Certificate installation for iPhone and iPod Touch

Installation of certificates as described below has been possible since iPhone OS 2.0.

Step 1: Install authority certificate

Tap CSAIL's authority certificate. Because you're accessing a bare certificate over the web, you should expect a warning like "authenticity cannot be verified." It'll also ask for your passcode, if set. You're done when you see "Profile Installed."

Step 2: Install personal certificate

The iPhone cannot generate its own personal certificates, so the standard process (second link on CertificatesIntro) will not work. Instead, you need to transfer valid certificates from elsewhere. We recommend Firefox.

  1. First, set up your CSAIL email account on the iPhone. (GenericMailConfigurationInfo should help; note that the iPhone already defaults to using SSL.)
  2. Second, create an iPhone passcode: Tap Settings -> General -> Passcode Lock. If you don't do this, someone who ends up with your lost or stolen iPhone can impersonate you with your certificate.
  3. In Firefox, go to Tools/Options (Firefox/Preferences on a Mac), then Advanced.
  4. Click Encryption, then View Certificates
  5. Select your CSAIL certificate. Verify that it's within "MIT Computer Science and Artificial Intelligence Lab", and that it has not yet expired.
  6. Click Backup and save your certificate in the default format (PKCS #12, .p12), providing passwords as necessary.
  7. Email the resulting .p12 file to yourself at your @csail.mit.edu address.
  8. Using the iPhone, open the email and click the .p12 attachment. Tap Install and enter the "certificate password" you just set.
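
The checks in step 5 (issuing authority and expiry) can be repeated on the exported .p12 file itself before it is emailed in step 7. The following is an added example, not part of the original instructions; it assumes the openssl command-line tool is installed, and the function name check_p12, the variable P12_PASS and the file name backup.p12 are hypothetical.

```sh
#!/bin/sh
# Added example: inspect a PKCS #12 backup before emailing it.
# Assumption: the backup password is supplied in the environment variable
# P12_PASS so that it does not appear on the command line.
#
# Usage (backup.p12 is a hypothetical file name):
#   P12_PASS='...' check_p12 backup.p12 "MIT Computer Science and Artificial Intelligence Lab"

check_p12() {
    p12=$1
    expected_org=$2   # text that must appear in the issuer name

    # Extract only the client certificate; -nokeys means the private key
    # is never written out in the clear.
    cert=$(openssl pkcs12 -in "$p12" -clcerts -nokeys \
               -passin env:P12_PASS 2>/dev/null) || {
        echo "FAIL: cannot open $p12 (wrong password or not PKCS #12)"
        return 2
    }

    # Issuer check, as in step 5.
    issuer=$(printf '%s\n' "$cert" | openssl x509 -noout -issuer 2>/dev/null) \
        || issuer=""
    case $issuer in
        *"$expected_org"*) ;;
        *) echo "FAIL: unexpected issuer: $issuer"; return 3 ;;
    esac

    # -checkend 0 exits non-zero if the certificate has already expired.
    if ! printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null 2>&1
    then
        echo "FAIL: certificate has expired"
        return 4
    fi

    # Show what is about to be installed on the phone.
    printf '%s\n' "$cert" | openssl x509 -noout -subject -enddate
    echo "OK: issued by expected authority and not expired"
    return 0
}
```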

Limitations

  • The iPhone's Safari does not appear to handle a certain subtype of certificate authentication (Options SSLVerifyClient Optional), and thus you may not be able to access some certificate-protected pages, including event advertisements on www.csail.mit.edu.
  • While the iPhone allows you to install more than one client certificate, installing MIT client certs alongside CSAIL client certs is not recommended. If you really think you need this, please consider:
    • For every https:// site that you visit, Safari will ask you which certificate to use -- but the two choices listed will be indistinguishable (each will just list your name).
    • Most major MIT sites are currently inaccessible to the iPhone because of the SSLVerifyClient Optional incompatibility described above (including SAPweb, certain Library sites, and Stellar). No known workaround as of 14 Jul 2008.
    • Occasional users may find it useful to install MIT certificates on-the-fly to access a particular site and uninstall them when done accessing that site. MIT client certificates can be installed directly from iphone.mit.edu (instead of using the .p12 import sequence described above). (This process involves generating a private key for you on the iphone.mit.edu server, so those who are extremely security-conscious may not want to do this.)

Additional notes

To verify or remove certificates, navigate to Settings/General/Profiles (second-to-last item).