8

I’ve deployed some RADIUS servers (Windows Server 2012 R2 with NPS). They use PEAP-MSCHAP-V2 for authentication with a GoDaddy SAN certificate. They are deployed in order to handle Wi-Fi connections.

The certificate works with all my devices Windows, Android but when I try to authenticate with an iPhone (iPhone 6s Plus, iOS 10), it says that the certificate of the server is “Not safe”/“Not verified” and I have to acknowledge it before attempting to connect. Then the authentication works but I would like my colleagues to be able to authenticate with their iPhone without acknowledging this certificate.

Firstly, I thought that the certificate was faulty, but as I said, it works with all my other devices. Moreover, I’ve checked the certificate itself, and the common name, the DNS name and all the related data are correct.

I know that it is possible to import certificates in iPhone, but GoDaddy! is a "Trusted Root Certification Authority", so I shouldn't have to do anything.

Is there any reason why an iPhone wouldn't trust a GoDaddy! certificate?

P.S.: I’ve tested with another iPhone (iPhone 6s, iOS 10) and it doesn’t work on that one either.

Asked by XSP; edited by Giacomo1968
  • Run your domain through https://www.ssllabs.com/ssltest/analyze.html and see what the report says. – ceejayoz Dec 19 '16 at 14:10
  • Thank you for your answer, but my servers are not reachable from the exterior and they are not web servers either, so I cannot use your link. – XSP Dec 19 '16 at 14:17
  • Might be similar: http://stackoverflow.com/questions/18746565/godaddy-ssl-cert-not-working-with-java/21117993 – SnakeDoc Dec 19 '16 at 18:34
  • I edited your post for copy edits and grammar, but was a bit confused by what is meant by “They are deployed in my society in order to handle Wi-Fi connections.” So hopefully my edit to that kept the spirit of that sentence intact. – Giacomo1968 Dec 20 '16 at 00:20

1 Answer

17

This means that iOS does not trust the publisher of your certificate, but as you've mentioned, there is a GoDaddy root certificate on the iPhone.

What this probably means is that your RADIUS server is not sending its intermediate certificates. The Windows and Android devices probably already have this intermediate certificate trusted, but your iOS devices don't.

You can find someone else having the same issue here.

There isn't much you can do about this, apart from pushing the intermediate certificate into the trusted publishers store on the iOS devices.

Mark Henderson

  • While I'm not familiar with iOS devices, GoDaddy certificates, or RADIUS servers, shouldn't it be possible to append the intermediate cert to the GoDaddy cert so it's sent with all connections, and thus the iOS devices would follow the GoDaddy cert to the intermediate cert, and then see that the intermediate cert is signed by the trusted root cert? – Doktor J Dec 19 '16 at 21:08
  • @DoktorJ not with NPS unfortunately (this is discussed in the link I included in my answer). Normally though, you would be correct. – Mark Henderson Dec 19 '16 at 21:14
  • FWIW, the specific—but generic—GoDaddy! support document on this can be found here: [“What is an intermediate certificate?”](https://www.godaddy.com/help/what-is-an-intermediate-certificate-868) – Giacomo1968 Dec 20 '16 at 00:23
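An added check for the NPS side, not part of the original question or answer: the PowerShell below, run on the NPS host as an administrator, rebuilds the chain for the server certificate the way Schannel does, reports whether each intermediate is present in the machine's Intermediate Certification Authorities store, and exports the intermediates as DER (.cer) files, which is the form you would push to the iPhones as the answer suggests. The server name is a placeholder; adjust the filter to match your own certificate.

```powershell
# Added example (not from the original post). Run on the NPS host in an elevated PowerShell.
# Assumption: the NPS server certificate is in Cert:\LocalMachine\My and its subject contains
# the RADIUS server's DNS name. 'radius.example.com' is a placeholder.
$serverName = 'radius.example.com'

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "*CN=$serverName*" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $serverName in Cert:\LocalMachine\My" }

# Build the chain as Schannel would from the local stores. Revocation is disabled so the
# check works offline; the question here is chain completeness, not revocation.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$built = $chain.Build($cert)
"Chain build succeeded: $built"

# Print each element, leaf first, and where that element is expected to live locally.
$index = 0
foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    $expectedStore = if ($c.Subject -eq $c.Issuer) { 'Root' }
                     elseif ($index -eq 0)          { 'My' }
                     else                           { 'CA' }
    '[{0}] {1} | issuer: {2} | expected store: Cert:\LocalMachine\{3}' -f $index, $c.Subject, $c.Issuer, $expectedStore
    $index++
}
foreach ($status in $chain.ChainStatus) {
    "Chain status: $($status.Status) - $($status.StatusInformation)"
}

# Intermediates = every chain element after the leaf that is not self-signed.
$intermediates = @($chain.ChainElements | Select-Object -Skip 1 |
    ForEach-Object { $_.Certificate } |
    Where-Object { $_.Subject -ne $_.Issuer })

if ($intermediates.Count -eq 0) {
    Write-Warning 'No intermediate in the built chain: the leaf chains directly to a root, or the chain is incomplete locally.'
}

foreach ($ic in $intermediates) {
    # Is the intermediate in the Intermediate Certification Authorities store of the machine?
    $present = Get-ChildItem Cert:\LocalMachine\CA | Where-Object { $_.Thumbprint -eq $ic.Thumbprint }
    if (-not $present) {
        Write-Warning "Intermediate '$($ic.Subject)' is not in Cert:\LocalMachine\CA; import it there so the server can build the full chain locally."
    }
    # Export as DER (.cer): the form that can be installed on iOS, e.g. through a configuration profile.
    $path = Join-Path $env:TEMP ("intermediate-{0}.cer" -f $ic.Thumbprint)
    $der  = $ic.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($path, $der)
    "Exported intermediate to $path"
}
```

The local chain is only what Windows can build; what the iPhone actually sees is the Server Certificate message inside the EAP-TLS handshake carried in RADIUS Access-Challenge packets. To confirm the wire behaviour, capture that exchange on the NPS host (or on the path between the access point and NPS) with Wireshark and check whether the intermediate is included; if it is not, the exported .cer above is what you would distribute to the iOS devices.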