cancel
Showing results for 
Search instead for 
Did you mean: 

Using Certificates for iOS Device Authentication

Highlighted
Occasional Contributor

Using Certificates for iOS Device Authentication

Here is the basic idea :

We want to put a entreprise generated cert on idevices, using the apple iPCU utility.

( iOS version 5 is used with the SA at version 7.1R5)

Here is some info from Apple regarding the iPCU utility :

Certificate Installation

On first launch iPCU creates a self-signed certificate in the Mac OS X keychain or

Windows certificate store (run certmgr.msc and navigate to "ipcu" to view it). This

certificate is then silently installed onto any iDevice that is connected to iPCU, and

cannot be removed. Configuration profiles that are subsequently installed are signed

with this certificate, which allows iDevices to validate profile authenticity.

When you install a configuration profile directly on a device using USB, the

configuration profile is automatically signed and encrypted before being transferred to

the device. iPhone Configuration Utility automatically installs a certificate on the

device for this purpose; you can see the certificate in the Summary pane. The message

This certificate was signed by an untrusted issuerÓ is normal and expected, because

itÕs self-signed. Any updates to this profile must be signed by the same copy of iPhone

Configuration Utility. For this reason, you should use one copy of the utility to

install and export configuration profiles.Ó

We see ( screenshot attached ) that it is complaining that the cert number a81097 bla bla bla is not trusted by the SA.

The problem is how to get this iPCU certificate in the SA boxÉ.

The local cert store of the machine where the iPCU utility is installed, got the ipcu cert in it.

When i try to export it and install it on the SA, it give me " basic constrain failure, missing root or parent CA " which i supposed mean that it does not have the CA of that cert.

I did open a ticket with support, got to level 2, and they never saw that.

Just another point. I don't really care about the iPCU utility. The thing is if i try to install the cert by sending it via email and opening it on the idevice, it's not showing in the junos pulse cert. Is this normal ?

I've stumble on this,: http://stackoverflow.com/questions/7648487/how-to-list-certificates-from-the-iphone-keychain-inside-..., but i'm not sure what it means.

I'm quite sure somebody made this work...

Thanks a lot for the help.

__

5 REPLIES 5
Highlighted
Regular Contributor

Re: Using Certificates for iOS Device Authentication

How are you generating the certificate?

Is it self signed certificate or do you have private ca in your network?

If it is self signed certificate you can import that to the SA but if this is a private ca you have to install the private CA certificate in to the SA and iphone

Highlighted
Occasional Contributor

Re: Using Certificates for iOS Device Authentication

The following KB, even though it is for activesync setup, should expain and help you with certificates and how to install on iPhone using IPCU.

http://kb.pulsesecure.net/InfoCenter/index?page=content&id=KB19325

Regards

Tony

Highlighted
Valued Contributor

Re: Using Certificates for iOS Device Authentication

I've ran a few tests and the iPCU should not be the cause of the issue. I've found that the iPCU CA is considered the signer when the iPCU utility signs the mobile configuration file. If you do not sign the mobile configuration file, then the iPCU CA will not appear when you import the configuration. This means when the iOS device states iPCU as a signer, this is only referring to the profile, not the certificate.

I've tested both scenarios (signed and did not sign the mobile configuration file) and this did not change the behavior of client authentication with Junos Pulse. I was able to use the certificate in both scenarios. This should confirm the iPCU CA is not the root cause of the issue. Also, I found it interesting that importing the client certificate worked and did not require to import the root ca to trust the client certificate.

I was able to duplicate this issue when I selected the default client/device certificate within the iOS devices which appears as a hash in the Junos Pulse client. In this case, this certificate is signed by the iPCU CA and the reason why the message states it cannot trust this certificate. If there is only one certificate which appears as a hash in Junos Pulse, this means Junos Pulse does not detect the imported certificate as a valid client authentication certificate. This usually points to an issue with how the certificate was issued and missing the "Client Authentication" key usage on the certificate.

Highlighted
Occasional Contributor

Re: Using Certificates for iOS Device Authentication

Exact. The client send me back a correctly generated cert and that did the trick. I must say that I had never heard of ipcu and the like before. That have been a nice learning experience. Thanks all for your input.

Highlighted
Valued Contributor

Re: Using Certificates for iOS Device Authentication

I'm glad the issue was resolved.