Original Poster - Posted August 27, 2014

Did not know where to post this as it hits a lot of topics on this forum, so I thought I would put it here in hopes to hit a few corp network engineers...

I want to install a root CA (.der or p12) onto an uncertain number of iOS devices (iPhones, iPads etc.) but I want people to have the choice, so they go onto the intranet and click download and then install it themselves... is this possible? Can it be automated so they just click yes and boom, done? Or do I have to faff around?

Link to comment: https://www.neowin.net/forum/topic/1227337-install-a-root-ca-on-to-ios/

tiagosilva29 - Posted August 27, 2014

I think that you have to physically deploy the certificate on each device with the iPhone Configuration Utility.

+BudMan MVC - Posted August 27, 2014

While yes you can install it that way.. You can also just install it via an email or where the device can download the file.

So here I just installed my pfsense root CA.. I emailed it to an account my phone has access to.

I then clicked on it.

Agree to the blurb that it's not trusted, etc..

You will then have to put in the passcode/PIN of your phone/tablet.

And then there you go, all trusted.

I can show you an example of serving up the file off an http server or using say Dropbox, etc. But email is maybe the best way for this rollout - just email the people you're going to want to trust your cert, they can install it or not -- would be up to them, etc.

Sikh - Posted August 27, 2014

What budman says works. You can also get an enterprise deploy cert from Apple and allow the iOS devices to download IPAs, certs, etc. from the web via Safari.

Original Poster - Posted August 27, 2014

> While yes you can install it that way.. You can also just install it via an email or where the device can download the file.
> So here I just installed my pfsense root CA.. I emailed it to an account my phone has access to.

Decided to go with the web way... it's annoying cause I have to build some sort of profile -__- which means I cannot do a general "here you go everyone, here is the CA"... no, I have to build it differently for Apple.... I hate Apple... (except my MacBook Pro, I love you maccy)

Sikh - Posted August 27, 2014

> Decided to go with the web way... it's annoying cause I have to build some sort of profile -__- which means I cannot do a general "here you go everyone, here is the CA"... no, I have to build it differently for Apple.... I hate Apple... (except my MacBook Pro, I love you maccy)

If you hate Apple for profiles you might as well hate Windows for policies via GPE......

+BudMan MVC - Posted August 27, 2014

> Decided to go with the web way... it's annoying cause I have to build some sort of profile

What do you have to build.. It's as simple as putting your crt file up on a webserver.

http://something.something.tld/yourcert.crt

I just did this with my pfsense ca crt.. on my phone I fired up the browser (safari is on all ios/apple devices - chrome and didn't launch the install profile setting, etc.) and put in a direct link to the file - bing bang zoom it's asking me to install.

I don't see how this is annoying? If it takes you more than 2 minutes to put your file up on a server your users have access to, you're in the wrong field of work ;) The hardest part of this process would be getting users to understand how to click the install button and then remember their own PIN ;)

tiagosilva29 - Posted August 27, 2014

Wait a minute. Are you telling me that you can just send a (link to a) root certificate to a zip-pop-diddly enterprise iPhone with maffah-clappah enterprise security settings and he'll just let you install it? Is there some profile work done a priori?

Original Poster - Posted August 28, 2014

> What do you have to build.. It's as simple as putting your crt file up on a webserver.
>
> http://something.something.tld/yourcert.crt
>
> I just did this with my pfsense ca crt.. on my phone I fired up the browser (safari is on all ios/apple devices - chrome and didn't launch the install profile setting, etc.) and put in a direct link to the file - bing bang zoom it's asking me to install.
>
> I don't see how this is annoying? If it takes you more than 2 minutes to put your file up on a server your users have access to, you're in the wrong field of work ;) The hardest part of this process would be getting users to understand how to click the install button and then remember their own PIN ;)

Apparently I have to build a profile .mobileconfig? Which is just different lol. Putting it on the web, no probs, takes two seconds, just got to make an Apple-specific download. (It's not just Apple devices I'm sorting.)

I am just doing what the documentation tells me... I have .DER .P12 blah blah blah *click boom* ... I am also building a script to see if they have it installed so I know if I have to link them again before giving them access :P I like scripting

+BudMan MVC - Posted August 28, 2014

> Wait a minute. Are you telling me that you can just send a (link to a) root certificate to a zip-pop-diddly enterprise iPhone with maffah-clappah enterprise security settings and he'll just let you install it? Is there some profile work done a priori?

So my phone is a company phone - locked down all kinds of ways here to Sunday. And yeah - I can either click on the cert in an email message or call up the link in Safari and install that way.

I don't know what he is going on about having to create profiles to install a cert for. Sure there are other profiles you would want to set on an enterprise phone. But it is really simple to have it trust a CA. Not sure about this Apple-specific download or mobileconfig he is talking about. I took my crt, posted it to my web server on the public net.. Pointed my company phone to it and there you go, it trusts my CA now, etc.

Original Poster - Posted August 28, 2014

> So my phone is a company phone - locked down all kinds of ways here to Sunday. And yeah - I can either click on the cert in an email message or call up the link in Safari and install that way.
>
> I don't know what he is going on about having to create profiles to install a cert for. Sure there are other profiles you would want to set on an enterprise phone. But it is really simple to have it trust a CA. Not sure about this Apple-specific download or mobileconfig he is talking about. I took my crt, posted it to my web server on the public net.. Pointed my company phone to it and there you go, it trusts my CA now, etc.

btw -__- I once again ignored the iOS developer and just did a web link to a .der ... worked fine (time wasted doing the method he said I had to do), though apparently trying to not put a password on a .p12 breaks it on Apple devices :P

+BudMan MVC - Posted August 28, 2014

Why would you need to put a password on it - you're not trying to install the private key for the CA are you? There is no reason for a password on a CA cert so clients trust stuff being signed/issued - now sure if you were going to include the private key in the p12 - then hell yeah password the ###### out of it!! ;)

p12 are normally used to bundle multiple certs together, the whole chain or with the private key. Not sure why you would use that format to hand users the CA cert?

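A pre-publish check for the format point raised in the post above: the file put on the web server should be a bare CA certificate, never a PKCS#12 bundle or anything holding the CA private key. This is an added example, not code from the thread; the function names and the constructed DER skeletons are assumptions for illustration, and the check looks only at the outer ASN.1 shape of the file.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length >= 0x80:                      # long form: low 7 bits give the byte count
        end = pos + (length & 0x7F)
        length, pos = int.from_bytes(buf[pos:end], "big"), end
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def classify_der(der):
    """Classify a DER blob by its outer shape (a heuristic, not validation)."""
    try:
        tag, body, _ = read_tlv(der, 0)
        kids, pos = [], 0
        while tag == 0x30 and pos < len(body):
            t, v, pos = read_tlv(body, pos)
            kids.append((t, v))
    except (IndexError, ValueError):
        return "unknown"
    tags = [t for t, _ in kids]
    if tags == [0x30, 0x30, 0x03]:          # tbsCertificate, algorithm, signature
        return "certificate"
    if tags[:2] == [0x02, 0x30] and kids[0][1] == b"\x03":
        return "pkcs12"                     # PFX version 3, may carry a private key
    if tags[:1] == [0x02]:                  # key formats open with an INTEGER version
        return "private-key"
    return "unknown"

def classify(data):
    """Return the set of object kinds found in a PEM or DER file."""
    kinds = {"private-key" if b"PRIVATE KEY" in label
             else classify_der(base64.b64decode(b64))
             for label, b64 in PEM_RE.findall(data)}
    return kinds or {classify_der(data)}

def safe_to_publish(data):
    """True only if the file holds certificates and nothing else."""
    return classify(data) == {"certificate"}

# Constructed DER skeletons: shape only, not real certificates or keys.
CERT = bytes.fromhex("3007 3000 3000 0301 00")
PFX = bytes.fromhex("3005 0201 03 3000")
```

Anything that does not classify as exactly `{"certificate"}`, including truncated or unrecognised input, is rejected, so the check fails closed.
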
Anibal P - Posted August 29, 2014

Wish I could contact the network guys at work, they have it set so that once connected to the corporate WiFi it prompts all iOS devices to install the cert, they click yes and are done, and we have some fancy things going on with our WiFi, PHI/PII related

+BudMan MVC - Posted August 29, 2014

^That is nothing special - that is your typical captive portal without a signed cert ;) The user should not have to install anything - the cert used for an https portal should be signed by a trusted source.

What the OP is also doing via PM and his other threads is SSL snooping of his users, which I personally think is a really really slippery slope. But as long as users know and agree that they are connecting to a MITM sort of setup where they are replacing the ssl cert of the site you actually go to with a cert signed by the company CA that you trust and that all your traffic is now in the clear to the company.. They can view your passwords you sent to neowin, your bank, etc.

He wants to install the CA cert on the device so any and all ssl certs created are trusted without warning - so when you go to your bank and think you're secure to the bank site it's not really true -- you're trusting the proxy ssl cert whose private key is known and all traffic ssl'd to the proxy can be viewed in the clear on the proxy.. And then from the proxy to the ssl site you want to go to, the site's ssl cert is used.