NSURLSession - HTTPS

How do I accept a CA ROOT signed certificate during a HTTPS connection (not self signed, I mean a trusted certificate authority stored by Apple on the device)?


Is it done by default? (don't need to implement NSURLSessionDelegate methods e.g. didReceiveChallenge...)


Or does validation have to be done manually:

- on didReceiveChallenge with SecTrustEvaluate (the ROOT certificate has to be found with SecTrustCopyCustomAnchorCertificates)?

- on didReceiveChallenge with SecTrustEvaluate (a copy of the ROOT certificate is stored in the app bundle)?


Thanks!

Accepted Reply

How do I accept a CA ROOT signed certificate during a HTTPS connection (not self signed, I mean a trusted certificate authority stored by Apple on the device)?

By default two things happen:

  • NSURLSession implements standard (RFC 2818 style) server trust evaluation.

  • App Transport Security (ATS) does its own enhanced security checks (see the doc links in my App Transport Security pinned post)

Both trust the root certificates baked into the system (see List of available trusted root certificates in iOS 10) and any installed by the user (typically via a configuration profile).

How do I accept a CA ROOT signed certificate during a HTTPS connection (not self signed, I mean a trusted certificate authority stored by Apple on the device)?

I’m not sure I understand your question here, but I think that you’re asking how you can get NSURLSession to trust your own custom CA. There’s two approaches you can use:

  • If you’re deploying to an enterprise environment, you should install your enterprise’s CA on the device. Both NSURLSession and ATS will automatically pick it up and trust any certificates it has issued.

    Note This approach also makes sense if you plan to use a CA-issued certificate in production but you want to test with a custom CA.

  • If you’re deploying to normal users via the App Store, you have to:

    1. Disable ATS for your server

    2. Override NSURLSession’s server trust evaluation, as described in Technote 2232 HTTPS Server Trust Evaluation

    I generally recommend you avoid this because step 1 will complicate your App Review (again, see the links in my ATS pinned post).

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
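The second approach in the accepted reply (override NSURLSession's server trust evaluation, TN2232 style) is what the question's second bullet describes: a copy of the private root is shipped in the app bundle and used as the anchor. The following is an added example, not code from the reply or from Apple; it assumes a DER-encoded root named "MyRootCA.cer" in the main bundle, and the class and method names are hypothetical. It uses SecTrustEvaluateWithError (iOS 12+), which replaced the SecTrustEvaluate named in the question.

```swift
import Foundation
import Security

/// Session delegate that accepts server chains issued by a bundled private root CA.
/// Everything other than server-trust challenges is handed back to the system.
final class PinnedRootSessionDelegate: NSObject, URLSessionDelegate {
    private let anchors: [SecCertificate]

    init(anchorCertificates: [SecCertificate]) {
        self.anchors = anchorCertificates
    }

    /// Loads a DER-encoded certificate from the bundle. Assumption: the file is
    /// "<name>.cer" in the main bundle (e.g. "MyRootCA.cer").
    static func loadBundledRoot(named name: String, in bundle: Bundle = .main) -> SecCertificate? {
        guard let url = bundle.url(forResource: name, withExtension: "cer"),
              let data = try? Data(contentsOf: url) else {
            return nil
        }
        return SecCertificateCreateWithData(nil, data as CFData)
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only server-trust challenges are our business. Client certificates,
        // HTTP Basic, proxy auth etc. keep the default behaviour.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Replace the system roots with the bundled one. Pass `false` to
        // SecTrustSetAnchorCertificatesOnly if public roots should still be accepted.
        guard SecTrustSetAnchorCertificates(trust, anchors as CFArray) == errSecSuccess,
              SecTrustSetAnchorCertificatesOnly(trust, true) == errSecSuccess else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // The trust object already carries an SSL policy for the request's host, so
        // this still performs the RFC 2818 checks (chain building, validity period,
        // hostname match); only the set of anchors has changed.
        var error: CFError?
        if SecTrustEvaluateWithError(trust, &error) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Fail closed. Falling back to .performDefaultHandling here would let the
            // system roots accept a chain the private CA never issued.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage (hypothetical file name): build the session once and reuse it.
let root = PinnedRootSessionDelegate.loadBundledRoot(named: "MyRootCA")!
let session = URLSession(configuration: .default,
                         delegate: PinnedRootSessionDelegate(anchorCertificates: [root]),
                         delegateQueue: nil)
```

Two practical notes. First, as the reply says, this delegate alone is not enough on the App Store path: ATS runs its own checks before the delegate is consulted, so the server still needs the ATS exception from step 1. Second, the delegate keeps the policy that NSURLSession already attached to the trust object instead of creating a new one, so the hostname check is not accidentally dropped; the common mistake in hand-rolled trust code is to evaluate the chain and forget that the leaf must also match the host being connected to.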

Replies


Thank you Eskimo!! Great answer, everything is clear to me now (I had misunderstood the default behavior of NSURLSession and ATS).