mTLS authentication from within the app

Hello,

I am trying to use mTLS authentication from within my app for communication with a server.

The idea is that the client certificate is installed on the device from outside of the app, e.g. by MDM or AppleConfigurator.

And the app needs to get and use that certificate to authenticate itself to the server when establishing the HTTPS (TLS) connection.

How can this be achieved?

Thanks

Ante

Replies

To start, I’m interpreting mTLS as mutual TLS.

The idea is that the client certificate is installed on the device from outside of the app, e.g. by MDM or AppleConfigurator.

This is the sticking point. Credentials installed in this way are placed in an Apple-only keychain access group and thus are unavailable to your app. QA1745 Making Certificates and Keys Available To Your App has more details on this.

You will need to find an alternative way to provision your app with your credentials. There’s a bunch of ways you can do this but in managed environments the best option IMO is to use Kerberos SSO. You have two ways to approach that:

  • You can configure your origin server to support Kerberos SSO and then you’re done.

  • If that’s not feasible — for example, because your origin server software doesn’t support Kerberos SSO — you can configure a second server that supports Kerberos SSO and, once authenticated, hands out the digital identity required to access the origin server. Your app can then first talk to that server to get the digital identity, and then use that to talk to the origin server.

ps Please do take the time to file a request for a better solution to this problem. This issue is a significant pain point for developers targeting a managed environment and, speaking personally, I’d love to see it get addressed. Your bug report will allow you to express your needs in your own terms, and allow iOS engineering to understand the level of demand here.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
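As an added illustration of the second option above (not code from the thread or from Apple): once the app has obtained its own digital identity from the intermediate server, it has to import that identity and present it when the origin server asks for a client certificate. The PKCS#12 blob, its password and the origin host name are assumed inputs; how the app fetches the blob is left to whatever the Kerberos SSO front end hands out.

```swift
import Foundation
import Security

/// Hypothetical helper: imports a PKCS#12 identity the app fetched itself and
/// answers the client-certificate challenge for one origin host only.
final class ClientCertSessionDelegate: NSObject, URLSessionDelegate {
    private let identity: SecIdentity
    private let originHost: String

    init(p12Data: Data, p12Password: String, originHost: String) throws {
        // SecPKCS12Import yields one dictionary per identity found in the blob.
        // On iOS it also places the imported identity in the app's own keychain,
        // which is exactly the access group the app can read (unlike MDM-installed credentials).
        var items: CFArray?
        let options = [kSecImportExportPassphrase as String: p12Password] as CFDictionary
        let status = SecPKCS12Import(p12Data as CFData, options, &items)
        guard status == errSecSuccess,
              let first = (items as? [[String: Any]])?.first,
              let rawIdentity = first[kSecImportItemIdentity as String] else {
            throw NSError(domain: NSOSStatusErrorDomain, code: Int(status))
        }
        // The import dictionary stores the identity as a SecIdentity CF object.
        identity = rawIdentity as! SecIdentity
        self.originHost = originHost
        super.init()
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only handle the client-certificate challenge; server trust stays with the system default.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodClientCertificate else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Do not present the identity to any host other than the one it was issued for.
        guard challenge.protectionSpace.host == originHost else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let credential = URLCredential(identity: identity, certificates: nil, persistence: .forSession)
        completionHandler(.useCredential, credential)
    }
}

// Usage with assumed values, after the app has fetched `p12Data` from its identity server:
// let delegate = try ClientCertSessionDelegate(p12Data: p12Data, p12Password: pw, originHost: "origin.example.com")
// let session = URLSession(configuration: .default, delegate: delegate, delegateQueue: nil)
```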

Has there been any progress made on this issue so far? I can't believe that Apple, which believes so much in tight security, doesn't allow apps to use client certs for services secured with mTLS.

We have a similar issue where we would like to develop and deploy a native app on an iOS device in an enterprise environment and use mTLS for the backend services. Would we be able to use/load the client certs issued by Mobile Iron MDM while interacting with secure APIs?