Re: How to register a client cert for use with a specific SSL server?
- Subject: Re: How to register a client cert for use with a specific SSL server?
- From: Ken McLeod <email@hidden>
- Date: Thu, 26 Jul 2012 18:35:00 -0700
The mechanism for this is called an "identity preference". It's stored as a keychain item, and is basically a mapping from a name to a preferred identity (the client certificate you want to use.)
#include <Security/SecIdentity.h>
// 'identity' is a SecIdentityRef you already hold (the client cert plus its private key)
CFStringRef name = CFSTR("https://url.for.some.domain/that.needs.clientauth/");
OSStatus status = SecIdentitySetPreferred(identity, name, NULL); // NULL keyUsage: any usage
You can also use the 'security set-identity-preference' command. In Terminal, 'man security' and search for that command to see the rules for how the name is matched; partial-path matches and wildcards can be used.
-ken
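Added example, not code from Ken's reply or from TouchDB: a small Objective-C program that looks up an existing identity in the keychain, registers it as the preferred identity for one HTTPS origin, and reads the preference back the way CFNetwork would when a server requests a client certificate. The subject substring "client.example" and the URL are placeholders; the program assumes such an identity is already installed in the login keychain. Binding the preference to the full URL (rather than a bare host) keeps the identity from being offered to other services on the same host.

```objective-c
// Build (macOS): clang -fobjc-arc -framework Foundation -framework Security idpref.m -o idpref
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Find one identity whose certificate subject contains the given substring.
// Returns a +1 reference the caller must CFRelease, or NULL if none matches.
static SecIdentityRef CopyIdentityWithSubject(NSString *subjectSubstring) {
    NSDictionary *query = @{
        (id)kSecClass:               (id)kSecClassIdentity,
        (id)kSecMatchSubjectContains: subjectSubstring,
        (id)kSecReturnRef:           @YES,
        (id)kSecMatchLimit:          (id)kSecMatchLimitOne,
    };
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status != errSecSuccess) {
        NSLog(@"SecItemCopyMatching failed: %d", (int)status);
        return NULL;
    }
    return (SecIdentityRef)result;
}

// Compare two identities by their leaf certificate (SecCertificateRef implements CFEqual on DER bytes).
static BOOL IdentitiesMatch(SecIdentityRef a, SecIdentityRef b) {
    SecCertificateRef ca = NULL, cb = NULL;
    BOOL same = NO;
    if (SecIdentityCopyCertificate(a, &ca) == errSecSuccess &&
        SecIdentityCopyCertificate(b, &cb) == errSecSuccess) {
        same = CFEqual(ca, cb);
    }
    if (ca) CFRelease(ca);
    if (cb) CFRelease(cb);
    return same;
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        // Placeholder origin; the preference name is matched against the URL being loaded.
        CFStringRef name = CFSTR("https://url.for.some.domain/that.needs.clientauth/");

        SecIdentityRef identity = CopyIdentityWithSubject(@"client.example"); // placeholder subject
        if (!identity) return 1;

        // Register the preference. NULL keyUsage means it applies regardless of key usage.
        OSStatus status = SecIdentitySetPreferred(identity, name, NULL);
        if (status != errSecSuccess) {
            NSLog(@"SecIdentitySetPreferred failed: %d", (int)status);
            CFRelease(identity);
            return 1;
        }

        // Read it back: NULL keyUsage and NULL validIssuers, i.e. no further filtering.
        SecIdentityRef preferred = SecIdentityCopyPreferred(name, NULL, NULL);
        BOOL ok = preferred != NULL && IdentitiesMatch(preferred, identity);
        NSLog(@"preference for %@ %@", (__bridge NSString *)name, ok ? @"resolves to our identity" : @"NOT found");

        if (preferred) CFRelease(preferred);
        CFRelease(identity);
        return ok ? 0 : 2;
    }
}
```

The same preference can be created without code via `security set-identity-preference -s <name> -c <certificate name>` and inspected with `security get-identity-preference -s <name>`; `man security` describes how a name with a partial path or wildcard is matched.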
On Jul 26 2012 03:02 PM, Jens Alfke wrote:
> When making an NSURLConnection to a server that requires an SSL client cert, is there any way to configure the NSURLCredentialStore or the Keychain so that CFNetwork can figure out which identity to use on its own, without having to ask the delegate?
>
> It seems like this should be possible, since NSURLCredentialStore can be used to register a traditional username/password credential for a particular server, such that the delegate doesn't have to look it up. But this doesn't seem to work if you try to register a client-cert credential instead — the delegate gets called anyway.
>
> I ask because I'm writing a library (TouchDB) that makes HTTP connections and needs to work with all types of auth. Its API doesn't allow for callbacks to client code, though, which makes auth kind of tricky. The programming model is that it expects the developer to have used NSURLCredentialStore to register credentials beforehand, so that CFNetwork can use them without having to ask TouchDB itself. But while this works fine for HTTP auth, it doesn't for client-side SSL certs.
>
> (Disclaimer: I am told by developers that client cert registration with the credential store doesn't work. I have not reproduced this myself, because I don't currently have access to a server that's configured for client auth.)
>
> —Jens
Macnetworkprog mailing list (email@hidden)