How to install VPN root certificate in iOS Profile & Device Management and Trust Store Programmatically?

I am using NEVPNManager with an IKEv2 certificate as my authentication method for connecting to the VPN. I am able to connect to the VPN. Below is my sample block of code.
```swift
guard let path = Bundle.main.path(forResource: VPNConstants.certificateName, ofType: "p12") else {
    fatalError("Unable to find Certificate")
}
do {
    // The .p12 holds the client identity (certificate + private key) used for IKEv2 auth.
    let data = try Data(contentsOf: URL(fileURLWithPath: path), options: .mappedIfSafe)
    ikev2.identityData = data
} catch {
    fatalError("Unable to read Certificate")
}
ikev2.identityDataPassword = VPNConstants.password
```

I tried to install the root certificate using the SecCertificateCreateWithData and SecItemAdd methods from the Security framework. I don't get any errors installing the certificate, but it doesn't appear in my iOS Profile & Device Management or Trust Store. Below is the block of code I am using for the same.

```swift
fileprivate func installCertificate() {
    guard let path = Bundle.main.path(forResource: "rootcertificate", ofType: "der") else {
        return
    }
    do {
        let data = try Data(contentsOf: URL(fileURLWithPath: path), options: .mappedIfSafe)
        var status: OSStatus = noErr
        guard let rootCert = SecCertificateCreateWithData(nil, data as CFData) else {
            return
        }
        // Adds the certificate to this app's keychain.
        let addquery: [String: Any] = [kSecClass as String: kSecClassCertificate,
                                       kSecValueRef as String: rootCert,
                                       kSecAttrLabel as String: "My Certificate"]
        status = SecItemAdd(addquery as CFDictionary, nil)
        if status == noErr {
            print("Install root certificate success")
        } else if status == errSecDuplicateItem {
            print("duplicate root certificate entry")
        } else {
            print("install root certificate failure")
        }
        let policy = SecPolicyCreateBasicX509()
        var optionalTrust: SecTrust?
        let certArray = [rootCert]
        status = SecTrustCreateWithCertificates(certArray as CFArray,
                                                policy,
                                                &optionalTrust)
        guard status == errSecSuccess, let trust = optionalTrust else {
            return
        }
        var trustResult = SecTrustResultType.invalid
        status = SecTrustEvaluate(trust, &trustResult)
        // noErr only means the evaluation ran; the verdict is in trustResult.
        if status == noErr && (trustResult == .unspecified || trustResult == .proceed) {
            print("Trust root certificate success")
        } else {
            print("Trust Fail (status \(status), result \(trustResult.rawValue))")
        }
    } catch {
        print("Unable to read root certificate")
    }
}
```

Currently, I am installing the root certificate via Safari or Mail. Also, my root certificate is self-signed. I am aware that certificate trust will be enabled only if it is signed by a trusted CA, but how can I add it to iOS Profile & Device Management at least?

Any help is appreciated, Thanks in advance!!!
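As an added example (not the poster's code and not Apple sample code), the Swift below shows why the SecItemAdd path in the question never changes what Safari sees: it performs the same add, then evaluates the root once against the device Trust Store and once with the root pinned as an app-local anchor. The resource name rootcertificate.der and the label come from the question; the RootTrustCheck type and checkRootTrust function are names chosen here.

```swift
import Foundation
import Security

/// Outcome of adding a root to the app keychain and asking the system
/// whether it trusts that root.
struct RootTrustCheck {
    let addStatus: OSStatus      // result of SecItemAdd
    let trustedBySystem: Bool    // evaluation against the device Trust Store only
    let trustedAsAppAnchor: Bool // evaluation with the root pinned as an app-local anchor
}

/// Mirrors the question's installCertificate(), then evaluates trust twice.
func checkRootTrust(derData: Data) -> RootTrustCheck? {
    guard let cert = SecCertificateCreateWithData(nil, derData as CFData) else {
        return nil
    }
    // SecItemAdd stores the certificate in this app's keychain. It does not
    // install a configuration profile and does not change
    // Settings > General > About > Certificate Trust Settings.
    let query: [CFString: Any] = [kSecClass: kSecClassCertificate,
                                  kSecValueRef: cert,
                                  kSecAttrLabel: "My Certificate"]
    var addStatus = SecItemAdd(query as CFDictionary, nil)
    if addStatus == errSecDuplicateItem { addStatus = errSecSuccess }

    var trustRef: SecTrust?
    guard SecTrustCreateWithCertificates(cert, SecPolicyCreateBasicX509(), &trustRef) == errSecSuccess,
          let trust = trustRef else {
        return nil
    }
    // Pass 1: built-in system anchors plus any root the user has explicitly
    // trusted via a profile. A self-signed root that is not in the device
    // Trust Store fails here regardless of what SecItemAdd returned.
    let systemTrusted = SecTrustEvaluateWithError(trust, nil)

    // Pass 2: pin the root as an anchor for this trust object. This is the only
    // programmatic trust an app can grant, and it applies solely to evaluations
    // the app itself performs, never to Safari or other apps.
    _ = SecTrustSetAnchorCertificates(trust, [cert] as CFArray)
    let appTrusted = SecTrustEvaluateWithError(trust, nil)

    return RootTrustCheck(addStatus: addStatus,
                          trustedBySystem: systemTrusted,
                          trustedAsAppAnchor: appTrusted)
}

// Usage with the DER file from the question's bundle.
if let url = Bundle.main.url(forResource: "rootcertificate", withExtension: "der"),
   let der = try? Data(contentsOf: url),
   let result = checkRootTrust(derData: der) {
    print("SecItemAdd:", result.addStatus)
    print("trusted by device Trust Store:", result.trustedBySystem)
    print("trusted as app-local anchor:", result.trustedAsAppAnchor)
}
```

For a self-signed root that was never installed and trusted through a profile, the first evaluation reports false and the second true, which is the gap the question is running into.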
Answered by Systems Engineer in 617940022
For iOS, using Personal VPN (NEVPNManager), my recommendation would be to use a root certificate that is already included in the device Trust Store.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
For my understanding, you are able to install the root certificate with SecItemAdd successfully, but when attempting to use the root with your identity, it is not recognized. Is that correct?

Also, if your devices are managed, have you seen the CertificateRoot profile payload?


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
I am trying to connect to the VPN using identityData and identityDataPassword (located in my app bundle), which does connect my VPN. But it doesn't allow me to surf the internet, because the certificate (PEM/DER) is not added to Profile & Trust Store and the browser gives me an SSL error. So I tried to include the DER file in my app bundle and used SecItemAdd and SecTrustEvaluate to install it under iOS Device Profile & Settings and Trust Store. The above code executes with noErr status, but it doesn't add it to Profiles & Trust on the device. How can I add that certificate? Can you please guide me.

Thanks in advance