Install and trust CA in Mac App Store app?

I'm developing a macOS VPN application using the Network Extension API. That API requires its users to distribute their apps through the store. However, we would like to use certificate based client authentication. The trouble is, a standard root CA that a Mac trusts out of the box can't be used to sign client certificates without exorbitant costs AFAIK.


One way to handle this is to install and trust our custom CA on our users' machines. Heck, if the app were sideloaded it could be packaged into an installer with the cert and a script to install and trust it but, again, that can't be done when using the Network Extension API (installer packages are not compatible with the store and we also can't run sudo commands from the app itself). We could ask users to run an installer separately but I'm fairly certain that doesn't mesh well with Apple's expectations for user experience (nor ours!).


Are these two needs mutually exclusive? How would Apple prefer we utilize the Network Extension API along with client certificates?


Cheers!

Accepted Reply

Regarding client authentication, I mean the server is verifying that the user is who they say they are.

Ah, then my earlier response, based on the assumption that you’re asking about “client authenticates server” authentication, is completely off base. Sorry about the mixup.

On the “server authenticates client” side of things, it’s important to realise that the client does not do trust evaluation on the certificate that forms the client digital identity. Rather, the client just passes that certificate to the server, and it’s the server that does this trust evaluation.

Given that, it’s fine to issue your client certificate from a custom CA. It doesn’t matter that macOS won’t trust that certificate, because macOS never does a trust evaluation on it.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
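A check of the point made in the accepted reply, added here and not part of the thread: the openssl CLI stands in for the VPN server's trust evaluation of a client certificate issued by a private CA. The CA name, subjects and file paths are constructed for the demo; the private CA, the client identity and a look-alike self-signed certificate are all generated on the fly.

```sh
#!/bin/sh
# Added example (not from the thread): the trust evaluation that the VPN
# *server* performs on a client certificate, reproduced with the openssl CLI.
# All file names and subjects below are constructed for this demo.
set -e
WORK=$(mktemp -d)

# 1. A private CA. macOS will never trust this root, and it does not need to.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
  -subj "/CN=Example VPN Private CA" >/dev/null 2>&1

# 2. A client identity issued by that CA, restricted to client authentication.
openssl req -newkey rsa:2048 -nodes \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" \
  -subj "/CN=user1@example.com" >/dev/null 2>&1
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$WORK/client.ext"
openssl x509 -req -days 7 -in "$WORK/client.csr" \
  -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -extfile "$WORK/client.ext" -out "$WORK/client.pem" >/dev/null 2>&1

# 3. A look-alike certificate that was NOT issued by our CA (self-signed, same CN).
openssl req -x509 -newkey rsa:2048 -nodes -days 7 \
  -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" \
  -subj "/CN=user1@example.com" >/dev/null 2>&1

# What the server does: chain the presented certificate to the private CA only.
# Returns 0 when the certificate is acceptable, non-zero otherwise.
server_accepts_client() {
  openssl verify -CAfile "$WORK/ca.pem" -purpose sslclient "$1" >/dev/null 2>&1
}

# What a default system trust store (no private CA) would say about the same
# certificate: rejected, which is irrelevant because the server never asks it.
system_trusts() {
  openssl verify -purpose sslclient "$1" >/dev/null 2>&1
}

server_accepts_client "$WORK/client.pem" && echo "client.pem: accepted by server"
server_accepts_client "$WORK/rogue.pem"  || echo "rogue.pem: rejected by server"
system_trusts "$WORK/client.pem"         || echo "client.pem: not in system trust store"
```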

Replies

However, we would like to use certificate based client authentication.

I presume you’re talking about ‘client authenticates server’ authentication. Most folks use client authentication to mean ‘server authenticates client’ authentication, which is a whole different kettle of fish.

The trouble is, a standard root CA that a mac trusts out of the box can't be used to sign client certificates without exorbitant costs AFAIK.

Are those costs different for VPN servers than HTTPS servers? Because, based on what I’ve heard from other developers, the costs for HTTPS servers have dropped to zero.

As to using your own CA’s root certificate, I can confirm that there’s no way to override VPN server trust evaluation when setting up VPN via the Network Extension API (r. 18455897). The server’s certificate must be issued by a CA whose root is trusted by the system.

Furthermore, it’s not possible to install such a root without escalating privileges, which is specifically prohibited by the App Store Review Guidelines.

You could ask the user to do that. I don’t work for App Review, so I can’t predict how they’ll respond. My personal response would definitely be “No way!” (-:

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thank you for the detailed response, eskimo.


Regarding client authentication, I mean the server is verifying that the user is who they say they are. e.g.


import NetworkExtension

let config = NEVPNProtocolIKEv2()
config.authenticationMethod = .certificate   // IKEv2 client authentication with an X.509 identity
config.certificateType = .RSA
config.identityReference = <...>             // persistent keychain reference to the client identity


Where <...> refers, in part, to the client certificate we generated for that client. We have this working just fine but our current methodology, as you've confirmed, is probably not compatible with an app store release.


Looking into the letsencrypt service, thank you. If that is both (1) able to generate/revoke client certificates on the fly and (2) trusted by Apple systems by default then that solves our problem. I'll verify this but, based on your understanding given my clarification, does letsencrypt still appear to be a valid solution?


edit: It doesn't appear to do anything more than signing server certs which we can already handle; the exorbitant costs I referred to earlier were basically the costs of becoming your own CA or managing certs through another CA's enterprise system so we can generate client certs but remain trusted by default on a wide range of devices. It doesn't appear there is a way to use the .certificate authentication method in the app store for vpn connections. I feel like I'm missing something...
