Our VPN server (strongSwan) authenticates by SSL certificate with our client. The server SSL certificate is issued by a CA that is not trusted by iOS and has the following chain of trust:
AddTrust External CA Root => COMODO RSA Certification Authority => COMODO RSA Domain Validation Secure Server CA => <our_server_SSL_cert>
COMODO RSA Domain Validation Secure Server CA is NOT trusted, and thus chain of trust cannot be established.
In this thread I mentioned that I had been able to overcome this by installing Root CA via .mobileconfig (payload type com.apple.security.root). There are other topics touching the same thing, e.g.:
* In the "cannot establish Ikev2 connection programmatically" thread, @eskimo mentioned:
> iOS has no API to install a trusted root certificate globally
and
> If you want to continue down the NEVPNManager path you will have to get a trusted CA to issue you a certificate for your VPN server.
* In another thread, "How do I prompt a user to trust a root CA certificate programatically on iOS?", there is one more confirmation that installing a Root CA programmatically is not possible.
With this thread, I'd like to confirm two things:
- There is NO chance iOS can establish a chain of trust when the Root CA is issued by another trusted Root CA?
- There is NO other way to install a Root CA, except .mobileconfig or providing a URL to download a .cer file and install it by user actions?
Thank you.
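
For reference, the `.mobileconfig` route mentioned in the post (payload type `com.apple.security.root`) can be generated from a PEM file as sketched below. This is an added example, not code from the original post; the profile name, the identifier `com.example.vpn.trust` and the sample PEM body are constructed placeholders.

```python
import base64
import plistlib
import re
import uuid

# Constructed stand-in for a PEM file; the body is NOT a real certificate.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"constructed bytes standing in for a DER root CA certificate").decode()
    + "-----END CERTIFICATE-----\n"
)

def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if m is None:
        raise ValueError("no PEM certificate block found")
    # Strip line breaks, then decode strictly so stray characters are rejected.
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def build_root_ca_profile(pem: str, name: str, identifier: str) -> bytes:
    """Wrap one root CA certificate in a configuration profile (XML plist)."""
    cert_payload = {
        "PayloadType": "com.apple.security.root",  # payload type named in the post
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".rootca",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadCertificateFileName": name + ".cer",
        "PayloadContent": pem_to_der(pem),  # bytes are serialized as <data>
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name + " trust profile",
        "PayloadContent": [cert_payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)

if __name__ == "__main__":
    xml = build_root_ca_profile(SAMPLE_PEM, "Example Root CA", "com.example.vpn.trust")
    print(xml.decode())
```

The output is what would be saved with a `.mobileconfig` extension; installing it still requires the user to open and approve the profile on the device.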