Reputation: 421
I have an iOS application that uses certificates for message signing following the Digital Signature Algorithm (DSA). In order to perform this signing, the app needs the certificate as well as the private key associated with the certificate. And, I cannot embed the certificate in the app as my customers need to be able to generate and distribute their own certificates to be used by the app whenever they need. (And, embedding a certificate would constitute a security risk anyway.)
Does anyone have any thoughts on how I might go about distributing the certificates and private keys?
PS. We do the same thing on BlackBerry and, there, we use BlackBerry Enterprise Server and APIs on the BlackBerry device to push certificates to the devices in the organization. I'm hoping there's a MDM solution to this for iOS but haven't been able to find anything yet.
Thanks much
Upvotes: 1
Views: 696
Reputation: 495
On iOS, there is no straightforward way to distribute a certificate and its private key to an app. Apple suggests using PKCS12 and provides some guidance in this document: Technical Q&A QA1745: Making Certificates and Keys Available To Your App.
Upvotes: 2
Reputation: 5046
You ask:
Does anyone have any thoughts on how I might go about distributing the certificates and private keys?
I'm sorry I don't know enough about your specific situation to tell you exactly how to meet your requirement, but I can tell you that's not how it's usually done. Instead the public/private key pair is normally generated on the device, then the public key (only) is submitted with additional data (in a Certificate Signing Request, CSR, for example), to a server (Certification Authority, CA), which generates the certificate and returns it to the requester (and possibly publishes it in a directory).
An important security benefit to this approach is that no third party has access to the private key (the CA needs the public key and doesn't need the private key). This is required for non-repudiation (so the device owner can't claim someone got his private key from the central server).
Upvotes: 2
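The enrollment flow the answer above describes, as an added example that is not part of the question or either answer, written against Go's standard library so it runs without third-party packages. The "device" generates its key pair locally and sends only a CSR (subject plus public key, signed with the private key as proof of possession); the "CA" checks that signature, issues a certificate chained to its own self-signed root, and a relying party verifies a message signature using only the certificate and the root. Assumptions: ECDSA P-256 stands in for the DSA keys in the question because Go's x509 package cannot sign certificates with DSA; the CA name, the device subject and the message are constructed sample values; the function names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mintCert signs tmpl under parent with signerKey and returns the parsed certificate.
func mintCert(tmpl, parent *x509.Certificate, pub interface{}, signerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newCA is the server side: a self-signed issuing CA. It never holds any device key.
func newCA() (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"}, // constructed name
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	cert, err := mintCert(tmpl, tmpl, &key.PublicKey, key)
	return key, cert, err
}

// issue validates a DER-encoded CSR and returns a certificate for the public key it carries.
func issue(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, csrDER []byte) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	// The CSR is signed with the requester's private key; checking that signature proves
	// possession of the key without the CA ever seeing it.
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR proof-of-possession failed: %w", err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // random 128-bit serial
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: csr.Subject, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(90 * 24 * time.Hour),
	}
	return mintCert(tmpl, caCert, csr.PublicKey, caKey)
}

// enroll is the device side: generate the key pair locally and send only a CSR to the CA.
func enroll(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, commonName string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // never leaves the device
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}}, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := issue(caKey, caCert, csr) // only the CSR (public key + subject) crosses to the CA
	return key, cert, err
}

// deviceSign signs a message with the device-held key (SHA-256 digest, ECDSA).
func deviceSign(key *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// verifyMessage is the relying party: chain cert to the trusted root, then check the signature.
func verifyMessage(cert, root *x509.Certificate, msg, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return err
	}
	pub, _ := cert.PublicKey.(*ecdsa.PublicKey) // nil if the certificate does not carry an ECDSA key
	digest := sha256.Sum256(msg)
	if pub == nil || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("signature does not verify under the certificate's public key")
	}
	return nil
}
```

To drive it, call `newCA`, then `enroll(caKey, caCert, "device-0001")`, sign with `deviceSign` and check with `verifyMessage(cert, caCert, msg, sig)`; a tampered message, or a certificate issued by a different CA, makes `verifyMessage` return an error. The point the answer makes is visible in the signatures: `issue` receives only the CSR bytes, so the CA side has no code path that ever touches the device's private key.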