
Self-Signed SSL Certificate Trust from iOS App

I am building an App which retrieves some data from a server. The server can be installed elsewhere (I have also built the server) and after setting the correct host in the App you are good to go.

Now my problem. I am trying to make things as secure as possible, and one of those aspects is using SSL. I am using self-signed certificates on the server side, but I can't get it accepted by my iOS app. At first I got the warning that the certificate is not trustworthy even from the PC that is running the server, but after I found this answer [1], I got the "https" being accepted from my browser (and fiddler), it also turns green when calling the server url, so everything is now working fine, but just from the PC where the server is running.

When I try to call the url from an external device, I again get the message that the certificate is not trustworthy (which I understand because I signed the certificate myself, but here I am looking for some way to bypass that), and from inside my app I cannot establish a connection.

So, can I set my self-signed certificate as "trustworthy" for external devices? (Expecting every customer to buy their own certificate is not an option.)

Or, is there an Apple-approved way to accept this certificate from inside my iOS App? I know I can get it accepted by changing something in the private API of NSURLRequest (if somebody is interested I can explain that), but I have been reading that in this case it is likely that my app is going to be rejected. So here I am looking for some "legal" way of accepting my self-signed certificate.

[1] How to create a self-signed certificate for a domain name for development?
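An added example, not part of the question or of any answer on this page, of the approach Apple does support for accepting a known self-signed server certificate from inside an app: ship the server's certificate in the app bundle and, in a `URLSessionDelegate`, make it the only trust anchor for the server-trust challenge, then let the system's TLS policy evaluate the presented chain against it. The bundled file name (`server.der`, DER-encoded) and the class name are assumptions for the example; the hostname, expiry and key-usage checks are still performed by the default policy attached to the `SecTrust`, so only the "unknown issuer" problem is addressed, and any other certificate is rejected.

```swift
import Foundation
import Security

/// URLSession delegate that trusts exactly one self-signed server certificate
/// shipped in the app bundle. Assumed resource name: "server.der" (DER encoding).
final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
    private let anchor: SecCertificate

    /// Fails (returns nil) if the bundled certificate is missing or not parseable,
    /// so a broken build cannot silently fall back to "trust anything".
    init?(bundledCertificateNamed name: String = "server", bundle: Bundle = .main) {
        guard let url = bundle.url(forResource: name, withExtension: "der"),
              let data = try? Data(contentsOf: url),
              let cert = SecCertificateCreateWithData(nil, data as CFData) else {
            return nil
        }
        self.anchor = cert
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only handle the server-trust challenge; leave client-cert, basic auth etc. to the system.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Replace the system root store with our single anchor. The SSL policy already
        // attached to `trust` still checks the hostname, validity period and key usage.
        guard SecTrustSetAnchorCertificates(trust, [anchor] as CFArray) == errSecSuccess,
              SecTrustSetAnchorCertificatesOnly(trust, true) == errSecSuccess else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        var error: CFError?
        if SecTrustEvaluateWithError(trust, &error) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Fail closed: anything other than the bundled certificate (or a certificate
            // presented for the wrong host, or an expired one) is rejected.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

/// Builds a session that uses the pinned delegate. `URLSession.shared` ignores delegates,
/// so the session has to be created explicitly.
func makePinnedSession() -> URLSession? {
    guard let delegate = PinnedSessionDelegate() else { return nil }
    return URLSession(configuration: .default, delegate: delegate, delegateQueue: nil)
}
```

Two practical notes on this design: App Transport Security still applies to the connection itself (TLS 1.2 or later, a SHA-256 certificate, an RSA key of at least 2048 bits), the delegate only replaces which issuer is trusted; and because the anchor is compiled into the app, rotating or revoking the server certificate means shipping an app update, which is the same operational problem the answers below raise against using a self-signed certificate in production.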

  1. edit ssl.conf and comment #SSLProxyVerify 3 lines
  2. restart httpd_device

This will disable the SSL cert check so you can use your self-signed cert for testing.

I solved this problem recently working on my iOS Web Bluetooth app WebBLE.

Before that though it's worth saying in answer to the OP:

can I set my self-signed certificate as "trustworthy" for external devices?

no, because if the server could somehow tell a client to trust its self-signed certificates that would defeat the entire point of signing certificates! So your client needs to support them and you will need to work out how to configure them for each client.

The steps that I took (lifted from my FAQ for WebBLE) to install and use a self-signed certificate in any webkit-using app on iOS (such as WebBLE and Safari) are as follows:

  1. Create your self-signed certificate and key files using openssl or however. Be sure it has the correct /CN "Common Name" for your local server, e.g. mycomputer.local.
  2. Configure your webserver to use it (obviously) and check that it is working using a different client, such as a browser on a Mac.
  3. Email your certificate to an email address you can access on your iOS device.
  4. Tap on the attachment in Mail on your iOS device, this should now prompt you to install it. Do so.
  5. You should now verify that it is installed by going to the Settings app, then General -> Profile -> <Common Name>. The Profile menu probably won't be there at all until you've installed the first certificate. The certificate should be marked Verified (it was verified by you when you installed it).
  6. You might, like I did, have thought this would be enough. It isn't. You now, really counter-intuitively, need to go to the setting General -> About -> Certificate Trust Settings and enable full trust for your certificate there as well. It's such a weird place for that setting to be.

Hat-tip to blog.httpwatch.com for getting me most of the way there. They just didn't have step 6 for some reason.

Edit

Re-reading the question, I realize the OP also wants a way to distribute their app such that it can use the self-signed certificate for all clients. This is not a good idea for various reasons, not least that:

  • you would have to worry about expiry dates and set dangerously long ones or update the certificate regularly
  • if someone stole your private key you can't revoke the certificate that is now installed on all your customers' devices.

In production you should get a certificate signed by a reputable third party agent so that iOS will accept it by default. Then you can renew it periodically and also revoke it if it gets stolen. It's free to get basic certificates for a domain using a service like letsencrypt.org, so that's what you should do.

For development it's still useful to use self-signed certificates, and my answer helps with that.
