I'm developing a macOS VPN application using the Network Extension API. That API requires its users to distribute their apps through the store. However, we would like to use certificate-based client authentication. The trouble is, a standard root CA that a Mac trusts out of the box can't be used to sign client certificates without exorbitant costs, AFAIK.
One way to handle this is to install and trust our custom CA on our users' machines. Heck, if the app were sideloaded it could be packaged into an installer with the cert and a script to install and trust it, but, again, that can't be done when using the Network Extension API (installer packages are not compatible with the store, and we also can't run sudo commands from the app itself). We could ask users to run an installer separately, but I'm fairly certain that doesn't mesh well with Apple's expectations for user experience (nor ours!).
Are these two needs mutually exclusive? How would Apple prefer we utilize the Network Extension API along with client certificates?
Cheers!