Mutual authentication between my iPhone and webserver

Solution 1:

Apple Requirements

Apple enforces additional requirements on trusted certificates. Ensure your private Certificate Authority (CA) meets these requirements.

openssl s_server

You can confirm, and debug, that the iPhone's browsers are providing a certificate with openssl s_server.

s_server can be used to run a debugging SSL/TLS server which lets you examine the negotiation between the server and client:

  • Verify Incoming SSL Using OpenSSL S_Server
  • Using openssl s_server and openssl s_client to test client certificates

Apache httpd

For configuring Apache httpd, see Client side certificate authentication, as its author encountered the same problem:

Although the allowed CA was properly set, I got this error message:

SSL Library Error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate -- No CAs known to server for verification?

In order to solve the problem, I had to merge the certificate CA file and the certificate chain file into one file. For using client certificates with www.digicert.com, this meant:

# append the root CA and the DigiCert intermediate (issuing) CA into one bundle
cat TrustedRoot.crt >> MergedCA.crt
cat DigiCertCA.crt >> MergedCA.crt

and pointing SSLCACertificateFile to MergedCA.crt.
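The following script is an added example, not code from the answer above or from the linked articles. It reproduces the failure the answer describes with a throwaway PKI instead of DigiCert's files: it builds a private root CA and an intermediate CA with openssl, issues a client certificate (and a server certificate) from the intermediate, and then runs the same chain check a server performs against its CA file, once with only the root, once with only the intermediate, and once with the merged bundle. Only the merged bundle lets the client certificate verify, which is exactly why SSLCACertificateFile must hold the whole chain. It also contains the openssl s_server / s_client exchange from the earlier section, run with `-Verify 1` so the server demands a client certificate; that part is opt-in (set `RUN_HANDSHAKE=1`) because it opens a loopback listener. All names, subjects, the port 14433 and the `DEMO_DIR` variable are constructed for this demo, and it assumes openssl 1.1.1 or newer on the path.

```shell
#!/bin/sh
# Added example: two-level private CA, client cert, and the "merged CA file"
# check from the answer. Every name below is constructed for the demo.
set -eu

D="${DEMO_DIR:-$(mktemp -d)}"   # scratch directory for keys and certs

# issue_cert NAME SUBJECT EXTENSIONS [ISSUER]
# Writes $D/NAME.key and $D/NAME.crt. Without ISSUER the cert is self-signed
# (the root); otherwise it is signed by $D/ISSUER.key. RSA-2048 with SHA-256
# also stays within Apple's published minimums for trusted certificates.
issue_cert() {
  name=$1; subject=$2; exts=$3; issuer=${4:-}
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$subject" \
    -keyout "$D/$name.key" -out "$D/$name.csr" 2>/dev/null
  printf '%b' "$exts" > "$D/$name.ext"
  if [ -z "$issuer" ]; then
    openssl x509 -req -days 365 -sha256 -in "$D/$name.csr" \
      -signkey "$D/$name.key" -extfile "$D/$name.ext" -out "$D/$name.crt" 2>/dev/null
  else
    openssl x509 -req -days 365 -sha256 -in "$D/$name.csr" \
      -CA "$D/$issuer.crt" -CAkey "$D/$issuer.key" -CAcreateserial \
      -extfile "$D/$name.ext" -out "$D/$name.crt" 2>/dev/null
  fi
}

CA_EXT='basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n'
INT_EXT='basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n'
CLIENT_EXT='basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n'
SERVER_EXT='basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:localhost,IP:127.0.0.1\n'

build_pki() {
  issue_cert root   "/CN=demo-root"         "$CA_EXT"
  issue_cert int    "/CN=demo-intermediate" "$INT_EXT"    root
  issue_cert client "/CN=demo-client"       "$CLIENT_EXT" int
  issue_cert server "/CN=localhost"         "$SERVER_EXT" int
  # The merge step from the answer: root plus intermediate in a single file.
  cat "$D/root.crt" "$D/int.crt" > "$D/MergedCA.crt"
}

# verify_client CAFILE -> prints "ok" when the client cert chains to a
# self-signed trust anchor using only CAFILE's contents, otherwise "fail".
# This is the chain building a server does against its configured CA file.
verify_client() {
  if openssl verify -CAfile "$1" -purpose sslclient "$D/client.crt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# handshake CAFILE [client] -> starts an s_server that requires a client cert
# (-Verify 1) and connects with s_client; prints "accepted" or "rejected".
# Pass "client" to present the client cert, nothing to omit it.
handshake() {
  cafile=$1; present=${2:-}
  openssl s_server -accept 14433 -cert "$D/server.crt" -key "$D/server.key" \
    -CAfile "$cafile" -Verify 1 -www >/dev/null 2>&1 &
  srv=$!; sleep 1
  if [ -n "$present" ]; then extra="-cert $D/client.crt -key $D/client.key"; else extra=""; fi
  # shellcheck disable=SC2086   # $extra is intentionally word-split
  if openssl s_client -connect 127.0.0.1:14433 -CAfile "$D/MergedCA.crt" \
       $extra </dev/null >/dev/null 2>&1
  then result=accepted; else result=rejected; fi
  kill "$srv" 2>/dev/null; wait "$srv" 2>/dev/null || true
  echo "$result"
}

if command -v openssl >/dev/null 2>&1; then
  build_pki
  echo "root only:     $(verify_client "$D/root.crt")"      # fail: issuer (intermediate) unknown
  echo "intermediate:  $(verify_client "$D/int.crt")"       # fail: chain does not reach a root
  echo "merged bundle: $(verify_client "$D/MergedCA.crt")"  # ok
  if [ "${RUN_HANDSHAKE:-0}" = 1 ]; then
    echo "with cert:     $(handshake "$D/MergedCA.crt" client)"  # accepted
    echo "without cert:  $(handshake "$D/MergedCA.crt")"         # rejected
  fi
fi
```

The `root only` case is the state the answer's error message describes: the server trusts the root, but the client certificate was issued by the intermediate, so the server cannot build a chain and, from its side, has "no CAs known" for that certificate. The `intermediate` case fails too, because openssl (like Apache) does not accept a partial chain by default; the chain must end at a self-signed certificate in the CA file. When debugging the iPhone itself, point s_client's role at the phone instead: run only the `s_server` line against the merged bundle and watch its output for the client certificate the phone presents.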