Wed, 3rd Sep 2008

Basically, it works. And it works kinda well.

I work for a CA. We have some internal systems that authenticate with client certificates over HTTPS, and I wanted to get them working on my iPhone. You know, for fun.

There’s a thread here on the Apple forums where a few users complain that certificate-based client authentication doesn’t work - so here’s how I did it.

  • You can’t request a certificate on the iPhone. Despite ‘desktop’ Safari supporting the <keygen> HTML tag, Mobile Safari doesn’t, so the key pair and the certificate have to be generated somewhere else and the whole identity (certificate plus private key) moved onto the phone.

After I figured this out, I had to find out how to get the certificate onto the phone. The Enterprise Deployment Guide pdf from Apple showed how you could get a tool to do it, how the phone would download it from a webserver, or how it could be emailed. If you go the webserver route, check it serves .p12 and .pfx files with the right MIME type (application/x-pkcs12), otherwise the phone just treats them as an unknown download and never offers to install.

So, I emailed myself a test .p12 and a test .pfx. They’re really the same PKCS#12 container under two different extensions - PFX is Microsoft’s name for it - the .pfx exported from an XP machine, the .p12 via a cert obtained in Firefox.

Tapping the file gets you a nice dialog with an ‘Install’ button, and clicking this asks for the file password (the one the PKCS#12 bundle was exported with). Once it’s installed, the certificate is visible in the ‘General’ settings area. Note that you can import root certs (certificate only, no private key) this way too, to make your own internal CA trusted by the phone.
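Here is how to mint a test identity for this setup with OpenSSL, as an added example that is not code from the original post and not the tool Apple’s guide refers to: a throwaway internal root (the cert you import on its own), a client certificate signed by it with a clientAuth EKU, and the .p12 bundle whose password the Install dialog asks for, plus the checks worth running before you mail the file to yourself. The subjects, file names and the password are made up; it needs only the openssl binary.

```shell
#!/bin/sh
# Added example (not the original post's code, nor Apple's tool): mint a test
# client identity for certificate-authenticated HTTPS with OpenSSL.
# Names, subjects and the password below are made up.
set -e

WORK=${WORK:-$(mktemp -d)}

make_ca() {
  # Self-signed internal root. ca.crt is what you import on the phone
  # (certificate only, no key) so the server's chain is trusted.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Internal Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

make_client() {
  # Key pair and CSR are generated here, since the phone cannot do <keygen>,
  # then signed by the root with an EKU that marks the cert for client auth.
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$1" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  printf 'extendedKeyUsage=clientAuth\n' > "$WORK/client.ext"
  openssl x509 -req -days 365 -sha256 -in "$WORK/client.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/client.ext" -out "$WORK/client.crt" 2>/dev/null
}

make_p12() {
  # Bundle key + cert + issuing CA into PKCS#12. $2 is the password the
  # phone's Install dialog will ask for.
  openssl pkcs12 -export -name "$1" \
    -inkey "$WORK/client.key" -in "$WORK/client.crt" -certfile "$WORK/ca.crt" \
    -passout "pass:$2" -out "$WORK/client.p12"
}

verify_chain() {
  # Does the client cert actually chain to the root we are handing out?
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/client.crt" >/dev/null 2>&1
}

p12_opens_with() {
  # 0 if the bundle unlocks with this password AND carries a private key.
  # A bundle with the cert but no key installs fine yet never authenticates.
  openssl pkcs12 -in "$WORK/client.p12" -passin "pass:$1" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

p12_subject() {
  # Subject of the client cert inside the bundle (what Safari lists when it
  # asks which certificate to use).
  openssl pkcs12 -in "$WORK/client.p12" -passin "pass:$1" -clcerts -nokeys 2>/dev/null \
    | openssl x509 -noout -subject
}

build_identity() {
  # Whole pipeline; prints the .p12 path on success.
  make_ca && make_client "$1" && make_p12 "$1" "$2" && verify_chain \
    && printf '%s\n' "$WORK/client.p12"
}
```

Run `build_identity "Nick Test" secret` and mail or serve the printed client.p12 alongside ca.crt. One caveat: current OpenSSL 3 wraps the bundle in AES with PBKDF2 by default, which old importers (a 2008-era phone included) may not understand; on OpenSSL 3 the `-legacy` option to `openssl pkcs12 -export` falls back to the older RC2/3DES encoding that those importers expect.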

Once you then use Mobile Safari to browse to a site requiring a certificate for authentication, you get a nice dialog telling you so - and it works! If you have more than one cert then it’ll even ask which one to use. Nice one Apple. Shame they don’t have the ‘Identity Preferences’ of the Keychain on Leopard where you can pre-assign a cert to a site, but that’s nitpicking. Get the <keygen> tag fixed, and we’re good, Apple.

Feel free to use my test site:

http://client.nickf.net/

Visit the HTTP site first to get the root and the test .p12 (both served with the correct MIME type) and then visit the HTTPS site to test.

Check my contact details if you want to give/get any feedback.