1 Reply
Latest reply on Jul 14, 2016 9:05 AM by perlguy
perlguy Level 1 (0 points)

I work for the DoD, and they like to have control over everything, including Root Certificate Authorities...

(Note, I have removed my actual server name and I am using myserver.foo.bar in my examples)

They recently updated the certificate on an API server that I use, and now I am unable to connect.

I have the root certificate (DODIDSWCA_37.cer).

I tested the cert using nscurl --ats-diagnostics --verbose https://myserver.foo.bar on my Mac.

Prior to adding the DODIDSWCA_37.cer to my keychain, most/all of the ats-diagnostic tests failed.

Once I added the DODIDSWCA_37.cer to my keychain, ALL of the ats-diagnostic tests passed.

I added the DODIDSWCA_37.cer to my iPad (via linking to the cert from a web page).

However, now I cannot connect to the API; I am getting a failure message saying:

"The certificate for this server is invalid. You might be connecting to a server that is pretending to be "myserver.foo.bar" which could put your confidential information at risk."

This is even with "Allow Arbitrary Loads" set to YES.

Also, if I now try to install an enterprise app, I get the following error in the device logs:

        Jul 14 08:29:43 NJVC1742-932 itunesstored[103] <Warning>: NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
        Jul 14 08:29:43 NJVC1742-932 itunesstored[103] <Warning>: Could not load download manifest with underlying error: Error Domain=NSURLErrorDomain Code=-1202 "Cannot connect to the Store" UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x1356db970>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSUnderlyingError=0x137210eb0 {Error Domain=kCFErrorDomainCFNetwork Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “myserver.foo.bar” which could put your confidential information at risk." UserInfo={NSErrorFailingURLStringKey=https://myserver.foo.bar/getplist/token/9hCHRCUw7fDEGrrjQ/appId/9a94a795-0274c422ef4d/getplist.plist, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFNetworkCFStreamSSLErrorOriginalValue=-9813, kCFStreamPropertySSLPeerCertificates=<CFArray 0x1356d8260 [0x1a0de7150]>{type = immutable, count = 3, values = (
          0 : <cert(0x13736b860) s: SERVERWEB01.myserver.foo.bar i: DOD ID SW CA-37>
          1 : <cert(0x1371886a0) s: DOD ID SW CA-37 i: DoD Root CA 3>
          2 : <cert(0x13732af40) s: DoD Root CA 3 i: DoD Root CA 3>
          )}, _kCFStreamPropertySSLClientCertificateState=1, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x1356db970>, NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “myserver.foo.bar” which could put your confidential information at risk., _kCFStreamErrorDomainKey=3, NSErrorFailingURLKey=https://myserver.foo.bar/getplist/token/9hCHRCUw7fDEGrrjQ/appId/9a94a795-0274c422ef4d/getplist.plist, _kCFStreamErrorCodeKey=-9813}}, NSErrorPeerCertificateChainKey=<CFArray 0x1356d8260 [0x1a0de7150]>{type = immutable, count = 3, values = (
          0 : <cert(0x13736b860) s: SERVERWEB01.myserver.foo.bar i: DOD ID SW CA-37>
          1 : <cert(0x1371886a0) s: DOD ID SW CA-37 i: DoD Root CA 3>
          2 : <cert(0x13732af40) s: DoD Root CA 3 i: DoD Root CA 3>
          )}, _kCFStreamErrorCodeKey=-9813, NSLocalizedDescription=Cannot connect to the Store, NSLocalizedFailureReason=A secure connection could not be established.  Please check your Date & Time settings., NSErrorFailingURLKey=https://myserver.foo.bar/api/2.7/getplist/token/9hCHRCUw7fDEGrrjQ/appId/9a94a795-0274c422ef4d/getplist.plist, NSErrorFailingURLStringKey=https://myserver.foo.bar/api/2.7/getplist/token/9hCHRCUw7fDEGrrjQ/appId/9a94a795-0274c422ef4d/getplist.plist, NSErrorClientCertificateStateKey=1}
So, now I find myself with 2 problems that I need solutions to...

1. What can I do so that I am able to install my enterprise apps again?

2. How can I tell my app to trust the DODIDSWCA_37.cer so that I can hit my API again?

I appreciate any help that is offered; I am going to keep researching this while I wait for answers here.

Thanks!
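For the second question, one way for the app itself to anchor trust on a private CA rather than relying on Allow Arbitrary Loads, as an added example that is not code from this thread: a URLSession delegate that evaluates the server's chain against a root certificate shipped in the app bundle. The logged chain ends at the self-signed "DoD Root CA 3" (SSL error -9813 is errSSLNoRootCert, "cert chain not verified by root"), so the bundled anchor has to be that root rather than the intermediate "DOD ID SW CA-37"; the example assumes the root is bundled as DER under the placeholder file name PrivateRootCA.cer and an iOS 12+ / macOS 10.14+ target for SecTrustEvaluateWithError.

```swift
import Foundation
import Security

/// URLSession delegate that accepts a server only if its chain verifies to the
/// private root bundled with the app. Assumption: the self-signed root is shipped
/// as DER under the placeholder resource name "PrivateRootCA.cer".
final class PrivateRootTrustDelegate: NSObject, URLSessionDelegate {
    private let anchors: [SecCertificate]

    init?(rootCertificateNamed name: String, in bundle: Bundle = .main) {
        guard let url = bundle.url(forResource: name, withExtension: "cer"),
              let der = try? Data(contentsOf: url),
              let cert = SecCertificateCreateWithData(nil, der as CFData) else {
            return nil   // missing or non-DER file: fail closed, never fall back silently
        }
        anchors = [cert]
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only server-trust challenges are handled here; client-cert and HTTP auth get default handling.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Replace the system root store with the bundled root for this evaluation only.
        // The SSL policy (hostname check for the request's host) is already attached to `trust`,
        // so a chain that ends at the bundled root but names a different host still fails.
        guard SecTrustSetAnchorCertificates(trust, anchors as CFArray) == errSecSuccess,
              SecTrustSetAnchorCertificatesOnly(trust, true) == errSecSuccess else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        var error: CFError?
        if SecTrustEvaluateWithError(trust, &error) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Chain does not terminate at the bundled root, or hostname/validity failed: reject.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage: every request through this session is rejected unless the server chain ends at the bundled root.
// let delegate = PrivateRootTrustDelegate(rootCertificateNamed: "PrivateRootCA")!
// let session = URLSession(configuration: .default, delegate: delegate, delegateQueue: nil)
```

Because the anchor is set per evaluation, the app's trust in the private root does not depend on what profiles happen to be installed on the device, and the hostname check from the request still applies.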