English (GB) Deutsch

Articles in this section

Swyx Mobile for iOS and iOS 13

Avatar
Michael Kreicarek
  • Updated

Information:

Due to the security measures required in certificate handling since iOS 13, it may happen that an iPhone cannot access SwyxWare with Swyx Mobile for iOS via the remote connector or locally after an update to iOS 13.

This can occur with self-signed certificates as SwyxWare can generate and also with issued certificates of a public certification authority.

The necessary parameters a certificate must have are explained by Apple on this page:

https://support.apple.com/de-de/HT210176

 

Important: This refers exclusively to the certificates used for public access to port 9101 (Web service authentication endpoint) and Port 9100 (RestAPI Full).

The certificates existing on the clients (SwyxIt! client) or the Swyx-Mobile clients or MacOS client do NOT have to be reissued because they are not affected by the change listed here!

*** Please do not modify other Certificates ***

These certificates (see administration manual) can be an own certificate and does not have to correspond to the certificate used by SwyxWare to generate the certificates for remote connector access. If no own certificate is used, the certificate used in the Config Wizard will be used (either self-signed by SwyxWare or a public signed certificate).

If a public certificate is used, which corresponds to the above information from Apple, no changes on SwyxWare are necessary. 

If no own certificate is used, a valid certificate according to the Apple guidelines can be generated with the following steps.

Run "netsh http show sslcert" to print a list of the certificates and the respective ports. The relevant bindings are to port 9101 and 9100

mceclip0.png

For the next steps we need the values certificate hash (a4711....54568) und Application ID (026.....fcaa)

  • Select Run from the Start menu, and then enter certlm.msc.
    The Certificate Manager tool for the local device appears.

  • Expand the Personal/Certificates folder to show a list of the local certificates

    mceclip1.png

  • Double-click one of the elements with "Issued To" equals the server host name ('SWYX-MK-W19' in this example) and select Details/Show: Properties Only

mceclip2.png

  • If the "Thumbprint" value matches the "Certificate Hash" value from step 1. the correct certificate is selected

  • To create a new certificate to match the requirements we need to lookup the host FQDN and the remote connector FQDN
    Retrieve the host FQDN via powershell
    [System.Net.Dns]::GetHostByName(($env:computerName))
    The value "HostName" will provide the FQDN needed

    The remote connector FQDN is shown by SwyxWare Administration by Properties/RemoteConnector/Authentication Server

    mceclip3.png

  • By this information a new certificate can be created with the following powershell commands.
    In order to be able to connect independently of IP address (if no local DNS server is available) as well as names, it is advisable to also list the IP addresses in the SAN (Subject Alternative Names).
    > $todaydt = Get-Date

    > $ValidUntil = $todaydt.AddDays(800)

    > New-SelfSignedCertificate -DnsName "<host FQDN>","<remote connector FQDN>", "local IP-Address", "Public IP-Address" -notafter $ValidUntil -CertStoreLocation cert:\LocalMachine\My
    If you are using a Microsoft Windows Server 2012 r2, Powershell does not yet understand the term "-notAfter". Therefore, please use the following entry (the certificate is valid for 1 year):
     
    > New-SelfSignedCertificate -DnsName "<host FQDN>","<remote connector FQDN>", "public IP-Address", "local IP-Address" -CertStoreLocation cert:\LocalMachine\My
  • If the new certificate was created a summary including the thumbprint is shown

    mceclip4.png

  • Additional hint: a list of the certificates with thumbprint and subject can be shown by the command "ls Cert:\LocalMachine\My\"

    mceclip5.png

  • The current certificate must be detached and the newly created certificate must be bound to the port 
    Run "netsh http delete sslcert 0.0.0.0:9101" to detach the current certificate from port
    > netsh http delete sslcert 0.0.0.0:9101

    SSL Certificate successfully deleted
  • Attach new certificate to port with application ID from step 1 and thumbprint from creation output
    83EE919AACD1208EA4843ECE622129363FA8A3A1
    netsh http add sslcert ipport=0.0.0.0:9101 certhash=83EE919AACD1208EA4843ECE622129363FA8A3A1 appid="{02661bfd-19e4-498e-bc21-56d6ba84fcaa}"

    Das SSL-Zertifikat wurde erfolgreich hinzugefügt.
  • Confirm binding the certificate to port by repeating step 1

    netsh http show sslcert
    mceclip7.png

Please do the same steps again for Port 9100. Keep in mind and doublecheck that you use the correct AppID and CertificateHash for this port.

Now the phones running iOS13 should connect without errors

Related articles

Comments

0 comments

Article is closed for comments.