Authentication with Certificates

I've implemented a custom VPN for iOS using a Packet Tunnel Provider. I have the entitlement for 'com.apple.managed.vpn.shared'. One option to connect is to use a certificate - this can be done by distributing a VPN payload with the required certificate for the connection.

My question is if there's any way to distribute multiple certificates and that I'll be able to read them on my iOS app. For example, on the Certificates payload, I can add multiple certificates, but on the VPN payload, I can choose only one of them. So, can my app read more than one certificate?

Accepted Reply

any way to distribute multiple [digital identities] and that I'll be able to read them on my iOS app.

No. When the system ingests a profile, only the digital identity referenced by the VPN configuration payload is stored to com.apple.managed.vpn.shared. All the others go into the standard Apple keychain access group, which you can’t access.

If you push multiple VPN configuration payloads then all of their associated digital identities end up in com.apple.managed.vpn.shared. I can’t see anything that’d prevent you from querying the keychain for them all and then choosing between them.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
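The keychain query the reply describes, written out as an added example (it is not code from the thread or from Apple). It assumes the app or extension carries the com.apple.managed.vpn.shared keychain-access-groups entitlement mentioned in the question, enumerates every digital identity in that group, and lets the app pick one by the subject of its leaf certificate; the `VPNIdentity` type, the `VPNIdentityStore` helper and the subject-matching rule are hypothetical choices for illustration.

```swift
import Foundation
import Security

// Hypothetical value type (added example): one identity found in the shared group,
// with the persistent reference that NEVPNProtocol.identityReference expects.
struct VPNIdentity {
    let identity: SecIdentity
    let label: String
    let persistentRef: Data
}

enum VPNIdentityStore {
    // Access group named in the question; the app must hold the matching entitlement.
    static let accessGroup = "com.apple.managed.vpn.shared"

    // Return every identity the system stored in the shared VPN access group.
    static func allIdentities() throws -> [VPNIdentity] {
        let query: [CFString: Any] = [
            kSecClass: kSecClassIdentity,
            kSecAttrAccessGroup: accessGroup,
            kSecMatchLimit: kSecMatchLimitAll,      // all matches, not just the first
            kSecReturnRef: true,                    // SecIdentity reference
            kSecReturnAttributes: true,             // label and friends
            kSecReturnPersistentRef: true,          // Data usable across processes
        ]
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        if status == errSecItemNotFound { return [] } // no profile pushed yet is not an error
        guard status == errSecSuccess else {
            throw NSError(domain: NSOSStatusErrorDomain, code: Int(status))
        }
        guard let items = result as? [[CFString: Any]] else { return [] }
        return items.compactMap { item in
            guard let ref = item[kSecValueRef],
                  CFGetTypeID(ref as CFTypeRef) == SecIdentityGetTypeID(),
                  let persistentRef = item[kSecValuePersistentRef] as? Data else {
                return nil
            }
            let label = item[kSecAttrLabel] as? String ?? "<no label>"
            return VPNIdentity(identity: ref as! SecIdentity,
                               label: label,
                               persistentRef: persistentRef)
        }
    }

    // Choose between the identities by the subject summary of the leaf certificate.
    // The matching rule is an assumption; a real app might key on label or issuer instead.
    static func identity(matchingSubject wanted: String) throws -> VPNIdentity? {
        for candidate in try allIdentities() {
            var cert: SecCertificate?
            guard SecIdentityCopyCertificate(candidate.identity, &cert) == errSecSuccess,
                  let cert = cert,
                  let summary = SecCertificateCopySubjectSummary(cert) as String? else {
                continue
            }
            if summary == wanted { return candidate }
        }
        return nil
    }
}

// Usage: list what the profiles delivered, then pick one for the tunnel.
do {
    for entry in try VPNIdentityStore.allIdentities() {
        print("identity:", entry.label)
    }
    if let chosen = try VPNIdentityStore.identity(matchingSubject: "vpn-user-a") {
        // chosen.persistentRef can be assigned to NEVPNProtocol.identityReference.
        print("selected:", chosen.label)
    }
} catch {
    print("keychain query failed:", error)
}
```

Two details worth checking in practice: the query only sees identities that arrived via a VPN configuration payload (per the reply, identities from a bare Certificates payload land in a group the app cannot read, so they simply will not appear), and `errSecItemNotFound` is treated as an empty result rather than a failure so the app can distinguish "no profile installed" from a real keychain error.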

Replies

If you push multiple VPN configuration payloads then all of their associated digital identities end up in com.apple.managed.vpn.shared. I can’t see anything that’d prevent you from querying the keychain for them all and then choosing between them.

This is exactly what I've ended up with, just wanted to check if there's an option to do it all in a single payload. Thanks!