Technology Blog

Apple iDevice EAP “Certificate Validation” Challenges

by Gstefanik, 04-12-2013 10:13 AM

You fire up your iPad, connect to your EAP-secured wireless network, and you are presented with the “Validate Certificate” screen!

My RADIUS certificate is signed by a reputable CA. Why am I getting this popup?

CEOs, managers and users are being presented with the popup and are asking IT why. I did some investigation. First I needed to confirm which CAs are in the certificate store on the device. Apple publishes this information at the link below; it is a rather extensive CA list.

http://support.apple.com/kb/ht5012

Brief Caption:

iOS 5 and iOS 6: List of available trusted root certificates

Summary

These trusted root certificates are preinstalled with iOS 5 and iOS 6. When IT administrators create Configuration Profiles for iPhone, iPad,  or iPod touch using the iPhone Configuration Utility, these certificates do not need to be included.

Products Affected

iPad, iPhone, iPod touch

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=JP, O=JPKI, OU=Prefectural Association For JPKI, OU=BridgeCA
        Validity
            Not Before: Dec 27 05:08:15 2003 GMT
            Not After : Dec 26 14:59:59 2013 GMT
        Subject: C=JP, O=JPKI, OU=Prefectural Association For JPKI, OU=BridgeCA

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 946059622 (0x3863b966)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=Entrust.net, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Certification Authority (2048)
        Validity
            Not Before: Dec 24 17:50:51 1999 GMT
            Not After : Dec 24 18:20:51 2019 GMT
        Subject: O=Entrust.net, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Certification Authority (2048)

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 57923 (0xe243)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AT, O=A-Trust Ges. für Sicherheitssysteme im elektr. Datenverkehr GmbH, OU=A-Trust-Qual-01, CN=A-Trust-Qual-01
        Validity
            Not Before: Nov 30 23:00:00 2004 GMT
            Not After : Nov 30 23:00:00 2014 GMT
        Subject: C=AT, O=A-Trust Ges. für Sicherheitssysteme im elektr. Datenverkehr GmbH, OU=A-Trust-Qual-01, CN=A-Trust-Qual-01

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 57928 (0xe248)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AT, O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH, OU=A-Trust-Qual-02, CN=A-Trust-Qual-02
        Validity
            Not Before: Dec  2 23:00:00 2004 GMT
            Not After : Dec  2 23:00:00 2014 GMT
        Subject: C=AT, O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH, OU=A-Trust-Qual-02, CN=A-Trust-Qual-02

Certificate:

I reached out to a number of colleagues in the industry and all reported the same issue. One colleague in particular, Cesar, directed me to another Apple link that clarified my understanding of the issue.

http://support.apple.com/kb/HT1978

Brief Caption:

iOS: Install profiles with CA Certificates to simplify enterprise Wi-Fi connection process

Summary

For a number of enterprise Wi-Fi connection types, IT administrators will deploy profiles they create with iPhone Configuration Utility to automate and/or restrict user Wi-Fi connections. Including the CA Certificate for these connections will remove the users' need to verify that they trust the Certificate(s) provided each time they reconnect to Wi-Fi. CA Certificates and Trust settings can be provided within configuration profiles.

Clearly an Apple issue. It would appear that Apple requires you to validate each EAP server certificate individually. For example, if you have 5 RADIUS servers in your enterprise, you will be asked to validate all 5 certificates at some point as your client roams the enterprise.

There is a workaround to this issue, as described in the Apple article: you can configure wireless profiles and include the CA certificate for the EAP servers, together with the trust settings, in the profile. By doing so the user will not be presented with the certificate popup when connecting.
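
The profile-based workaround the Apple article describes, as an added Python example that is not from the post or from Apple: it builds a .mobileconfig containing a com.apple.security.root payload carrying the RADIUS CA and a com.apple.wifi.managed payload whose EAPClientConfiguration anchors trust to that CA and names the servers the device should expect, so the device validates the server certificate itself instead of asking the user. The CA bytes, SSID, server names and the com.example identifier naming are constructed placeholders.

```python
import plistlib
import uuid

# Constructed placeholder: a real profile carries the DER bytes of the CA that signed the RADIUS servers' certificates.
FAKE_CA_DER = b"CONSTRUCTED-NOT-A-REAL-DER-CERT"

def build_wifi_profile(ssid, ca_der, trusted_server_names):
    """Return .mobileconfig bytes that install the CA and pin EAP server trust to it."""
    ca_uuid = str(uuid.uuid4()).upper()
    wifi_uuid = str(uuid.uuid4()).upper()
    cert_payload = {                          # installs the CA as a trusted root
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.ca." + ca_uuid,     # assumed naming
        "PayloadUUID": ca_uuid,
        "PayloadContent": ca_der,             # plistlib serialises bytes as <data>
    }
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.wifi." + wifi_uuid,
        "PayloadUUID": wifi_uuid,
        "SSID_STR": ssid,
        "EncryptionType": "WPA",              # "WPA" selects the WPA family (incl. WPA2)
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [25],           # 25 = PEAP
            # Only chains ending in the CA payload above are acceptable ...
            "PayloadCertificateAnchorUUID": [ca_uuid],
            # ... and only for server certificates matching these names.
            "TLSTrustedServerNames": list(trusted_server_names),
            # No trust exceptions: an unexpected server fails instead of prompting.
            "TLSAllowTrusted": False,
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.corp-wifi",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadContent": [cert_payload, wifi_payload],
    }
    return plistlib.dumps(profile)            # XML plist; save as .mobileconfig

def anchors_resolve(mobileconfig):
    """True if every EAP anchor UUID names a certificate payload in the same profile and server names are set."""
    payloads = plistlib.loads(mobileconfig)["PayloadContent"]
    certs = {p["PayloadUUID"] for p in payloads if p["PayloadType"] == "com.apple.security.root"}
    eaps = [p["EAPClientConfiguration"] for p in payloads if p["PayloadType"] == "com.apple.wifi.managed"]
    return all(set(e["PayloadCertificateAnchorUUID"]) <= certs and bool(e.get("TLSTrustedServerNames")) for e in eaps)
```

Without a resolvable anchor and an expected server name the device has nothing to validate the EAP server against, which is exactly the situation in which it falls back to asking the user.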

 

Note: My MAC behaves the same way as well 

 

 

What has been your experience? Your feedback is appreciated!

Comments

Guru Elite

Thanks for the article, Gstefanik!

My experience is that it always asks, regardless... which almost nullifies the reason why you would get a publicly signed CA certificate... (my opinion). A lot of people chase this and it drives them crazy. Thanks for the post!
