EAP-TLS w/ Certificate on iPhone


This topic contains 4 replies, has 0 voices, and was last updated by  ptaylor 9 years, 12 months ago.

Viewing 6 posts - 1 through 6 (of 6 total)
  • #41130

    ptaylor
    Member

    Hi – Been a long time!

    I recently got a new iPhone and have been trying to get it working with my WPA Enterprise wireless setup, backed by Zeroshell. I can get it to work properly just by entering a username and password, but I’d rather use certificates, if at all possible. You can’t configure it this way via the phone, but Apple provides a utility just for such purposes.

    Using the iPhone Configuration Utility, I can create a profile. In this profile, I can add in a CA certificate and a user certificate. I exported both from ZeroShell and added them to the profile along with the SSID of my network and set the profile to use EAP-TLS. My problem is that when I attempt to load the profile on the iPhone, it prompts me for a password for the user certificate. Thinking that perhaps this is the password for the user associated with the certificate, I tried that password, but it failed. Another post here on the forum seemed to indicate that user certificates in ZeroShell were exported with no password. The iPhone won’t let me continue without a password, so I’m stuck.

    Is there any way to export a user certificate with a password? Or has someone else already run into this and fixed it?

    Thanks,
    Paul

    #46749

    imported_fulvio
    Participant

    The current release does not allow specifying a passphrase to protect the private key related to the personal certificate. I will try to solve this problem in the next release.
    At the moment you can just use openssl suite commands to encrypt the private key associated with an X.509 certificate.
    Let me know whether the iPhone uses base64 (.pem) or PKCS#12 certificate format, and I will post the command to do it.

    Regards
    Fulvio

    #46750

    ptaylor
    Member

    Sounds good – It uses pkcs12 (though I think it may also be able to use .pem).

    For a long term fix, it would be nice to have the user’s password be the passphrase that the cert is protected with by default (selectable via a checkbox). I don’t know if the passwords are stored in such a way that you can get them back, though, so that may not be possible (if you are keeping PWs in a one-way hashed form).

    I had never thought about it until now, but from a security standpoint, having certs exported with passphrases makes sense. That way if they are distributed insecurely (like via email) and fall into the wrong hands, they aren’t compromised. Of course, if the sender also includes the passphrase in the email, it wouldn’t matter. 🙂 Unfortunately, I’ve seen things like that happen in my work environment.

    #46751

    imported_fulvio
    Participant

    Ok, you are right. I will use the user password as passphrase. Thanks for the suggestion.

    Now, to import the certificate in your iPhone, you could:

    – export the certificate in .pem format (e.g. fulvio.pem)
    – using openssl, convert it to PKCS#12 with a passphrase:

    openssl pkcs12 -export -in fulvio.pem -out fulvio.pfx

    Of course you will be asked for the passphrase.

    Regards
    Fulvio
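The conversion Fulvio describes, worked through end to end as an added example (this is not code from the thread or from ZeroShell). Since a reader will not have a ZeroShell export at hand, the script first builds a throw-away CA and user certificate with openssl so that the PEM-to-PKCS#12 step can be tried offline; the file names, the test passphrase and the subject names are all constructed for the example. The last two functions are the checks a practitioner wants before handing the bundle to a phone: the MAC verifies only with the right passphrase, and the CA certificate travels inside the bundle alongside the user certificate.

```shell
#!/bin/sh
# Added example: PEM (cert + private key) -> passphrase-protected PKCS#12,
# plus verification. Not part of the ZeroShell project or the forum post.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for what ZeroShell exports: a CA certificate and a
# user certificate whose .pem carries the certificate and its private key.
make_test_pem() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=test-user" \
    -keyout "$WORK/user.key" -out "$WORK/user.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/user.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 1 -out "$WORK/user.crt" >/dev/null 2>&1
  # The exported .pem has the user certificate first, then the private key.
  cat "$WORK/user.crt" "$WORK/user.key" > "$WORK/user.pem"
}

# Wrap the user certificate, its private key and the CA certificate into one
# PKCS#12 file protected by a passphrase. "pass:" is used here so the script
# runs unattended; interactively, omit -passout and answer the prompt, or use
# -passout file:..., so the passphrase never appears in the process list.
pem_to_pkcs12() {
  in_pem="$1"; ca_pem="$2"; out_pfx="$3"; pass="$4"
  openssl pkcs12 -export -in "$in_pem" -certfile "$ca_pem" \
    -out "$out_pfx" -passout "pass:$pass"
}

# Exit 0 only if the bundle's integrity MAC verifies under this passphrase.
pkcs12_opens_with() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Number of certificates inside the bundle (user cert + CA cert = 2).
pkcs12_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

make_test_pem
pem_to_pkcs12 "$WORK/user.pem" "$WORK/ca.crt" "$WORK/user.pfx" "correct horse battery"

if pkcs12_opens_with "$WORK/user.pfx" "correct horse battery"; then
  echo "bundle opens with the right passphrase"
fi
if pkcs12_opens_with "$WORK/user.pfx" "wrong passphrase"; then
  echo "unexpected: bundle opened with the wrong passphrase"
else
  echo "wrong passphrase is rejected"
fi
echo "certificates in bundle: $(pkcs12_cert_count "$WORK/user.pfx" "correct horse battery")"
```

Two practical notes. Bundling the CA with `-certfile` is what lets the device build the chain for the user certificate, so include it rather than relying on the CA being installed separately. And OpenSSL 3 changed the default PKCS#12 encryption (AES-256-CBC with PBKDF2 and a SHA-256 MAC); an older importer that only understands the previous RC2/3DES-based defaults needs the bundle written with `openssl pkcs12 -export -legacy` on OpenSSL 3, which in turn requires the legacy provider to be available.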

    #46752

    ptaylor
    Member

    That worked perfectly. My iPhone is now connected to my local WiFi network with EAP-TLS.

    Thanks!

    #46753

    dan
    Member

    Hi all,

    Just want to ask, when you’ve finished installing your certificate on the iPhone, does the iPhone recognize the certificate as a signed or an unsigned certificate?

    Because on mine, it shows Unsigned certificate, even though I’ve installed it properly. Does anyone know how to make it a signed certificate?

    Any info would help

    Thanks

    Dan
