Client Certificate Error on iOS Device

I am using a client-side Cloudflare certificate to allow or disallow access to a self-hosted application based on a Cloudflare client certificate being installed on the client device.

My access application is configured to only allow access for “valid certificate” users.

The same certificate works on my desktop browser, but none of my iOS devices (iPad and iPhone) are able to use the certificate; they cite the error “The authenticity of ‘Cloudflare’ cannot be verified”. This error appears when installing the profile. And of course the browser cannot access the site, since there is no exchange of the client certificate during the handshake.

I found suggestions regarding manual trust activation for the installed certificate; however, I do not see my certificate listed there in order to toggle the trust setting. Any help would be appreciated!

I am experiencing the same issue on iOS.

  1. Downloaded Cloudflare_CA.crt on iOS device
  2. Accepted the certificate/profile on the device
  3. Downloaded App to the device
  4. Launched it and accepted terms & policies
  5. Signed into my team’s domain
  6. Installed VPN Profile
  7. Allowed Notifications
  8. Attempted to connect by toggling Connect on the Cloudflare Zero Trust screen

I get one of two errors at this point:

  1. “Unable to connect” SSL error, or
  2. The toggle immediately reverts (turns off) with no error message.

Hi

The root cause of the compatibility issue with P12 files in macOS Keychain Access, particularly when those files are created using newer versions of OpenSSL, lies in the differences between the cryptographic libraries used by OpenSSL and those used by macOS (specifically, LibreSSL).

Root Cause

  • Cryptographic Differences: OpenSSL 3.x introduced changes to its default cryptographic methods, which are not fully compatible with the LibreSSL version used by macOS. The key change is in the default encryption algorithms and the way P12 files are packaged. LibreSSL, used by macOS Keychain Access, does not support some of the newer encryption algorithms or changes introduced in OpenSSL 3.x.
  • Password Handling and Encryption Algorithms: When a P12 file is created using OpenSSL 3.x, it might use encryption methods that are not recognized or supported by LibreSSL, leading to errors such as “incorrect password” during import, even though the correct password is provided.

Affected Versions

  • macOS: The issue is prominent in macOS versions that rely on LibreSSL for cryptographic functions. This includes macOS 13.x (Ventura) and potentially other versions that utilize the same cryptographic library.
  • iOS: Although the specific iOS versions are not directly cited in the sources, the underlying cryptographic issues would similarly affect iOS versions that share the same cryptographic foundation as the affected macOS versions.

Specific OpenSSL Versions

  • OpenSSL 3.x: The compatibility issues are specifically associated with P12 files created using OpenSSL 3.x due to the changes in cryptographic methods. These changes are not backward-compatible with the older methods expected by LibreSSL, leading to the issues with macOS Keychain Access.

Workaround

  • Use of -legacy Flag: To create P12 files compatible with macOS Keychain Access, it is recommended to use the -legacy flag when generating the P12 file with OpenSSL. This flag ensures that the P12 file uses older, more compatible encryption methods.

If you need more detailed technical documentation or further assistance, please feel free to ask!