I am using a client-side Cloudflare certificate to allow or disallow access to a self-hosted application, based on whether a Cloudflare client certificate is installed on the client device.
My access application is configured to only allow access for “valid certificate” users.
The same certificate works on my desktop browser, but none of my iOS devices (iPad and iPhone) are able to use the certificate; they cite the error “The authenticity of ‘Cloudflare’ cannot be verified”. This error comes up when installing the profile. And of course the browser cannot access the site, since there is no exchange of the client certificate during the handshake.
I found suggestions regarding manual trust activation for the installed certificate, however I do not see my certificate listed there in order to toggle the trust setting there. Any help would be appreciated!
The root cause of the compatibility issue with P12 files in macOS Keychain Access, particularly when those files are created using newer versions of OpenSSL, lies in the differences between the cryptographic libraries used by OpenSSL and those used by macOS (specifically, LibreSSL).
Root Cause
Cryptographic Differences: OpenSSL 3.x introduced changes to its default cryptographic methods, which are not fully compatible with the LibreSSL version used by macOS. The key change is in the default encryption algorithms and the way P12 files are packaged. LibreSSL, used by macOS Keychain Access, does not support some of the newer encryption algorithms or changes introduced in OpenSSL 3.x.
Password Handling and Encryption Algorithms: When a P12 file is created using OpenSSL 3.x, it might use encryption methods that are not recognized or supported by LibreSSL, leading to errors such as “incorrect password” during import, even though the correct password is provided.
Affected Versions
macOS: The issue is prominent in macOS versions that rely on LibreSSL for cryptographic functions. This includes macOS 13.x (Ventura) and potentially other versions that utilize the same cryptographic library.
iOS: Although the specific iOS versions are not directly cited in the sources, the underlying cryptographic issues would similarly affect iOS versions that share the same cryptographic foundation as the affected macOS versions.
Specific OpenSSL Versions
OpenSSL 3.x: The compatibility issues are specifically associated with P12 files created using OpenSSL 3.x due to the changes in cryptographic methods. These changes are not backward-compatible with the older methods expected by LibreSSL, leading to the issues with macOS Keychain Access.
Workaround
Use of the -legacy flag: To create P12 files compatible with macOS Keychain Access, it is recommended to use the -legacy flag when generating the P12 file with OpenSSL. This flag ensures that the P12 file uses older, more compatible encryption methods.
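As an added example (not part of the thread above, and not Cloudflare's or OpenSSL's own tooling), the script below exports a key and certificate into a PKCS#12 file with the legacy algorithms and then reads the algorithm identifiers back out of the file, so you can confirm what a given .p12 actually contains before trying to install it on an Apple device. It assumes the `openssl` CLI is on the PATH; the self-signed key pair, file names and password are constructed for the demo and stand in for the Cloudflare-issued client certificate. Because OpenSSL 1.1.1 does not know the -legacy option (and already writes the SHA-1/RC2/3DES form by default), the flag is only added when a 3.x build is detected.

```shell
#!/bin/sh
# Added example, not from the original thread: export a PKCS#12 bundle in the
# legacy form that Keychain Access / iOS accept, and verify the algorithms used.
set -eu

# Only OpenSSL 3.x needs (and understands) -legacy; 1.1.1 is legacy by default.
legacy_flag() {
  case "$(openssl version 2>/dev/null)" in
    "OpenSSL 3."*) printf '%s' "-legacy" ;;
    *) printf '' ;;
  esac
}

# Constructed demo material: a throwaway self-signed key pair standing in for
# the real Cloudflare client certificate.  $1 = working directory.
make_demo_keypair() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=demo-client" -keyout "$1/client.key" -out "$1/client.crt" 2>/dev/null
}

# The workaround from the answer: export with the older PBE algorithms
# (pbeWithSHA1And40BitRC2-CBC for the certificate bag, 3DES for the key, SHA-1 MAC).
# $1 = key, $2 = cert, $3 = output .p12, $4 = password
export_p12_legacy() {
  # shellcheck disable=SC2046  # empty expansion is intended on 1.1.1
  openssl pkcs12 -export $(legacy_flag) -inkey "$1" -in "$2" \
    -out "$3" -passout "pass:$4"
}

# Same export with OpenSSL's current defaults (PBES2/AES-256-CBC, SHA-256 MAC on 3.x),
# i.e. the form the answer says Keychain Access rejects.  Same arguments.
export_p12_default() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4"
}

# Print the MAC and PBE algorithm lines recorded in a .p12.  OpenSSL writes the
# -info report to stderr, hence 2>&1; -legacy is needed on 3.x to open RC2 bags.
# $1 = .p12 file, $2 = password
p12_algorithms() {
  # shellcheck disable=SC2046
  openssl pkcs12 -info -noout $(legacy_flag) -in "$1" -passin "pass:$2" 2>&1 \
    | grep -E '^(MAC:|PKCS7 Encrypted data:|Shrouded Keybag:)'
}

# Exit 0 when every bag uses a SHA-1 based PBE and the MAC is SHA-1, which is
# the shape the -legacy flag produces; exit 1 for the modern PBES2/AES form.
# $1 = .p12 file, $2 = password
p12_is_legacy() {
  algs="$(p12_algorithms "$1" "$2")"
  [ -n "$algs" ] || return 1
  ! printf '%s\n' "$algs" | grep -qvE 'pbeWithSHA1And|^MAC: sha1,'
}

# Stand-alone demonstration: build both variants and report which one is legacy.
run_demo() {
  dir="$(mktemp -d)"
  make_demo_keypair "$dir"
  export_p12_legacy  "$dir/client.key" "$dir/client.crt" "$dir/legacy.p12"  "demo-password"
  export_p12_default "$dir/client.key" "$dir/client.crt" "$dir/default.p12" "demo-password"
  for f in legacy.p12 default.p12; do
    echo "== $f"
    p12_algorithms "$dir/$f" "demo-password"
    if p12_is_legacy "$dir/$f" "demo-password"; then
      echo "-> legacy PBE: should import into Keychain Access / iOS"
    else
      echo "-> modern PBE: re-export with -legacy before installing on Apple devices"
    fi
  done
  rm -rf "$dir"
}

run_demo
```

Run it as `sh export_legacy_p12.sh`; for a real client certificate, call `export_p12_legacy` with your own key and certificate files. `p12_is_legacy` is the check worth keeping: run it against any .p12 that iOS refuses, and if it reports the modern PBES2/AES form, the -legacy re-export is the fix the answer describes.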