Certificate installation for iPhone, iPad, and iPod Touch

Installation of certificates as described below has been possible since iPhone OS 2.0, and applies to current iOS versions as of 7/1/2012.

Step 1: Install authority certificate

Tap CSAIL's current authority certificate. Because you're accessing a bare certificate over the web, you should expect a warning like "authenticity cannot be verified." It will also ask for your passcode, if set. You're done when you see "Profile Installed." You will also need the Client CA certificate; install it by following the same procedure.

Step 1.5: Create an iPhone passcode

If you don't do this, someone who ends up with your lost or stolen iPhone can impersonate you with your certificate.
  • For passable security (4 digit code): tap Settings -> General -> Passcode Lock.
  • For better security (5+ digits): tap longerpasscode.mobileconfig. This configuration profile unlocks the iPhone's ability to use variable-length numeric passcodes, and will immediately prompt you for a new passcode. It may also lock down settings for "Auto-Lock" and "Passcode timeout".
  • (Alternatively, you can choose alphanumeric passwords, but we've found them prohibitively difficult to enter in everyday use.)

Step 1.75: Encrypt your iPhone backups

If you don't do this, your certificate will be stored in plaintext on your hard disk and in any backups of it, including Time Machine. Directions are at http://support.apple.com/kb/ht1766 -> About syncing and backups -> Encrypted backups.

Step 2: Install personal certificate

The iPhone cannot generate its own personal certificates, so the standard process (second link on CertificatesIntro) will not work. Instead, you need to transfer valid certificates from elsewhere. We recommend Firefox.
  1. Confirm that you can access CSAIL email on the iPhone. Apple iOS Mail should help, or as a one-off you can use http://webmail.csail.mit.edu
  2. In Firefox, go to Preferences (Tools/Options on Windows), then Advanced
  3. Click Encryption, then View Certificates
  4. Select your CSAIL certificate. Verify that it's within "MIT Computer Science and Artificial Intelligence Lab", and that it has not yet expired.
  5. Click Backup and save your certificate in the default format (PKCS #12, .p12), providing passwords as necessary.
  6. Email the resulting .p12 file to yourself @csail.mit.edu
  7. On the iPhone, open the email and click the .p12 attachment. Tap Install and enter the "certificate password" you just set. The certificate will function correctly even if the confirmation screen shows "not trusted".
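
The checks from step 4 (issuer and expiry) can be repeated on the exported .p12 file itself before it is emailed. This is an added example, not part of the original page; the function names check_p12 and make_sample_p12 are hypothetical, and it assumes the organization name Firefox displays appears in the certificate's issuer field.

```bash
#!/usr/bin/env bash
# Added example: inspect an exported .p12 before mailing it (needs openssl).

# check_p12 FILE PASSWORD ISSUER_SUBSTRING [MIN_DAYS_LEFT]
# Exit status: 0 ok, 1 unreadable file or wrong password,
#              2 issuer does not contain ISSUER_SUBSTRING,
#              3 certificate expires within MIN_DAYS_LEFT days (default 0).
check_p12() {
    local file="$1" pass="$2" want="$3" days="${4:-0}" pem issuer
    # -nokeys: only the certificate is printed; the private key stays in the file.
    pem=$(P12_PASS="$pass" openssl pkcs12 -in "$file" -clcerts -nokeys \
            -passin env:P12_PASS 2>/dev/null) || return 1
    issuer=$(printf '%s\n' "$pem" |
             openssl x509 -noout -nameopt RFC2253 -issuer 2>/dev/null) || return 1
    case $issuer in
        *"$want"*) ;;
        *) return 2 ;;
    esac
    # -checkend N fails if the certificate expires within the next N seconds.
    printf '%s\n' "$pem" |
        openssl x509 -noout -checkend $((days * 86400)) >/dev/null || return 3
}

# make_sample_p12 OUT PASSWORD ORG DAYS
# Constructed input for trying the check: a throwaway self-signed certificate,
# not a real CSAIL credential.
make_sample_p12() {
    local out="$1" pass="$2" org="$3" days="$4" dir rc
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/O=$org/CN=Sample User" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null &&
    P12_PASS="$pass" openssl pkcs12 -export -inkey "$dir/key.pem" \
        -in "$dir/cert.pem" -out "$out" -passout env:P12_PASS 2>/dev/null
    rc=$?
    rm -rf "$dir"
    return $rc
}
```

The password is passed through the environment rather than on the command line so it does not show up in the process list. A .p12 written with older ciphers may need the -legacy option on the pkcs12 command when read with OpenSSL 3.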

Limitations

  • The iPhone's Safari does not appear to handle a certain subtype of certificate authentication (renegotiation), and thus some certificate-protected pages will be inaccessible to you, including event advertisements on www.csail.mit.edu.
  • While the iPhone allows you to install more than one client certificate, installing MIT client certs alongside CSAIL client certs is not recommended. If you really think you need this, please consider:
    • For every https:// site that you visit, Safari will ask you which certificate to use -- but the two choices listed may be indistinguishable (each will just list your name)
    • Most major MIT sites are currently inaccessible to the iPhone due to its incompatibility with renegotiation (including SAPweb, certain Library sites, and Stellar). No known workaround as of 14 Jul 2008.
    • Occasional users may find it useful to install MIT certificates on-the-fly to access a particular site and uninstall them when done accessing that site. MIT client certificates can be installed directly from iphone.mit.edu (instead of using the .p12 import sequence described above). (This process involves generating a private key for you on the iphone.mit.edu server, so those who are extremely security-conscious may not want to do this.)
  • Be careful not to connect your phone to a desktop/laptop running the iPhone Configuration Utility. Its automatically-installed "iPCU Certificate" will confuse Safari in similar ways to the CSAIL/Athena confusion described above -- except that there's no way to delete it short of wiping all settings and data.

Additional notes

To verify or remove certificates and passcode configurations, navigate to Settings -> General -> Profiles (second-to-last item).
Topic revision: 30 Oct 2012, GarrettWollman
 
