4

I want to create a certificate programmatically within an iOS app. The closest API I could find is SecCertificateCreateWithData, which requires a DER-encoded binary input.

Given that I have all the data needed available as runtime objects, how can I construct the DER-encoded binary data input?

Kara
Jamil

2 Answers

6

This is how it can be done:

#import <Foundation/Foundation.h>
#import <Security/Security.h>

NSString* certPath = [[NSBundle mainBundle] pathForResource:@"myCertificate" ofType:@"cer"];
NSData* certData = [NSData dataWithContentsOfFile:certPath];
SecCertificateRef cert = NULL;   // initialised so later checks are safe when the file is missing or empty
if( [certData length] ) {
    // returns NULL when the bytes are not a valid DER-encoded X.509 certificate
    cert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)certData);
    if( cert != NULL ) {
        CFStringRef certSummary = SecCertificateCopySubjectSummary(cert);
        if( certSummary != NULL ) {
            NSString* summaryString = [[NSString alloc] initWithString:(__bridge NSString*)certSummary];
            NSLog(@"CERT SUMMARY: %@", summaryString);
            CFRelease(certSummary);
        }
    } else {
        NSLog(@" *** ERROR *** trying to create the SSL certificate from data located at %@, but failed", certPath);
    }
}
// play with cert here; CFRelease(cert) when done, since the Create call returns an owned reference

myCertificate.cer must be in your application bundle. I create the cer file with openssl. If you are planning to use this in iOS application, make sure your certificate contains required extensions, check here. Even though the answer is -1, it helped me to get this running.

lawicko
  • Hi @lawicko, the solution you are proposing is copying an existing certificate "myCertificate.cer". My question is about creating a certificate programmatically rather than copying an existing one. I have all the details needed (e.g. keys, user details, etc.). – Jamil Mar 14 '12 at 11:20
  • Sorry, I misunderstood your question. The DER data is already a certificate, so the **SecCertificateCreateWithData** method will not help you with this. May I ask why you want to create the certificate itself with iOS? – lawicko Mar 14 '12 at 11:29
  • I need a certificate for each user. Do you reckon it would be easier to look at using OpenSSL within the app? – Jamil Mar 14 '12 at 11:44
  • (1) No, to be honest I think you are misusing SSL. The SSL certificates are used to represent web servers, not users. Unless you really know what you are doing, I think you should take a look [here](http://tldp.org/HOWTO/SSL-Certificates-HOWTO/x64.html). – lawicko Mar 14 '12 at 13:42
  • It's not an entirely invalid use case. He could be generating client-side certificates to identify users. Certificates are not strictly relegated to servers. However, doing it this way does go against the primary benefit of certificates for users: being issued by a trusted authority. If you're generating them on the device for each user and self-signing them, you have no proof that the certificate was issued by a trusted authority. – Shadowman Mar 15 '12 at 15:34
-1

Look at SecKeyGeneratePair; I think this is what you are looking for.

adrian.coroian
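The question asks how to build the DER bytes that SecCertificateCreateWithData expects. As an added example, not code from any post above, this minimal encoder in plain C (so it drops straight into an iOS target) implements the DER length and INTEGER rules and uses them to encode an RSAPublicKey SEQUENCE; the function names, buffer sizes and sample values are my own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Write one DER TLV (tag, length, value) into buf.
   Returns the number of bytes written, or 0 if cap is too small. */
static size_t der_tlv(uint8_t *buf, size_t cap, uint8_t tag,
                      const uint8_t *val, size_t len) {
    size_t nlen = 0;                         /* extra length bytes (long form) */
    if (len >= 0x80) for (size_t t = len; t; t >>= 8) nlen++;
    size_t hdr = 2 + nlen;
    if (hdr + len > cap) return 0;
    buf[0] = tag;
    if (nlen == 0) {
        buf[1] = (uint8_t)len;               /* short form: one byte, value < 128 */
    } else {
        buf[1] = (uint8_t)(0x80 | nlen);     /* long form: 0x8N, then N big-endian bytes */
        for (size_t i = 0; i < nlen; i++)
            buf[2 + i] = (uint8_t)(len >> (8 * (nlen - 1 - i)));
    }
    memcpy(buf + hdr, val, len);
    return hdr + len;
}

/* DER INTEGER from a big-endian unsigned magnitude (e.g. an RSA modulus):
   drop redundant leading zeros, then prepend 0x00 if the top bit is set so
   the two's-complement value stays positive. tmp size is an assumption (4096-bit). */
static size_t der_uint(uint8_t *buf, size_t cap, const uint8_t *mag, size_t len) {
    uint8_t tmp[520];
    while (len > 1 && mag[0] == 0) { mag++; len--; }
    if (len + 1 > sizeof tmp) return 0;
    size_t n = 0;
    if (mag[0] & 0x80) tmp[n++] = 0x00;
    memcpy(tmp + n, mag, len); n += len;
    return der_tlv(buf, cap, 0x02, tmp, n);  /* 0x02 = INTEGER */
}

/* RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER } (RFC 3447),
   the structure a certificate's SubjectPublicKeyInfo carries.
   Returns total bytes written, 0 on failure. */
size_t encode_rsa_public_key(uint8_t *out, size_t cap,
                             const uint8_t *mod, size_t mod_len,
                             const uint8_t *pe, size_t pe_len) {
    uint8_t body[1100];                      /* assumption: fits both INTEGERs */
    size_t n = der_uint(body, sizeof body, mod, mod_len);
    if (n == 0) return 0;
    size_t m = der_uint(body + n, sizeof body - n, pe, pe_len);
    if (m == 0) return 0;
    return der_tlv(out, cap, 0x30, body, n + m);  /* 0x30 = SEQUENCE */
}
```

A whole certificate is this same TLV nesting applied to the TBSCertificate fields, followed by a signature computed over the DER of that TBSCertificate; SecCertificateCreateWithData only parses the finished bytes, it does not sign anything.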