Keychain Issues - Adding self signed root cert

Discussion in 'Mac Programming' started by Cromulent, Jan 10, 2010.

  1. Cromulent (thread starter), #1
    I'm trying to find a way to add a self-signed root certificate to the Keychain on both a Mac and an iPhone. From reading the docs it seems pretty much exactly the same process for each, so this question is as relevant here as in the iPhone forum.

    Anyway here is the situation:

    A Java web service running inside the Glassfish 3 application server communicating with Mac OS X clients and iPhone clients over an SSL-secured connection using a self-signed certificate generated from a self-signed root certificate. Obviously, because the root certificate is unknown, the connection brings up the warning that the certificate cannot be validated.

    I need to automatically add the password-protected p12 root certificate stored in the application bundle into the keychain so that it can validate the SSL certificate that the server uses to encrypt communication between itself and the clients.

    Obviously, by using the application the user has given implicit trust to the connection (it is obviously an internet-based app), and also because the whole system is closed (as in run by myself), as long as both ends validate against the same self-signed root certificate I can be sure that no tampering is going on.

    What is the best way to get the root certificate, and thus automatic trust of my own self-signed certificates, into Keychain without a load of security prompts? I've looked through the Apple documentation extensively and have started to implement various ways of doing this, including SecAddItem(), SecPKCS12Import() and another way which I forget now. But none of them ended up with a solution I could make work.

    Can anyone point me in the right direction at all please with this?

    Thanks.
     
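Editor's note, added here and not part of the original thread: the post above asks how to import a p12 root into the keychain so the server's certificate validates. The approach most practitioners take instead is to leave the system trust store alone and pin the bundled root as the only anchor for each connection's trust evaluation. It works the same way on Mac OS X and on the iPhone, writes nothing to the keychain and raises no prompts. The example below is illustrative code written for this note (not Cromulent's or Apple's), for manual retain/release as was usual in 2010; under ARC the toll-free CF casts need `(__bridge ...)`. Assumed names: the resource `MyRootCA.cer`, the host `service.example.com`, and the class and function names. One caveat: bundle only the DER-encoded public root certificate, never the p12, since the p12 carries the root's private key and anyone with the app bundle could then mint certificates your clients would trust. On current systems `SecTrustEvaluateWithError` and `NSURLSession` replace the calls used here, but the anchor logic is unchanged.

```objective-c
// PinnedRootConnection.m -- example code, not from the original thread.
// Accepts the server's certificate only if it chains to the self-signed
// root shipped in the app bundle; the system keychain is not touched.
// Manual retain/release; under ARC add (__bridge ...) to the CF casts.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Assumed resource: the root CA's public certificate only, DER encoded
// (MyRootCA.cer). Do not ship the root's private key (the .p12) in the client.
static NSString * const kRootCertResource = @"MyRootCA";

// Load the bundled root as a SecCertificateRef. Caller releases. NULL if missing.
static SecCertificateRef LoadBundledRoot(void) {
    NSString *path = [[NSBundle mainBundle] pathForResource:kRootCertResource ofType:@"cer"];
    NSData *der = path ? [NSData dataWithContentsOfFile:path] : nil;
    if (!der) return NULL;
    return SecCertificateCreateWithData(NULL, (CFDataRef)der);
}

// Evaluate the server's trust object against our root and nothing else.
// YES only if the presented chain is valid (signatures, validity dates,
// hostname per the trust policy) and terminates at the bundled root.
static BOOL ServerTrustChainsToBundledRoot(SecTrustRef trust) {
    SecCertificateRef root = LoadBundledRoot();
    if (!root) return NO;   // no pinned root available: fail closed
    CFArrayRef anchors = CFArrayCreate(NULL, (const void **)&root, 1, &kCFTypeArrayCallBacks);

    BOOL ok = NO;
    if (SecTrustSetAnchorCertificates(trust, anchors) == errSecSuccess &&
        SecTrustSetAnchorCertificatesOnly(trust, true) == errSecSuccess) {
        SecTrustResultType result = kSecTrustResultInvalid;
        if (SecTrustEvaluate(trust, &result) == errSecSuccess) {
            // Unspecified: valid chain to an anchor, no explicit user setting.
            // Proceed: valid, and the user has explicitly marked it trusted.
            ok = (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);
        }
    }
    CFRelease(anchors);
    CFRelease(root);
    return ok;
}

@interface PinnedRootConnectionDelegate : NSObject
@end

@implementation PinnedRootConnectionDelegate

// Ask NSURLConnection to hand server-trust challenges to us; everything
// else (e.g. HTTP Basic) keeps the framework's default handling.
- (BOOL)connection:(NSURLConnection *)connection
canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace {
    return [[protectionSpace authenticationMethod] isEqualToString:NSURLAuthenticationMethodServerTrust];
}

- (void)connection:(NSURLConnection *)connection
didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    NSURLProtectionSpace *space = [challenge protectionSpace];
    if ([[space authenticationMethod] isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        SecTrustRef trust = [space serverTrust];
        if (ServerTrustChainsToBundledRoot(trust)) {
            [[challenge sender] useCredential:[NSURLCredential credentialForTrust:trust]
                   forAuthenticationChallenge:challenge];
            return;
        }
    }
    // Not our root, a broken chain, or an unexpected method: refuse.
    [[challenge sender] cancelAuthenticationChallenge:challenge];
}

- (void)connection:(NSURLConnection *)connection didFailWithError:(NSError *)error {
    NSLog(@"connection failed: %@", error);
}

- (void)connectionDidFinishLoading:(NSURLConnection *)connection {
    NSLog(@"connection finished over a chain validated against the bundled root");
}

@end

// Usage with an assumed host. Under MRC the caller owns the returned
// connection and the delegate it passes in.
NSURLConnection *StartPinnedRequest(PinnedRootConnectionDelegate *delegate) {
    NSURL *url = [NSURL URLWithString:@"https://service.example.com/api"];
    NSURLRequest *request = [NSURLRequest requestWithURL:url];
    return [[NSURLConnection alloc] initWithRequest:request delegate:delegate];
}
```

Because `SecTrustSetAnchorCertificatesOnly(trust, true)` disables the system roots for this evaluation, a certificate issued by a public CA is rejected just like an unknown self-signed one, which is the property the post is after: only chains ending at your own root pass. The same `ServerTrustChainsToBundledRoot` check can be reused unchanged for the server side if the clients present certificates too.
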
  2. Cromulent (thread starter), #2
    I'm still finding this somewhat baffling. The terminology used in this area is a little odd, to say the least.

    For instance, when it talks about identities, does it mean a personally generated certificate for the current user of the application, or does it mean a general certificate that is included with the application?

    Any suggestions?
     