
Apple iDevice EAP “Certificate Validation” Challenges

By George Stafanick, Blog Contributor

You fire up your iPad, connect to your EAP-secured wireless network, and you are presented with the "Validate Certificate" screen!

My RADIUS certificate is signed by a reputable CA. Why am I getting this popup?

CEOs, managers and users are being presented with the popup, questioning IT and asking WHY. I did some investigation. I needed to confirm the certificate store on the device. Apple publishes this information at the link below. It is a rather extensive CA list.

http://support.apple.com/kb/ht5012

Brief Caption:

iOS 5 and iOS 6: List of available trusted root certificates

 

Summary

These trusted root certificates are preinstalled with iOS 5 and iOS 6. When IT administrators create Configuration Profiles for iPhone, iPad,  or iPod touch using the iPhone Configuration Utility, these certificates do not need to be included.

Products Affected

iPad, iPhone, iPod touch

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=JP, O=JPKI, OU=Prefectural Association For JPKI, OU=BridgeCA
        Validity
            Not Before: Dec 27 05:08:15 2003 GMT
            Not After : Dec 26 14:59:59 2013 GMT
        Subject: C=JP, O=JPKI, OU=Prefectural Association For JPKI, OU=BridgeCA

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 946059622 (0x3863b966)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=Entrust.net, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Certification Authority (2048)
        Validity
            Not Before: Dec 24 17:50:51 1999 GMT
            Not After : Dec 24 18:20:51 2019 GMT
        Subject: O=Entrust.net, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Certification Authority (2048)

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 57923 (0xe243)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AT, O=A-Trust Ges. für Sicherheitssysteme im elektr. Datenverkehr GmbH, OU=A-Trust-Qual-01, CN=A-Trust-Qual-01
        Validity
            Not Before: Nov 30 23:00:00 2004 GMT
            Not After : Nov 30 23:00:00 2014 GMT
        Subject: C=AT, O=A-Trust Ges. für Sicherheitssysteme im elektr. Datenverkehr GmbH, OU=A-Trust-Qual-01, CN=A-Trust-Qual-01

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 57928 (0xe248)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AT, O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH, OU=A-Trust-Qual-02, CN=A-Trust-Qual-02
        Validity
            Not Before: Dec  2 23:00:00 2004 GMT
            Not After : Dec  2 23:00:00 2014 GMT
        Subject: C=AT, O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH, OU=A-Trust-Qual-02, CN=A-Trust-Qual-02

I reached out to a number of colleagues in the industry and all reported the same issue. One colleague in particular, Cesar, directed me to another Apple link that clarified my understanding of the issue.

http://support.apple.com/kb/HT1978 

Brief Caption:

iOS: Install profiles with CA Certificates to simplify enterprise Wi-Fi connection process

 

Summary

For a number of enterprise Wi-Fi connection types, IT administrators will deploy profiles they create with iPhone Configuration Utility to automate and/or restrict user Wi-Fi connections. Including the CA Certificate for these connections will remove the users' need to verify that they trust the Certificate(s) provided each time they reconnect to Wi-Fi. CA Certificates and Trust settings can be provided within configuration profiles.

 

So this is iOS behaviour, not a problem with the certificate: a RADIUS certificate that chains to a root in the iOS trust store is not, by itself, enough for an EAP connection. Unlike HTTPS, the supplicant has no server name to match the certificate against, so a public-CA signature alone would let any certificate issued by that CA pass; instead, iOS asks the user to accept each RADIUS server certificate the first time it is presented. For example, if you have 5 RADIUS servers in your enterprise, each with its own certificate, you will be asked to validate all 5 certificates at some point as your client roams the enterprise.

There is a workaround, as described in the Apple article above: deploy a Wi-Fi configuration profile that carries the CA certificate which issued the RADIUS server certificates and references it as the trust anchor for the EAP connection, and list the names in the RADIUS server certificates as trusted server names so that only those servers are accepted. Users who install the profile are not presented with the certificate popup when connecting, and they cannot be talked into accepting a rogue RADIUS server's certificate on an evil-twin network, because the profile, not the user, decides what is trusted.
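As an added example (not code from the original post or from Apple), the script below builds such a profile with Python's standard plistlib, using the Wi-Fi payload keys from Apple's Configuration Profile Reference (PayloadCertificateAnchorUUID and TLSTrustedServerNames under EAPClientConfiguration, and a com.apple.security.root payload for the CA). It also includes an audit function that flags profiles which still leave the device prompting. The SSID, server names, identifier prefix and the CA bytes are placeholders I made up; the CA bytes are not a real certificate and would be read from the CA's DER file in practice.

```python
import plistlib
import uuid

# Constructed stand-in for the DER-encoded CA certificate that issued the
# RADIUS servers' EAP certificates. These bytes are a placeholder, not a real
# certificate; a real deployment reads the CA's .cer/.der file instead:
#     ca_der = open("corp-radius-ca.cer", "rb").read()
PLACEHOLDER_CA_DER = b"\x30\x82\x01\x00placeholder-der-certificate-bytes"

# Assumed reverse-DNS prefix for payload identifiers (any unique string works).
ORG_PREFIX = "com.example.wifi"

# Payload types that carry a certificate and can therefore act as an EAP anchor.
CERT_PAYLOAD_TYPES = {
    "com.apple.security.root",
    "com.apple.security.pem",
    "com.apple.security.pkcs1",
}


def _uuid():
    return str(uuid.uuid4()).upper()


def build_profile(ca_der, ssid, trusted_server_names, pin_ca=True,
                  eap_types=(25,), org_prefix=ORG_PREFIX):
    """Return a .mobileconfig (XML plist) as bytes.

    pin_ca=True  : embed the CA, make it the anchor for the EAP TLS handshake and
                   restrict the accepted server certificate names. This is the
                   configuration that stops the certificate prompt.
    pin_ca=False : Wi-Fi payload with no anchor; the device keeps prompting.
    eap_types    : EAP method numbers; 25 = PEAP, 13 = EAP-TLS, 21 = EAP-TTLS.
    """
    payloads = []
    eap = {"AcceptEAPTypes": list(eap_types)}

    if pin_ca:
        ca_uuid = _uuid()
        payloads.append({
            "PayloadType": "com.apple.security.root",
            "PayloadVersion": 1,
            "PayloadIdentifier": f"{org_prefix}.ca",
            "PayloadUUID": ca_uuid,
            "PayloadDisplayName": "Corporate RADIUS CA",
            "PayloadCertificateFileName": "corp-radius-ca.cer",
            "PayloadContent": ca_der,          # plistlib writes bytes as <data>
        })
        # Only chains ending at this CA are trusted for the EAP server...
        eap["PayloadCertificateAnchorUUID"] = [ca_uuid]
        # ...and only these server certificate names are accepted. Without this
        # list any certificate chaining to the anchor passes, which for a public
        # CA means any certificate that CA ever issued to anyone.
        eap["TLSTrustedServerNames"] = list(trusted_server_names)

    payloads.append({
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_prefix}.{ssid}",
        "PayloadUUID": _uuid(),
        "PayloadDisplayName": f"Wi-Fi ({ssid})",
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": False,
        "AutoJoin": True,
        "EncryptionType": "WPA2",   # WPA2-Enterprise once EAPClientConfiguration is set
        "ProxyType": "None",
        "EAPClientConfiguration": eap,
    })

    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_prefix}.profile",
        "PayloadUUID": _uuid(),
        "PayloadDisplayName": f"Enterprise Wi-Fi: {ssid}",
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile)


def audit_profile(profile_bytes):
    """Check each Wi-Fi payload pins EAP server trust. Returns [(ssid, [problems])]."""
    plist = plistlib.loads(profile_bytes)
    payloads = plist.get("PayloadContent", [])
    cert_uuids = {p["PayloadUUID"] for p in payloads
                  if p.get("PayloadType") in CERT_PAYLOAD_TYPES}
    findings = []
    for p in payloads:
        if p.get("PayloadType") != "com.apple.wifi.managed":
            continue
        eap = p.get("EAPClientConfiguration", {})
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        names = eap.get("TLSTrustedServerNames", [])
        problems = []
        if not anchors:
            problems.append("no PayloadCertificateAnchorUUID: device will prompt the user to trust the RADIUS server certificate")
        elif not set(anchors) <= cert_uuids:
            problems.append("PayloadCertificateAnchorUUID does not match a certificate payload in this profile")
        if not names:
            problems.append("no TLSTrustedServerNames: any server certificate chaining to the anchor is accepted")
        findings.append((p.get("SSID_STR"), problems))
    return findings


if __name__ == "__main__":
    servers = ["radius1.corp.example.com", "radius2.corp.example.com"]
    good = build_profile(PLACEHOLDER_CA_DER, "CorpWiFi", servers)
    with open("CorpWiFi.mobileconfig", "wb") as f:
        f.write(good)
    print("pinned profile:  ", audit_profile(good))
    print("unpinned profile:", audit_profile(build_profile(PLACEHOLDER_CA_DER, "CorpWiFi", servers, pin_ca=False)))
```

The names in TLSTrustedServerNames must match what the RADIUS servers actually put in their certificates, so list every server (or a wildcard such as *.corp.example.com) rather than only the one you tested against, otherwise roaming to the other servers fails instead of prompting. The audit function is useful for profiles exported from a management tool: a Wi-Fi payload with credentials but no anchor is exactly the case in which users keep seeing the popup.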

Note: My Mac behaves the same way.

What has been your experience? Your feedback is appreciated!