Skip to main content
marsmatt
marsmatt
New Member
May 18, 2017
Question

SSL Deep Inspection with iOS devices (iPhone; iPad)

  • May 18, 2017
  • 1 reply
  • 19174 views

Hey Guys, 

 

Hope someone can shed some light on this problem. So I want to enable SSL deep inspection for devices on my network. Windows stations with the CA cert pushed via group policy or installed manually work great and I can control all the aspects I want with deep inspection (safe search, etc...). I also want to provide the certificate to our WIFI users, most of them being students with their own devices.

 

I have the cert provided via download link on the captive portal page for the WIFI. Download link works fine, and Windows users are able to download it, install it and off they go. However, I go through the steps with an iPhone whether I used .cer file, .p12 or .pfx .. the file downloads, I can install it and it tells me the cert is verified but I still get certificate errors when browsing https websites, also app store, etc... won't load. 

 

Any ideas? TIA

1 reply

hmtay_FTNT
Staff
hmtay_FTNT
Staff
May 23, 2017

Hello marsmat,

 

Are you able to browse some sites like let's say https://www.facebook.com on Safari? On iOS, with deep-inspection, you have to exempt some apple domains from deep-inspection because of Certificate Pinning. In the default deep-inspection profile in FortiOS 5.6, we have some default address groups exempted. 

 

With the native iTunes and Apple store, if you do not have the apple domains exempted, they will not work. Can you try adding the exemptions? It is hard for browsers to do Certificate Pinning, therefore, if you want to find out if the installation of the Certificate is done correctly, you can try to access some HTTPS sites on a browser application.

 

HoMing

marsmatt
marsmattAuthor
New Member
May 24, 2017

When I go to an HTTPS enabled site in Safari, such as Facebook, the site simply does not display. When I go to the same sites in Chrome it will give me a certificate warning and allow me to proceed if I choose too. 

 

I will try adding the apple domains to the exemptions and try the App Store, etc...

 

*** EDIT : Exemptions work, I made wildcard entries for *.apple.com, *.appstore.com and *itunes.apple.com  and they now function. If I put an exemption for Facebook (social networking category) it will also work. ***

 

Thanks for the input.

Terms & ConditionsAccessibility statement