Some time ago I published a post that describes the new rules a certificate has to follow to be accepted by Apple’s current devices (iPhone, iPad, macOS PCs). Besides some rules about algorithms and bit length, which are usually met by all certificate authorities, there are some requirements you will probably not notice at first glance. A certificate generated after July 1st 2019 must not be valid for longer than 825 days, and the certificate must contain the value “Server Authentication” (OID 1.3.6.1.5.5.7.3.1) as Extended Key Usage (EKU).
In my last post I mentioned that the IP Office certificate authority is able to create certificates that work with iPhones and other Apple devices. That was only half the truth, because only IP Office servers (Server Edition or Application Server) on at least release 184.108.40.206 create valid certificates.
Another thing is that the way to establish a certificate authority (CA) as trustworthy on Apple devices has become less intuitive than before.
There are two main issues with the IPO CA up to 220.127.116.11.
- The default lifetime of an IPO generated certificate is 2555 days (7 years).
- The required EKU value “Server Authentication” (serverAuth) is missing.
The first one is just something you have to know: you can adjust the lifetime in the certificate generation web form. Nevertheless it would be nice to see a working default value in the form.
The second one is harder, because the form doesn’t offer an option to set the EKU value.
You have to know that the certificate generation web form does nothing more than run a script with the parameters you entered. That script just collects the given values, creates a temporary OpenSSL config file and creates the certificate. And that’s where we can make the necessary adjustments.
Open /opt/Avaya/scripts/gen_certs.sh with nano:
Search for the first occurrence of ‘DEFAULT_SERVER’ by pressing Ctrl+W and entering the search string followed by Enter.
You should see the line showing that the default lifetime is calculated as seven years:
DEFAULT_SERVER_CERT_VALIDITY=$((365*7)) # 7 years
Adjust that line to have default validity of 820 days:
DEFAULT_SERVER_CERT_VALIDITY=$((820)) # 820 days
Now search for the occurrence of ‘if $EXTENDED_CSR’ with Ctrl+W. There you will see how the certificate config is created. Below the last ‘echo’ line of this block:
  echo "[ v3_req ]" >> $EXT_FILE
  echo "basicConstraints = $CA" >> $EXT_FILE
  echo "keyUsage = $KEY_USAGE" >> $EXT_FILE
  echo "subjectAltName = $SUBJECT_ALT_NAME" >> $EXT_FILE
  echo "subjectKeyIdentifier = hash" >> $EXT_FILE
else
Add a new line so that it looks like this:
  echo "[ v3_req ]" >> $EXT_FILE
  echo "basicConstraints = $CA" >> $EXT_FILE
  echo "keyUsage = $KEY_USAGE" >> $EXT_FILE
  echo "subjectAltName = $SUBJECT_ALT_NAME" >> $EXT_FILE
  echo "subjectKeyIdentifier = hash" >> $EXT_FILE
  echo "extendedKeyUsage = serverAuth,clientAuth" >> $EXT_FILE
else
That’s all. Save the file with Ctrl+X followed by Y to confirm overwriting.
Now step into the settings webpage and open the certificate generation form.
You will see that the default lifetime now is 820 days.
A newly created certificate now has a valid lifetime AND the EKU is set as needed by Apple devices.
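To check that result on any OpenSSL-based system, here is an added shell script that is not part of gen_certs.sh or of this post's original content: it writes the same [ v3_req ] section the adjusted script emits, issues a self-signed test certificate with the 820-day default, and checks the lifetime and the EKU against the two Apple rules. It assumes openssl and GNU date are on the PATH; the [ req ] header, the sample CN, SAN and keyUsage values are constructed so the script runs stand-alone.

```shell
#!/bin/sh
# Added example, not Avaya's gen_certs.sh: rebuild the extension file the patched
# script writes, issue a test certificate with the new 820-day default, and check
# it against the two Apple rules (lifetime <= 825 days, EKU contains serverAuth).
# Assumes openssl and GNU date; [ req ] header, CN, SAN and keyUsage are constructed.
MAX_DAYS=825                              # Apple limit for certs issued after 2019-07-01
DEFAULT_SERVER_CERT_VALIDITY=$((820))     # the adjusted default from the script
# write_ext_file FILE: emit the [ v3_req ] section exactly as the patched script does
write_ext_file() {
  EXT_FILE=$1
  CA="CA:FALSE"                                        # constructed sample values
  KEY_USAGE="digitalSignature, keyEncipherment"
  SUBJECT_ALT_NAME="DNS:ipoffice.example.invalid"
  # minimal [ req ] header so 'openssl req' accepts this file as its config
  printf '[ req ]\ndistinguished_name = req_dn\n[ req_dn ]\n' > "$EXT_FILE"
  echo "[ v3_req ]" >> "$EXT_FILE"
  echo "basicConstraints = $CA" >> "$EXT_FILE"
  echo "keyUsage = $KEY_USAGE" >> "$EXT_FILE"
  echo "subjectAltName = $SUBJECT_ALT_NAME" >> "$EXT_FILE"
  echo "subjectKeyIdentifier = hash" >> "$EXT_FILE"
  echo "extendedKeyUsage = serverAuth,clientAuth" >> "$EXT_FILE"   # the line added above
}
# issue_test_cert EXTFILE OUT.pem DAYS: self-signed cert carrying the v3_req extensions
issue_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2" \
    -subj "/CN=ipoffice.example.invalid" -days "$3" \
    -config "$1" -extensions v3_req 2>/dev/null
}
# check_apple_rules CERT.pem: returns 0 only if both Apple requirements are met
check_apple_rules() {
  nb=$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)
  na=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  days=$(( ( $(date -d "$na" +%s) - $(date -d "$nb" +%s) ) / 86400 ))
  if [ "$days" -gt "$MAX_DAYS" ]; then
    echo "FAIL: lifetime of $days days exceeds $MAX_DAYS"; return 1
  fi
  if ! openssl x509 -in "$1" -noout -text | grep -q "TLS Web Server Authentication"; then
    echo "FAIL: extendedKeyUsage serverAuth missing"; return 1
  fi
  echo "OK: $days days, serverAuth present"
}
if command -v openssl >/dev/null 2>&1; then
  TMP=$(mktemp -d)
  write_ext_file "$TMP/ext.cnf"
  issue_test_cert "$TMP/ext.cnf" "$TMP/test.pem" "$DEFAULT_SERVER_CERT_VALIDITY"
  check_apple_rules "$TMP/test.pem"
  rm -rf "$TMP"
fi
```

Running check_apple_rules against a certificate issued with the old 2555-day default reports the lifetime failure, which is the quickest way to spot an IPO server whose script was reverted by an upgrade.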
Trust root certificate with iPhone
Now that you have valid certificates for the IP Office services, you have to ensure that they are trusted by your iPhone. That’s done by marking the issuing certificate authority as trustworthy.
Go to the certificate generation web form and find the button to download the root certificate.
You can now send the certificate to the phone and open the file. You will get a notice that the certificate has been loaded and that you have to check the “profile” in the Settings app. As soon as you open Settings, you can tap on “Profile loaded”,
and you will see that the certificate is still not validated; tap on “Install”.
When the installation is done you will see the new certificate authority as an installed profile. While this was enough up to iOS 12, you now have to do another step.
Go back to “Settings”, tap on “General” and then on “About”. Now scroll down to the bottom of this screen, where you will find “Certificate trust settings”. Here you can set the new certificate authority as trusted.
Now, and not earlier, your iPhone trusts the IP Office certificate authority and any valid certificate this CA creates.
Certificates are created using OpenSSL, which has all the needed capabilities.
A certificate is created through a human-readable script that is easy to adjust.
Adjusting the script gives older IPO servers the ability to generate the needed certificates, and you will hopefully be able to connect the customer’s Apple devices to IP Office.
Please be aware that an upgrade to any release below 18.104.22.168 will potentially overwrite the adjusted script, and you will have to apply the change again.
If you need further help with certificates, just contact me.
If you need further help with IP Office you can contact me through my main website: https://www.fwilke.com/home