Is it possible to *ask* the user to install my certificate?
Again, this breaks down by platform:
On iOS there’s no direct way to add a trusted root certificate. The best you can do is put the certificate into a configuration profile, put that configuration profile on a server somewhere, and open its URL. That will bounce to Safari, which will bounce to the profile ingestion subsystem, which will ask the user whether they want to install the profile.
One drawback with this approach is that the profile ingestion subsystem won’t bounce back to your app when it’s done.
On macOS you can add the certificate to the keychain via standard keychain APIs and then change its trust settings via the trust settings API, <Security/SecTrustSettings.h>. This will trigger an authentication dialog.
(And if it's possible, since this is a VPN app, I need other applications such as Safari to also use this certificate)
Once a certificate is installed as a trusted root it will be consulted by all trust evaluations (on macOS this is scoped to the current user unless you configure it globally, which IIRC requires actual privilege escalation).
Whether this stuff is allowed by App Review is a different question. And if App Review isn’t a concern for you (because you’re deploying via enterprise deployment) then you really are barking up the wrong tree here. In an enterprise environment your trusted root certificate should be installed via MDM.
Which brings me back to my original point:
If you’re deploying to normal users via the App Store, you should change your infrastructure to use certificates issued by a CA that’s trusted by default.
If you’re deploying to enterprise users, you should deploy your enterprise’s trusted root via MDM.
Thus, my general recommendation is that you avoid going down this path entirely.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
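The following is an added example, not part of the original post or any Apple code: a small Python audit that lists the certificate payloads inside a configuration profile before anyone installs it, so the fingerprint can be compared with the CA you expect. It assumes an unsigned `.mobileconfig` (a plain property list; a signed profile is CMS-wrapped and must be unwrapped first), and the function names, the sample profile and the placeholder certificate bytes are all constructed for illustration.

```python
import hashlib
import plistlib
import ssl

# Certificate payload types in Apple configuration profiles.
CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1",
              "com.apple.security.pem"}
# Constructed placeholder bytes standing in for a DER certificate.
SAMPLE_DER = b"\x30\x82\x01\x0a" + b"constructed-not-a-real-certificate"


def to_der(blob):
    """Normalise a PEM or DER payload to DER so fingerprints compare."""
    text = blob.strip()
    if text.startswith(b"-----BEGIN CERTIFICATE-----"):
        return ssl.PEM_cert_to_DER_cert(text.decode("ascii"))
    return blob


def audit_profile(profile_bytes):
    """List certificate payloads in an unsigned .mobileconfig (a plist)."""
    findings = []
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype not in CERT_TYPES:
            continue
        der = to_der(payload.get("PayloadContent", b""))
        findings.append({
            "name": payload.get("PayloadDisplayName", "(unnamed)"),
            "is_root_payload": ptype == "com.apple.security.root",
            "sha256": hashlib.sha256(der).hexdigest(),
        })
    return findings


def build_sample_profile(cert_bytes=SAMPLE_DER):
    """Constructed profile: one root payload plus one unrelated payload."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.vpn.trust",
        "PayloadContent": [
            {"PayloadType": "com.apple.security.root",
             "PayloadDisplayName": "Example VPN Root CA",
             "PayloadContent": cert_bytes},
            {"PayloadType": "com.example.unrelated"},
        ],
    })

if __name__ == "__main__":
    print(audit_profile(build_sample_profile()))
```

The SHA-256 value is computed over the DER bytes, so it matches the fingerprint shown for the same certificate whether the profile stores it as DER or PEM.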