Wednesday, May 29, 2013

SSL failure with DSA certificate on iOS

This may come in handy when testing an iOS client against a remote server over SSL.

An SSL connection from an iOS device to a remote server will fail if the remote server's certificate uses a DSA key. A DSA certificate can only be used with the DSS cipher suites, which iOS's Secure Transport does not offer, so client and server have no cipher suite in common and the handshake fails. I found this during testing, and I don't know if Apple has documented it.

My remote server was a Java server and used JKS as the keystore format. Unless you pass -keyalg, the Java keytool generates a DSA key pair by default (1024-bit in the JDKs of the time), so a keystore built with the defaults produces exactly the certificate iOS rejects.

To test that an RSA certificate would get me past the issue, I created a new self-signed certificate with the JDK keytool, this time with an RSA key. Then I converted the certificate to PEM format and ran an openssl server with the PEM certificate. I then connected to the openssl server from the Safari browser on the iOS device, and the connection was successful.

You may ask why I didn't directly create the certificate with openssl in PEM format; well, I used keytool to show a colleague how to convert JKS to PEM.


  1. Create a self-signed certificate with an RSA key (keytool defaults to DSA, so -keyalg RSA is the part that matters; -dname and -keypass avoid the interactive prompts, and "host" stands for your server's name)

    keytool -genkey -keyalg RSA -keysize 2048 -alias selfsigned -keystore keystore.jks -storepass password -keypass password -validity 360 -dname "CN=host"
  2. Export JKS to PKCS12

    keytool -importkeystore -srckeystore keystore.jks -srcstoretype jks -srcstorepass password -destkeystore keystore.p12 -deststoretype pkcs12 -deststorepass password
  3. Convert PKCS12 to PEM (-nodes writes the private key unencrypted so s_server can start without a passphrase prompt; keep the resulting file private)

    openssl pkcs12 -in keystore.p12 -passin pass:password -nodes -out keystore.pem
  4. Launch a test server with the openssl command (the PEM file holds both the certificate and the key; s_server listens on port 4433 by default)

    openssl s_server -cert keystore.pem -key keystore.pem -accept 4433 -www
  5. Connect to the server from Safari on the iOS device by opening https://host:4433/ (expect a warning about the self-signed certificate, but with the RSA key the connection itself succeeds; with a DSA key it fails outright), or from another machine with

    openssl s_client -connect host:4433

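Before spending time on the iOS side, it is worth confirming which key algorithm the server certificate actually uses. The following is an added example written for this post, not code from the original, and it uses only the Python standard library: a minimal DER walker reads the public-key and signature AlgorithmIdentifier OIDs out of an X.509 certificate, either from the keystore.pem produced in step 3 or from a live server. The two sample certificates at the bottom are constructed in-line as unsigned structural skeletons (no real keys), so the check runs offline; the function names, the default port 4433 and the OID table are this example's own choices.

```python
import base64
import re
import socket
import ssl

# OIDs a practitioner meets in server certificates (subset, chosen for this example).
OID_NAMES = {
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.10040.4.1": "id-dsa",
    "1.2.840.10045.2.1": "id-ecPublicKey",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "2.16.840.1.101.3.4.3.2": "dsa-with-sha256",
}

def _tlv(buf, pos=0):
    """Decode one DER tag-length-value; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split the body of a SEQUENCE into its (tag, value) items."""
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        items.append((tag, val))
    return items

def _decode_oid(raw):
    parts, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))

def cert_algorithms(der):
    """Return (public key algorithm, signature algorithm) for a DER-encoded certificate."""
    _, cert, _ = _tlv(der)
    tbs = _children(_children(cert)[0][1])      # fields of tbsCertificate
    if tbs[0][0] == 0xA0:                       # optional explicit [0] version
        tbs = tbs[1:]
    # Remaining order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    sig_oid = _decode_oid(_children(tbs[1][1])[0][1])
    key_alg = _children(tbs[5][1])[0][1]        # AlgorithmIdentifier inside the SPKI
    key_oid = _decode_oid(_children(key_alg)[0][1])
    return OID_NAMES.get(key_oid, key_oid), OID_NAMES.get(sig_oid, sig_oid)

def is_dsa_certificate(der):
    """True for the case that fails on iOS: a DSA public key."""
    return cert_algorithms(der)[0] == "id-dsa"

def pem_file_algorithms(path):
    """Inspect the first CERTIFICATE block of a PEM file such as keystore.pem from step 3."""
    with open(path) as f:
        m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", f.read(), re.S)
    return cert_algorithms(base64.b64decode(m.group(1)))

def server_algorithms(host, port=4433):
    """Fetch the leaf certificate of a live server; verification is off because it is self-signed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return cert_algorithms(tls.getpeercert(binary_form=True))

# --- constructed sample certificates for offline use: structure only, no keys or signatures ---
def _enc(tag, body):
    n = len(body)
    hdr = bytes([tag, n]) if n < 0x80 else bytes([tag, 0x81, n])   # samples stay below 256 bytes
    return hdr + body

def _enc_oid(dotted):
    p = [int(x) for x in dotted.split(".")]
    out = [40 * p[0] + p[1]]
    for v in p[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out += reversed(chunk)
    return _enc(0x06, bytes(out))

def sample_cert(key_oid, sig_oid):
    """Minimal X.509 skeleton carrying the given algorithm OIDs (constructed test input)."""
    alg = lambda oid: _enc(0x30, _enc_oid(oid) + _enc(0x05, b""))   # AlgorithmIdentifier
    name = _enc(0x30, b"")                                           # empty Name
    validity = _enc(0x30, _enc(0x17, b"130529000000Z") * 2)
    spki = _enc(0x30, alg(key_oid) + _enc(0x03, b"\x00\x00"))
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01")
               + alg(sig_oid) + name + validity + name + spki)
    return _enc(0x30, tbs + alg(sig_oid) + _enc(0x03, b"\x00"))

DSA_SAMPLE = sample_cert("1.2.840.10040.4.1", "1.2.840.10040.4.3")         # keytool's default output
RSA_SAMPLE = sample_cert("1.2.840.113549.1.1.1", "1.2.840.113549.1.1.11")  # what -keyalg RSA gives
```

Run pem_file_algorithms("keystore.pem") after step 3 to confirm you got ("rsaEncryption", "sha256WithRSAEncryption") rather than an id-dsa key before touching the iOS device. server_algorithms is the same check against a running s_server, with one caveat: a current TLS client may itself refuse a DSA-only server (TLS 1.3 defines no DSS cipher suites), in which case the connection error is the answer and the offline file check is the reliable way to see what the certificate contains.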
