Installing certificate in iOS Simulator trust store (NSURLErrorDomain Code=1202)
Error Code 1202 is always a bummer: your server certificate is untrusted. Untrusted server certificate errors can be a pain on iOS simulators; the cert install capabilities have improved incrementally over iOS 6/7/8, but seem to be inconsistent from one Xcode release to the next. The standard community approach continues to be to disable TLS security features in your code, which eliminates the server trust guarantees. This opens security holes which you must close before shipping or distributing test clients to your end users.
Apple published a technical note on HTTPS Server Trust Evaluation, in which it references these common community recommendations and rejects them with stern warnings. Its official recommendation for an invalid certificate is to fix the problem on the server. For an unknown certificate authority, it is to include a copy of the certificate from the Custom Certificate Authority in your application, create a certificate object, then set the certificate as the trusted anchor for the trust object.
If you plan to package the server certificate in your application in production, then this approach is of course fine. But if your certificate will already be installed on-device, through an MDM profile, etc., then a shortcut for development in the simulator is to install the certificate in your simulator’s ‘device’ trust store. This does not compromise the integrity of the TLS verification framework, nor require additional ‘simulator-only’ code. It takes about 3 minutes.
Note: this methodology is not supported by Apple or SAP, and could be broken in the future by incompatible changes in Xcode and the iOS Simulator. It has been confirmed to work on iOS 5, 6, 8.0/8.1.
1. Get a copy of the certificate from the server.
- Navigate to a page on the server in Firefox
- Click on the ‘lock’ icon in the navigation bar, and click ‘More Information’ to see the ‘Security’ tab
- Click on ‘View Certificate’ link, then switch from the ‘General’ view to the ‘Details’ view
- In the ‘Certificate Hierarchy’ window, select <the cert name>, then click ‘Export…’
- Save As: CertName.pem (add the .pem suffix to the file name, as well as setting the format to PEM)
For some sites, you may be able to drag & drop the .pem file onto the screen of your iOS simulator, click “Install” when prompted, and operate as desired. It’s worth a try.
If this does not resolve the issue, continue as follows:
2. Download an open source Python script by the team at ADVTOOLS. Extract the iosCertTrustManager.py file.
3. Run the iosCertTrustManager.py file, giving it the location of the certificate to be installed on your simulator.
    i826181$ python iosCertTrustManager.py -a ~/Documents/SAPNET_CA.pem
    subject= C = DE, O = SAP-AG, OU = SAP-AG, CN = *.wdf.sap.corp
    Import certificate to Resizable iPad 8.1 [y/N] y
    Importing to /Users/i826181/Library/Developer/CoreSimulator/Devices/20BECA4E-76F5-4660-A190-C0F3BF021EF9/data/Library/Keychains/TrustStore.sqlite3
    Import certificate to iPad Air 8.1 [y/N] y
    Importing to /Users/i826181/Library/Developer/CoreSimulator/Devices/977AB354-C155-42C6-99BC-F52C330D1D48/data/Library/Keychains/TrustStore.sqlite3
    Existing certificate replaced
    Import certificate to iPhone 6 Plus 8.1 [y/N] y
    Importing to /Users/i826181/Library/Developer/CoreSimulator/Devices/A8361243-2B2A-487E-81EE-F86C9EE9A920/data/Library/Keychains/TrustStore.sqlite3
    Import certificate to iPhone 6 8.1 [y/N] y
    Importing to /Users/i826181/Library/Developer/CoreSimulator/Devices/B67C61CA-4CFA-4D19-AB84-431150BAF59F/data/Library/Keychains/TrustStore.sqlite3
    Existing certificate replaced
You will be prompted to install the certificate on each simulator which you’ve run.
At this point, try hitting your server from the application; you should be able to complete the SSL handshake.
Note: ADVTOOLS is not (known to be) an affiliate of SAP.
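To confirm which simulators now trust the certificate, and to spot entries left over from earlier test setups, the trust stores listed in the import log can be read back. This is an added example, not part of the original post or of the ADVTOOLS script; it assumes each store has a `tsettings` table whose `sha1` column holds the SHA-1 of the DER certificate kept in `data`, and the function names are hypothetical.

```python
import base64, glob, hashlib, os, pathlib, sqlite3, sys

# Path layout as printed in the import log above.
DEVICES_ROOT = os.path.expanduser("~/Library/Developer/CoreSimulator/Devices")
STORE_REL = os.path.join("data", "Library", "Keychains", "TrustStore.sqlite3")
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def pem_sha1(pem_text):
    """SHA-1 fingerprint (hex) of the first certificate in a PEM string."""
    start = pem_text.index(BEGIN) + len(BEGIN)
    body = pem_text[start:pem_text.index(END, start)]
    return hashlib.sha1(base64.b64decode("".join(body.split()))).hexdigest()

def audit_trust_stores(devices_root=DEVICES_ROOT, expect_sha1=None):
    """Return one record per trusted certificate in every simulator store."""
    findings = []
    for store in sorted(glob.glob(os.path.join(devices_root, "*", STORE_REL))):
        udid = os.path.relpath(store, devices_root).split(os.sep)[0]
        # Read-only URI: the audit must never modify a trust store.
        uri = pathlib.Path(store).resolve().as_uri() + "?mode=ro"
        con = sqlite3.connect(uri, uri=True)
        try:
            # ASSUMPTION: table tsettings, sha1 = SHA-1 of DER, data = DER bytes.
            rows = con.execute("SELECT sha1, data FROM tsettings").fetchall()
        except sqlite3.DatabaseError as exc:  # other schema or unreadable file
            findings.append({"device": udid, "error": str(exc)})
            continue
        finally:
            con.close()
        for stored, der in rows:
            der = bytes(der or b"")
            actual = hashlib.sha1(der).hexdigest()
            findings.append({
                "device": udid,
                "sha1": actual,
                "sha256": hashlib.sha256(der).hexdigest(),
                # False: the stored index does not match the stored certificate.
                "index_ok": bytes(stored or b"").hex() == actual,
                # True only for the certificate you meant to install.
                "expected": actual == expect_sha1,
            })
    return findings

if __name__ == "__main__":
    want = pem_sha1(open(sys.argv[1]).read()) if len(sys.argv) > 1 else None
    for finding in audit_trust_stores(expect_sha1=want):
        print(finding)
```

Run it with the path to the exported .pem file as the only argument; any row with `expected` set to False is a certificate some other step added to that simulator.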