust Settings

Austin

1 Answer


SecTrustSettingsSetTrustSettings and related symbols are private API and your app will be rejected by Apple on submission. Even if you manage to compile this open source, it will still export the private symbols, and your app will be rejected.

Instead, you should use the openURL: API and point to a .p12 file, either locally hosted (by using an in-app web server) or remote. The .p12 file should include the certificate chain.

This will open the Settings app and ask the user to install the certificate. Once the user installs, all applications on the device will trust it.

Léo Natan
  • Great, thanks Leo. That's the direction I've decided to go, just wanted to verify there was no way to do it programmatically. – Austin Apr 20 '17 at 15:02
  • Cheers. I'm not sure why Apple does not expose the full API. There is certainly capability for it in the UI. I guess they think it's dangerous with regard to the sandbox, but the net result of the above method is the same. – Léo Natan Apr 20 '17 at 15:13
  • Make sure to open an enhancement report with Apple. – Léo Natan Apr 20 '17 at 15:13
  • Can you please share how to install the certificate with openURL? I can't open the Settings app (trying to install a certificate of type .cer). – Witterquick May 01 '17 at 10:29
  • @Roee84 You don't do it through the settings app directly. You'll need to host your .cer file on a server somewhere and then do openURL to the url where the .cer file is hosted. That will open Safari which will then open the settings App to install the cer certificate as a new profile on the device. – Austin May 01 '17 at 16:40
  • 10x! Will try that, but isn't it possible to attach the .cer file to the app bundle and install it from there? – Witterquick May 01 '17 at 17:34
  • @Roee84 In that case you'd need an in-app web server. That has been done in many apps. – Léo Natan May 01 '17 at 17:35
  • Thanks! will try that one as well – Witterquick May 01 '17 at 19:43
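The "in-app web server" route from the answer and comments, as an added example that is not code from the original post or any of its authors: a minimal loopback HTTP listener built on the Network framework serves a .cer bundled in the app with the certificate MIME type, and openURL hands that URL to Safari, which offers it to Settings as a profile. The class name, port and file name are assumptions.

```swift
import Foundation
import Network
import UIKit

/// Serves one DER-encoded certificate over loopback HTTP so Safari can fetch it.
/// Hypothetical helper written for this example; the port and name are arbitrary.
final class CertificateServer {
    private let listener: NWListener
    private let response: Data

    /// `certData` is the raw .cer file; `port` must be free on the device.
    init(certData: Data, port: UInt16 = 8080) throws {
        listener = try NWListener(using: .tcp, on: NWEndpoint.Port(rawValue: port)!)
        // Safari only offers the download to Settings as a certificate profile when
        // the Content-Type is a certificate type; use application/x-pkcs12 for a .p12.
        let header = "HTTP/1.1 200 OK\r\n"
            + "Content-Type: application/x-x509-ca-cert\r\n"
            + "Content-Length: \(certData.count)\r\n"
            + "Connection: close\r\n\r\n"
        response = Data(header.utf8) + certData
    }

    func start() {
        listener.newConnectionHandler = { [response] connection in
            connection.start(queue: .main)
            // Read the request (any GET on this port gets the certificate), then reply.
            connection.receive(minimumIncompleteLength: 1, maximumLength: 4096) { _, _, _, _ in
                connection.send(content: response, completion: .contentProcessed { _ in
                    connection.cancel()
                })
            }
        }
        listener.start(queue: .main)
    }

    func stop() { listener.cancel() }
}

// Usage when the user taps "Install certificate" (rootCA.cer is an assumed bundle file):
// let certURL = Bundle.main.url(forResource: "rootCA", withExtension: "cer")!
// let server = try CertificateServer(certData: Data(contentsOf: certURL))
// server.start()
// UIApplication.shared.open(URL(string: "http://127.0.0.1:8080/rootCA.cer")!)
```

Because the app is backgrounded the moment Safari opens, keep the listener alive across that transition with UIApplication.beginBackgroundTask and end the task once the connection has been served. Installing the profile still leaves the root untrusted until the user enables it under Certificate Trust Settings, as the question notes.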