0
votes

I am using NEVPNManager & IKEV2 certificate as my authentication method for connecting to the VPN. I am able to connect to the VPN. Below mentioned is my sample block of code.

import NetworkExtension

// The protocol object is assumed to be created earlier in the same function
// (the question only shows the certificate part of the configuration).
let ikev2 = NEVPNProtocolIKEv2()
ikev2.authenticationMethod = .certificate

guard let path = Bundle.main.path(forResource: VPNConstants.certificateName, ofType: ".p12") else {
    fatalError("Unable to find Certificate")
}
do {
    // Load the PKCS#12 bundle (client certificate plus private key) from the app bundle.
    let data = try Data(contentsOf: URL(fileURLWithPath: path), options: .mappedIfSafe)
    ikev2.identityData = data
} catch {
    fatalError("Unable to read Certificate")
}
ikev2.identityDataPassword = VPNConstants.password

I tried to install the root certificate using the SecCertificateCreateWithData and SecItemAdd methods from the Security framework. I don't get any errors installing the certificate, but it doesn't appear in my iOS Profile & Device Management or Trust Store. Below is the block of code I am using for the same.

import Security

fileprivate func installCertificate() {
    guard let path = Bundle.main.path(forResource: "rootcertificate", ofType: "der") else {
        return
    }

    do {
        let data = try Data(contentsOf: URL(fileURLWithPath: path), options: .mappedIfSafe)
        var status: OSStatus = noErr
        guard let rootCert = SecCertificateCreateWithData(nil, data as CFData) else {
            return
        }

        // SecItemAdd stores the certificate in this app's keychain only; it does not
        // touch the system trust store shown under Profile & Device Management.
        let addquery: [String: Any] = [kSecClass as String: kSecClassCertificate,
                                       kSecValueRef as String: rootCert,
                                       kSecAttrLabel as String: "My Certificate"]
        status = SecItemAdd(addquery as CFDictionary, nil)
        if status == noErr {
            print("Install root certificate success")
        } else if status == errSecDuplicateItem {
            print("duplicate root certificate entry")
        } else {
            print("install root certificate failure")
        }

        // Evaluate the certificate on its own against the basic X.509 policy.
        let policy = SecPolicyCreateBasicX509()
        var optionalTrust: SecTrust?
        let certArray = [rootCert]
        status = SecTrustCreateWithCertificates(certArray as CFArray,
                                                policy,
                                                &optionalTrust)
        guard status == errSecSuccess, let trust = optionalTrust else {
            return
        }
        var trustResult = SecTrustResultType.invalid
        status = SecTrustEvaluate(trust, &trustResult)
        print(trust)
        // A successful status only means the evaluation ran; the verdict is in
        // trustResult. A self-signed root that is not in the trust store typically
        // comes back as .recoverableTrustFailure here.
        if status == noErr && (trustResult == .unspecified || trustResult == .proceed) {
            print("Trust root certificate success")
        } else {
            print("Trust Fail")
        }
    } catch {
        print("Trust root certificate failure")
    }
}

Currently, I am installing the root certificate via Safari or Mail. Also, my root certificate is self-signed. I am aware that certificate trust will be enabled only if it is signed by a trusted CA, but how can I add it to iOS Profile & Device Management at least?

Any help is appreciated, Thanks in advance!!!


1 Answer

0
votes

After a lot of research and surfing, I came to the conclusion that Apple doesn’t allow you to install root certificates programmatically. For iOS, using Personal VPN (NEVPNManager), we should use a root certificate that is already included in the device Trust Store.
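The following is an added example (not code from the question or the answer above) that illustrates the boundary both posts run into: an app can make its own SecTrust evaluation trust a self-signed root by passing that root as an anchor with SecTrustSetAnchorCertificates, but that trust lives only inside that SecTrust object. The system trust store, which is what Settings shows under Profiles & Device Management and what the system's own IKEv2 negotiation for NEVPNManager relies on, is neither consulted (when anchors-only is set) nor modified, so this does not substitute for a root that is already trusted on the device. The file names "server.der" and the hostname are assumptions for the example; "rootcertificate.der" matches the question. SecTrustEvaluateWithError requires iOS 12 or later.

```swift
import Foundation
import Security

/// Outcome of evaluating a certificate against an explicitly supplied anchor.
enum AnchorCheck: Equatable {
    case trusted
    case notTrusted(String)
}

/// Evaluate `leafDER` with `rootDER` as the only trusted anchor.
/// The trust established here exists only inside this SecTrust object: the
/// device trust store is not consulted (anchors-only) and is not changed.
func evaluate(leafDER: Data, rootDER: Data, hostname: String?) -> AnchorCheck {
    guard let leaf = SecCertificateCreateWithData(nil, leafDER as CFData) else {
        return .notTrusted("leaf is not a DER-encoded certificate")
    }
    guard let root = SecCertificateCreateWithData(nil, rootDER as CFData) else {
        return .notTrusted("root is not a DER-encoded certificate")
    }

    // With a hostname the TLS policy also checks the server name; without one,
    // only basic X.509 path validation (validity period, signatures, chaining).
    let policy: SecPolicy
    if let hostname = hostname {
        policy = SecPolicyCreateSSL(true, hostname as CFString)
    } else {
        policy = SecPolicyCreateBasicX509()
    }

    var optionalTrust: SecTrust?
    var status = SecTrustCreateWithCertificates([leaf] as CFArray, policy, &optionalTrust)
    guard status == errSecSuccess, let trust = optionalTrust else {
        return .notTrusted("SecTrustCreateWithCertificates failed: \(status)")
    }

    // Pin this evaluation to our root and ignore the built-in roots entirely.
    status = SecTrustSetAnchorCertificates(trust, [root] as CFArray)
    guard status == errSecSuccess else {
        return .notTrusted("SecTrustSetAnchorCertificates failed: \(status)")
    }
    status = SecTrustSetAnchorCertificatesOnly(trust, true)
    guard status == errSecSuccess else {
        return .notTrusted("SecTrustSetAnchorCertificatesOnly failed: \(status)")
    }

    // Unlike SecTrustEvaluate, this call returns the verdict directly and
    // reports the reason for a failure in `error`.
    var error: CFError?
    if SecTrustEvaluateWithError(trust, &error) {
        return .trusted
    }
    if let error = error {
        return .notTrusted(CFErrorCopyDescription(error) as String)
    }
    return .notTrusted("evaluation failed without an error")
}

/// Load the two DER files from the app bundle and run the check.
/// "server" is an assumed file name for this example; "rootcertificate"
/// is the name used in the question.
func checkBundledChain(leafName: String = "server",
                       rootName: String = "rootcertificate",
                       hostname: String? = nil) -> AnchorCheck {
    guard let leafURL = Bundle.main.url(forResource: leafName, withExtension: "der"),
          let rootURL = Bundle.main.url(forResource: rootName, withExtension: "der") else {
        return .notTrusted("certificate files missing from bundle")
    }
    do {
        let leafDER = try Data(contentsOf: leafURL)
        let rootDER = try Data(contentsOf: rootURL)
        return evaluate(leafDER: leafDER, rootDER: rootDER, hostname: hostname)
    } catch {
        return .notTrusted("could not read certificate files: \(error)")
    }
}
```

Calling `checkBundledChain(hostname: "vpn.example.com")` from app code returns `.trusted` when the bundled leaf chains to the bundled self-signed root and matches the name, even though that root is not in the device trust store. Running the question's `installCertificate()` before or after this makes no difference to the result, and neither call adds anything under Profiles & Device Management, which is the practical meaning of the answer: the app's own trust evaluation and the system-level trust that the VPN handshake uses are separate, and only the latter can be satisfied by a root the device already trusts.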