Reply to ATS Certificate Revocation Check
Thank you for your response! I would like to inquire further about what you meant by ATS being disabled when we use a custom CA. When we use our server certificate signed by our custom CA, TLS is definitely in use (invalidly signed or configured server certificates cause TLS errors, while valid certificates work fine). Besides TLS, what other security features are provided by ATS that we would have to forgo if we use a custom CA for our server certificate?
Aug ’23
Reply to ATS Certificate Revocation Check
We have NSAppTransportSecurity, since we have NSPinnedDomains and NSPinnedCAIdentities for our server domain and our custom CA certificate. Regardless, is your recommended solution to this to have the server bear a certificate signed by a trusted CA like DigiCert, and then we can have our own custom PKI for our client auth scheme, since we want to at least control the client CA?
Aug ’23
Reply to ATS Certificate Revocation Check
Sorry, I'm a little confused. We have been using our custom CA for a while and in our plist file, in NSAppTransportSecurity, we do not have any exceptions enabled and have NSAllowsArbitraryLoads as false. Is that not enough to have ATS considered enabled? Because SSL verification is definitely happening: when an incorrectly configured server certificate is presented, we have SSL verification errors. We're only encountering issues now when we want certificate revocation.
Aug ’23
Reply to ATS Certificate Revocation Check
We want to use a custom PKI for both client/server authentication in a sensitive application where we want to control the processes (we don't want an externally hosted CA). We are developing in-house all the parts of the PKI, including an OCSP responder, and we have gotten our custom certificates to work on our iOS app. The only part we don't have is getting the iOS app to check for certificate revocation.
Aug ’23