Thread Info
  • State Suggested Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 11 replies
  • Answers 1 answer
  • Subscribers 4 subscribers
  • Views 15501 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Deploy https certificate to iOS

collinsandlacy
We deploy an iOS configuration file to all of our iOS devices. Included in the iOS config file are our certificates from our CA. It includes a user certificate for Exchange authentication and authentication to our wireless via RADIUS. In all offices users automatically authenticate to the wireless from their iOS device.

We have also deployed the Proxy CA certificate from the UTM as we have the https filtering set to scan and decrypt on our wireless network. The https certificate is deployed to all of our laptops and works with no issues.

However, on the iOS devices we still get the warning that the site certificate cannot be verified and with some sites the navigation just stops. Has anyone else seen this or have any ideas on deploying this to an iOS device?


This thread was automatically locked due to age.
  • 0
    Please give an example of a site where the certificate cannot be verified.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0
    https://www.google.com for one, but just about any site, including our own Exchange server.

    Disable scan and decrypt and all is fine. Like I  also said, works fine from the desktops, just not iOS devices. I have opened a ticket with Sophos support. They looked at the UTM and said all was correct. They are looking at it from the iOS side now. FYI, we deployed these in the past with our Cyblock proxy from Wavecrest Computing and with our SonicWalls on the iOS devices with no issues. I did not do anything different with the deployment when we switched over to Sophos UTMs.
  • 0
    It is working from my iPhone.  What happens when you install the CA from the User Portal open in Safari?
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0
    I have not tried that. No offense but I really do not want to as we use another product for our user portal and the mobile config files reside there. They have our entire organization configuration in that file and it takes merely seconds to have our iOS devices configured that way by the user. Now I could try it for testing to see is something is causing this issue.
  • 0
    Thanks for the tip. OK, I am getting somewhere. The user portal did work. So I went back and tried with the iPhone configuration file, but thought I would try something different. When you download the cert from the UTM (NOT from the user portal), it downloads the private key. Thinking about this for moment, I re-deployed the Sophos cert, but without the private key. There should be on the UTM and only one device needs that. That worked.

    New problem, my Exchange authentication broke. We only allow active sync via certificate authentication. Looks as if I need to track that down now.
  • 0
    I suspected the proxy trying to handle the certificate for Exchange rather than the regular Exchange cert. I kind of confirmed this when I went off of the wireless and Exchange worked. I exempted the servers in the Skip transparent mode destination list and now all works as expected. In my testing at first I thought I had found that the desktops need to be deployed with the private key and the iOS devices do not. That did not make sense and is not the case, the cert can be deployed to the desktops as well without the key and all is well. iOS devices definitely do not like the private key.
  • 0

    I have the exact same issue as collinsandlacy did a few years ago.  I have been using UTM for years, but I never bothered with HTTPS scanning until I got married and had a teenager move into the house.  Now we need to ensure that things aren't being done that shouldn't be done.

     

    With that said, I have enabled Decrypt and Scan, and I have imported the Web Filtering CA into my iPhone.  Everything says that it installed properly, but I still cannot get to any modern search engine from my phone... https://www.google.com, https://www.bing.com, https://www.duckduckgo.com, etc., etc.

     

    Any help with with HTTPS scanning and iOS would be GREATLY appreciated.

     

    I am running UTM 9.51 and iOS 11.4.

     

    Thank you!

  • +1 in reply to sargehendricks

    Maybe my answer comes too late, but anyway.

    It is NOT enough to import the certificate. After installing which is a simple click on the User Portal, import, confirm, etc ... you have to go to Settings -> General -> Information -> SCROLL TO THE BOTTOM ... last command should be “Configurations Certificate Trust” ... go in there and ENABLE it.

    This did the trick for me.

    Regards,

  • 0 in reply to mircevski

    Hi mircevski

    No, not at all too late; really rather astonishingly fortuitous timing, in fact! :-)

    I did not need that additional step with my iPhone 4, but I have recently procured an iPhone 6 (£99 and it has a nice new screen) so I'm now on a current iOS version. Of course, one of the first things that I did was to add my dodgy CA, but I didn't even bother to then actually test it - I just assumed that it would be working - and then whilst doing my daily forum browse, I spotted your above tip. Anyhow, I just tried the iPhone browser and sure enough, it was not actually working, so I've performed the above additional step and all is now well. Thank you very much for posting that and as I say, it was mighty fine timing, too!

    Kind regards,
    Briain

  • 0 in reply to Briain

    Hi,

    Always glad to help, since I had a hard time myself when implementing this.

    Cheers,

Unfiltered HTML