August 8, 2008 at 11:25 pm #41130
Hi – Been a long time!
I recently got a new iPhone and have been trying to get it working with my WPA Enterprise wireless setup, backed by Zeroshell. I can get it to work properly just by entering a username and password, but I’d rather use certificates, if at all possible. You can’t configure it this way via the phone, but Apple provides a utility just for such purposes.
Using the iPhone Configuration Utility, I can create a profile. In this profile, I can add in a CA certificate and a user certificate. I exported both from ZeroShell and added them to the profile along with the SSID of my network and set the profile to use EAP-TLS. My problem is that when I attempt to load the profile on the iPhone, it prompts me for a password for the user certificate. Thinking that perhaps this is the password for the user associated with the certificate, I tried that password, but it failed. Another post here on the forum seemed to indicate that user certificates in ZeroShell were exported with no password. The iPhone won’t let me continue without a password, so I’m stuck.
Is there any way to export a user certificate with a password? Or has someone else already run into this and fixed it?
Paul

August 9, 2008 at 8:47 am #46749
The current release does not allow specifying a passphrase to protect the private key related to the personal certificate. I will try to solve this problem in the next release.
At the moment you can just use openssl suite commands to encrypt the private key associated with an X.509 certificate.
Let me know whether the iPhone uses base64 (.pem) or pkcs12 certificate format, and I will post the command to do it.
Fulvio

August 9, 2008 at 1:29 pm #46750
Sounds good – It uses pkcs12 (though I think it may also be able to use .pem).
For a long term fix, it would be nice to have the user’s password be the passphrase that the cert is protected with by default (selectable via a checkbox). I don’t know if the passwords are stored in such a way that you can get them back, though, so that may not be possible (if you are keeping PWs in a one-way hashed form).
I had never thought about it until now, but from a security standpoint, having certs exported with passphrases makes sense. That way if they are distributed insecurely (like via email) and fall into the wrong hands, they aren’t compromised. Of course, if the sender also includes the passphrase in the email, it wouldn’t matter. 🙂 Unfortunately, I’ve seen things like that happen in my work environment.

August 9, 2008 at 7:05 pm #46751
Ok, you are right. I will use the user password as the passphrase. Thanks for the suggestion.
Now, to import the certificate in your iPhone, you could:
– export the certificate in .pem format (e.g. fulvio.pem)
– using openssl, convert it to pkcs12 with a passphrase:
openssl pkcs12 -export -in fulvio.pem -out fulvio.pfx
Of course you will be asked for the passphrase.
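The conversion Fulvio describes, as an added example (not part of his reply): a POSIX shell script that builds a throwaway CA and user certificate with openssl so it runs offline, converts the user's .pem (certificate plus private key) into a passphrase-protected PKCS#12 bundle, and checks that the bundle opens only with the right passphrase. The names demo-ca and fulvio, the file paths and the passphrase are constructed for the demo; in practice you would use the CA and user certificate exported from Zeroshell and a passphrase you hand to the user separately from the file.

```shell
#!/bin/sh
# Added example: demo of converting a PEM cert+key into a passphrase-protected
# PKCS#12 bundle with openssl. All names and the passphrase are constructed.
set -eu

WORK="${TMPDIR:-/tmp}/pkcs12-demo.$$"
mkdir -p "$WORK"

# Throwaway CA, standing in for the Zeroshell CA certificate (which you
# would export from the Zeroshell web interface instead of generating here).
make_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=demo-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Throwaway user certificate signed by the demo CA, standing in for the
# Zeroshell .pem export, which carries the certificate and its private key.
make_demo_user_pem() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=fulvio" \
    -keyout "$WORK/fulvio.key" -out "$WORK/fulvio.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/fulvio.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 30 -out "$WORK/fulvio.crt" 2>/dev/null
  cat "$WORK/fulvio.crt" "$WORK/fulvio.key" > "$WORK/fulvio.pem"
}

# The conversion from the post: PEM (cert + key) -> PKCS#12 with a passphrase.
# -passout replaces the interactive prompt so the script can run unattended;
# drop it to be prompted, as in the original command.
export_pkcs12() {   # $1 = input .pem, $2 = output .pfx, $3 = passphrase
  openssl pkcs12 -export -in "$1" -out "$2" -passout "pass:$3"
}

# Returns 0 only if the bundle's MAC verifies with the given passphrase,
# i.e. the private key inside is really protected by it.
pkcs12_opens_with() {   # $1 = .pfx, $2 = passphrase
  openssl pkcs12 -in "$1" -noout -passin "pass:$2" 2>/dev/null
}

# End-to-end run: build, convert, then confirm the right passphrase opens the
# bundle and a wrong one does not. Returns 0 on success.
run_demo() {
  make_demo_ca
  make_demo_user_pem
  export_pkcs12 "$WORK/fulvio.pem" "$WORK/fulvio.pfx" "demo-passphrase"
  pkcs12_opens_with "$WORK/fulvio.pfx" "demo-passphrase" || return 1
  if pkcs12_opens_with "$WORK/fulvio.pfx" "wrong-passphrase"; then
    return 1
  fi
  echo "fulvio.pfx written to $WORK and protected by the passphrase"
}

run_demo
```

The bundle produced this way is what the iPhone Configuration Utility asks a password for; the check with the wrong passphrase is the part worth keeping around, since an export that opens without one means the key would be readable by anyone who gets hold of the file.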
Fulvio

August 9, 2008 at 10:10 pm #46752
That worked perfectly. My iPhone is now connected to my local WiFi network with EAP-TLS.
Thanks!

March 25, 2009 at 4:35 am #46753
Just want to ask: when you’ve finished installing your certificate on the iPhone, does the iPhone recognize the certificate as unsigned or signed?
Because on mine, it shows Unsigned certificate, even though I’ve installed it properly. Does anyone know how to make it show as a signed certificate?
Any info would help