31 January 2012

Install a corporate PKI Root CA on iOS

Corporations often have their own internal PKI. It is often used to issue SSL certificates for non-production systems. Testing these systems with devices that are not joined to the domain may result in warnings that the certificates were not issued by a trusted Root CA. In my case I was testing a Citrix XenApp deployment and the connection was rejected because of the untrusted CA.

Exporting the Root CA
Since the corporate PKI distributes the Root CA certificate via Group Policy, the certificate is most probably on any domain-joined machine.


  • Start the MMC
  • Add the Certificates Snap-in
  • Expand Trusted Root Certification Authorities
  • Select Certificates
  • Locate and select the Corporate Root CA certificate
  • Right-click - All Tasks - Export
  • Accept the default
  • Save the file
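
The same export can be scripted in PowerShell, with a check that the selected certificate really is a self-signed CA and a fingerprint that can be compared on the device after the file has travelled by e-mail. This is an added example, not part of the original post; the subject filter and output path are placeholders.

```powershell
# Added example, not from the original post.
# $SubjectMatch and $OutFile are placeholders; adjust them for your environment.
$SubjectMatch = '*Example Corp Root CA*'
$OutFile      = Join-Path $env:USERPROFILE 'corp-root-ca.cer'

# Same store the MMC steps browse: Trusted Root Certification Authorities (Local Computer).
$found = @(Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like $SubjectMatch })
if ($found.Count -ne 1) {
    throw "Expected exactly one matching certificate, found $($found.Count). Narrow the subject filter."
}
$cert = $found[0]

# A root CA certificate is self-signed: subject and issuer are identical.
if ($cert.Subject -ne $cert.Issuer) {
    throw 'Subject and issuer differ: this is not a root certificate.'
}

# It should also carry the CA flag in the Basic Constraints extension.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not $bc -or -not $bc.CertificateAuthority) {
    Write-Warning 'Basic Constraints does not mark this certificate as a CA.'
}

if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter)."
}

# Export the public certificate only, as a DER-encoded .cer file; no private key is written.
Export-Certificate -Cert $cert -FilePath $OutFile -Type CERT | Out-Null

# For a DER export, the SHA-256 hash of the file is the certificate's SHA-256 fingerprint.
[pscustomobject]@{
    Subject  = $cert.Subject
    NotAfter = $cert.NotAfter
    SHA1     = $cert.Thumbprint
    SHA256   = (Get-FileHash -Path $OutFile -Algorithm SHA256).Hash
    File     = $OutFile
} | Format-List
```

Record the fingerprints before sending the file, and compare them with the certificate details shown on the receiving device before trusting it.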



Import the Root CA Certificate
This file now needs to be transferred to the iOS device.
I simply mailed it to myself.
Opening the file will trigger the certificate installation process.


Select Install
Select Install

Select Install Now

Enter your passcode (the same one you use to unlock your phone)
The certificate will be added and will now be trusted.

To see what other certificates or profiles have been installed on the device:
  • Select Settings
  • General
  • Profile(s)


Testing
After the cert had been installed I retried my Citrix connection and this time it succeeded without a problem.

The original error was:
Connection Error
You have not chosen to trust "xxxxxxx", the issuer of the server's security certificate.  Error Number: 183





1 comment:

Anonymous said...

An easier way to get "trusted" device certificate on iOS devices:

http://www.globalsign.com/ios-authentication
