I work for the DoD, and they like to have control over everything, including Root Certificate Authorities...
(Note: I have removed my actual server name and am using myserver.foo.bar in my examples.)
They recently updated the certificate on an API server that I use, and now I am unable to connect.
I have the root certificate (DODIDSWCA_37.cer)
I tested the cert using nscurl --ats-diagnostics --verbose https://myserver.foo.bar on my Mac.
Prior to adding the DODIDSWCA_37.cer to my keychain, most/all of the ats-diagnostic tests failed.
Once I added the DODIDSWCA_37.cer to my keychain, ALL of the ats-diagnostic tests passed.
I added the DODIDSWCA_37.cer to my iPad (via linking to the cert from a web page).
However, now I cannot connect to the API; I am getting a failure message saying:
"The certificate for this server is invalid. You might be connecting to a server that is pretending to be "myserver.foo.bar" which could put your confidential information at risk."
This is even with "Allow Arbitrary Loads" set to YES.
Also, if I now try to install an enterprise app, I get the following error in the device logs:
Jul 14 08:29:43 NJVC1742-932 itunesstored[103] <Warning>: NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
Jul 14 08:29:43 NJVC1742-932 itunesstored[103] <Warning>: Could not load download manifest with underlying error: Error Domain=NSURLErrorDomain Code=-1202 "Cannot connect to the Store" UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x1356db970>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSUnderlyingError=0x137210eb0 {Error Domain=kCFErrorDomainCFNetwork Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “myserver.foo.bar” which could put your confidential information at risk." UserInfo={NSErrorFailingURLStringKey=https://myserver.foo.bar/getplist/token/9hCHRCUw7fDEGrrjQ/appId/9a94a795-0274c422ef4d/getplist.plist, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFNetworkCFStreamSSLErrorOriginalValue=-9813, kCFStreamPropertySSLPeerCertificates=<CFArray 0x1356d8260 [0x1a0de7150]>{type = immutable, count = 3, values = (
0 : <cert(0x13736b860) s: SERVERWEB01.myserver.foo.bar i: DOD ID SW CA-37>
1 : <cert(0x1371886a0) s: DOD ID SW CA-37 i: DoD Root CA 3>
2 : <cert(0x13732af40) s: DoD Root CA 3 i: DoD Root CA 3>
)}, _kCFStreamPropertySSLClientCertificateState=1, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x1356db970>, NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “myserver.foo.bar” which could put your confidential information at risk., _kCFStreamErrorDomainKey=3, NSErrorFailingURLKey=https://myserver.foo.bar/getplist/token/9hCHRCUw7fDEGrrjQ/appId/9a94a795-0274c422ef4d/getplist.plist, _kCFStreamErrorCodeKey=-9813}}, NSErrorPeerCertificateChainKey=<CFArray 0x1356d8260 [0x1a0de7150]>{type = immutable, count = 3, values = (
0 : <cert(0x13736b860) s: SERVERWEB01.myserver.foo.bar i: DOD ID SW CA-37>
1 : <cert(0x1371886a0) s: DOD ID SW CA-37 i: DoD Root CA 3>
2 : <cert(0x13732af40) s: DoD Root CA 3 i: DoD Root CA 3>
)}, _kCFStreamErrorCodeKey=-9813, NSLocalizedDescription=Cannot connect to the Store, NSLocalizedFailureReason=A secure connection could not be established. Please check your Date & Time settings., NSErrorFailingURLKey=https://myserver.foo.bar/api/2.7/getplist/token/9hCHRCUw7fDEGrrjQ/appId/9a94a795-0274c422ef4d/getplist.plist, NSErrorFailingURLStringKey=https://myserver.foo.bar/api/2.7/getplist/token/9hCHRCUw7fDEGrrjQ/appId/9a94a795-0274c422ef4d/getplist.plist, NSErrorClientCertificateStateKey=1}
So, now I find myself with two problems that I need solutions to...
1. What can I do so that I am able to install my enterprise apps again?
2. How can I tell my app to trust the DODIDSWCA_37.cer so that I can hit my API again?
I appreciate any help that is offered; I am going to keep researching this while I wait for answers here.
Thanks!
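Editor's note (added example, not part of the original post or any answer to it): the second question, making the app itself trust the DoD CA for its own API calls, is the one an app can solve in code. Error -9813 (errSSLNoRootCert) and the three-certificate chain in the log (leaf, DOD ID SW CA-37, DoD Root CA 3) show that iOS has no trust anchor for that chain; NSAllowsArbitraryLoads only relaxes App Transport Security, it never disables certificate validation. The Swift below restricts a URLSession to a CA shipped in the app bundle, using only the Security.framework calls named in the comments. It assumes the DER file from the post is added to the bundle as DODIDSWCA_37.cer, that the build targets iOS 12 or later (SecTrustEvaluateWithError), and that the bundle name and class name are the editor's own choices. It does not address the enterprise app install, which is performed by itunesstored against the system trust store, not by the app.

```swift
import Foundation
import Security

/// URLSession delegate that accepts a server only if its chain validates to the
/// CA certificate(s) bundled with the app (assumed file: DODIDSWCA_37.cer).
final class BundledCATrustDelegate: NSObject, URLSessionDelegate {
    private let anchors: [SecCertificate]

    /// - Parameter anchorFileNames: resource names (without ".cer") of DER-encoded CA certs in the bundle.
    init(anchorFileNames: [String], bundle: Bundle = .main) {
        anchors = anchorFileNames.compactMap { name in
            guard let url = bundle.url(forResource: name, withExtension: "cer"),
                  let data = try? Data(contentsOf: url),
                  let cert = SecCertificateCreateWithData(nil, data as CFData) else {
                return nil   // malformed or missing file: skip it rather than crash
            }
            return cert
        }
        super.init()
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only intercept server-trust challenges; leave client-cert and HTTP auth alone.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust,
              !anchors.isEmpty else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Replace the system anchors with the bundled CA and refuse any other root.
        // The SSL policy already attached to `trust` still checks the hostname
        // against the leaf, so this does not weaken name verification.
        SecTrustSetAnchorCertificates(trust, anchors as CFArray)
        SecTrustSetAnchorCertificatesOnly(trust, true)

        var error: CFError?
        if SecTrustEvaluateWithError(trust, &error) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Do not fall back to .performDefaultHandling on failure: that would
            // silently re-enable the system trust store and defeat the restriction.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage: every request through this session is validated against the bundled CA.
let trustedSession = URLSession(configuration: .default,
                                delegate: BundledCATrustDelegate(anchorFileNames: ["DODIDSWCA_37"]),
                                delegateQueue: nil)
```

Because the bundled file is the issuing CA rather than DoD Root CA 3, the evaluation stops at DOD ID SW CA-37 and treats it as the anchor; if the server is later re-issued under a different DoD intermediate, the app will fail closed until the bundled anchor is updated, which is the intended behaviour for pinning.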