IPad – How to configure an iPad to use EAP-TLS

certificateipadNetworkSecuritywifi

I try to connect an iPad (iOS 11.3.1) to a WiFi network which uses EAP-TLS. There is no way to specify EAP-TLS mode because of the lack of the certificate, so I need to import the certificate first.

I copied the client certificate to the device, and now, I want to install it. According to a few websites I checked, it seems to be easy:

Open the certificate file on the device. IOS will recognise the file as a certificate file, and begin the import process. Tap install.

Source

All Apple iPads and iPhones support PKCS1-formatted X.509 certificates, stored in files ending with .crt, .cer, .pem or .der.

Source

However, I'm clueless as what exactly I should do once I downloaded the certificate file on the tablet. It allows me to do a bunch of actions such as store it in Google Drive, but there is nothing which could look like an import tool, and it doesn't look like the device recognized the PEM file.

What should I do to make the device recognize PEM certificates?

Best Answer

CONFIGURING EAP-TLS AUTHENTICATION on IOS DEVICES:

Instructions were developed using IOS 11 and IOS/iPADOS 13.3 to configure both iPhones & iPads for EAP-TLS authentication using certificates.

If you wish to learn how the certificates were generated- or how to configure the EAP-TLS Authentication on the router's side (using a MikroTik)- please go HERE.

PROCESS OVERVIEW:

A) Configure Certificates:

For each device we will in turn: - Download and configure the CA certificate - Download and configure the Client Certificate

B) Configure Authentication:

Once the certs are in place and configured on the device, we next configure the wireless network connection that uses them.

C) Configure Connection:

Configure the WiFi connection to use EAP-TLS

PROCESS:

Configure CA CERTIFICATE:

  1. Open Safari on your iPhone/iPad and navigate to where your certificates live. Do NOT use any other web browser!! Safari will identify them as certificates and offer to install them.

Download CA cert to IOS Device There are (2) certs we'll be working with: The CA cert & Client cert

  1. Download CA Certificate FIRST: "cert_export_CAF1Linux***.crt***" NOTE the ".crt" file extension. Choose "Allow" when prompted.

Safari Dialog downloading CA Cert

Profile Download Feedback

Configure CA PROFILE:

  1. Navigate to: "Settings" > "General" > "Profiles"

Settings > General > Profiles

  1. Go to the CA certificate which appears as a "Downloaded Profile" and click it:

Go to the CA Cert

  1. Click "Install" at top-right corner of screen

Profile Install Dialog

  1. Enter device's 6 digit pass code:

Passcode dialog screen

  1. Ignore warning displayed (we created the cert after all) and click "Install":

Install Warning Dialog for CA cert

Post-Install Warning Dialog

  1. Click "Done" in top right corner of screen.

Finish CA Profile Install

  1. Verify the CA certificate installed successfully.

Configure CLIENT CERTIFICATE:

  1. Go back to Safari and download the CLIENT certificate's pkcs12 cert which has the extension ".p12" to the IOS / iPADOS device. Choose "Allow" when prompted.

Download Client Cert Dialog

Profile Download Feedback

Configure CLIENT PROFILE:

  1. Navigate to: "Settings" > "General" > "Profiles" and choose the Client cert which appears as a new "Downloaded" profile and click it:

Download CLIENT cert to IOS Device

  1. Install Client Cert:

Install Client Cert

Enter Passcode

Install Warning Dialog

Click Install for the millionth time

  1. This time you'll be prompted to enter the passphrase the pkcs12 Client certificate was exported with. "Next" in top right corner will become active after successfully entering passphrase; click it.

Enter Passphrase PKCS12 Client Cert exported with

  1. After installing, the cert will initially display an incorrect status of "Not Signed". Ignore this. When we check it again it will show a status of "Verified":

Incorrect status initially shown

  1. Click "Profiles" to go back to main "Profiles" screen and choose the Client certificate profile.

Main "Profiles" Screen

  1. The Profile now reflects the correct status "Verified":

Correct Signed Status Displayed

WARNING:

Only proceed to next step "Configure AUTHENTICATION" after installing BOTH certs and each one's status report "Verified". You will be wasting your time trying to connect if this step is not completed properly. And pulling out large amounts of hair in frustration...

Configure AUTHENTICATION:

This example uses a hidden network. Go to "WiFi" > "Other Network" to begin setting the connection parameters for the EAP-TLS SSID. Your connection parameters should look as below:

WiFi Config Settings

Client AUTHENTICATION:

When you finally connect, you'll be presented with a warning to "Trust" a certificate. This will be the cert used by the Wireless Interface:

Cert Warning of Wireless Interface

That's it, you're done.

Related Question