Is it required by Apple to implement SSL-pinning with self-signed certificates only in DER format?

I want to implement SSL-pinning in my application: an iOS device communicates with an external device via websockets. I generated a self-signed SSL certificate in PEM format (with all new requirements from here https://support.apple.com/en-us/HT210176). One copy of the certificate was uploaded to the external device firmware, and another copy was placed in the app bundle. I have some troubles establishing secure communication via TLS, and my concerns are that the certificate should be in DER format.

Could someone please confirm that, because it's not clear from Apple's documentation.

A certificate is composed of ASN.1 data and when it contains a DER extension that ASN.1 certificate is encoded in a binary format. The Security APIs for loading a certificate on Apple platforms work with the DER encoded X.509 certificates, so it is easier to start with a DER when performing certificate pinning or loading a certificate from disk. Having said that, if you need to convert from a PEM to a DER, there are no APIs to directly do this, but a PEM can often be expressed as a Base64 encoded DER certificate. So you could take a look at the decoding and encoding APIs from Data if you needed to decode a PEM file to get the DER encoded representation.



Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com
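
The PEM-to-DER step described in the answer above, as an added example that is not part of the original reply and is not Apple's code. It assumes a PEM file holding a single certificate; the error type, the function names and the resource name `device-cert.pem` are hypothetical.

```swift
import Foundation
import Security

enum PinnedCertificateError: Error {
    case missingPEMArmor
    case invalidBase64
    case notACertificate
}

/// Converts a single PEM-armored certificate to its DER bytes.
func derData(fromPEM pem: String) throws -> Data {
    let header = "-----BEGIN CERTIFICATE-----"
    let footer = "-----END CERTIFICATE-----"
    guard let start = pem.range(of: header),
          let end = pem.range(of: footer, range: start.upperBound..<pem.endIndex) else {
        throw PinnedCertificateError.missingPEMArmor
    }
    // The text between the armor lines is the Base64 of the DER certificate.
    let body = String(pem[start.upperBound..<end.lowerBound])
    // .ignoreUnknownCharacters skips the line breaks inside the Base64 body.
    guard let der = Data(base64Encoded: body, options: .ignoreUnknownCharacters),
          !der.isEmpty else {
        throw PinnedCertificateError.invalidBase64
    }
    return der
}

/// Loads the pinned certificate. SecCertificateCreateWithData returns nil
/// when the bytes are not a DER-encoded X.509 certificate.
func pinnedCertificate(fromPEM pem: String) throws -> SecCertificate {
    let der = try derData(fromPEM: pem)
    guard let certificate = SecCertificateCreateWithData(nil, der as CFData) else {
        throw PinnedCertificateError.notACertificate
    }
    return certificate
}

/// Pin check: the certificate the peer presented must be byte-for-byte
/// identical to the pinned one.
func matchesPin(_ presented: SecCertificate, pinned: SecCertificate) -> Bool {
    return (SecCertificateCopyData(presented) as Data) == (SecCertificateCopyData(pinned) as Data)
}

// Usage (hypothetical resource "device-cert.pem" in the app bundle):
// let url = Bundle.main.url(forResource: "device-cert", withExtension: "pem")!
// let pinned = try pinnedCertificate(fromPEM: String(contentsOf: url, encoding: .utf8))
```

A `notACertificate` error on a file that decodes cleanly from Base64 means the bundled file is not the X.509 certificate you expected, for example a private key or a CSR saved under the wrong name.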
