AFNetworking: How to download an SSL certificate and extract the public key

Created on 16 Apr 2015 · 3 Comments · Source: AFNetworking/AFNetworking

I'm using AFNetworking and doing SSL Pinning. Everything is working fine. Now, I need to download an SSL certificate and extract its public key to generate a string.

So, what I need is:

  • Grab the public key from an SSL certificate on https://example.com
  • Save this SSL Certificate on my app's bundle
  • Use the public key to generate another string

Any tips?

Most helpful comment

In your Terminal:

openssl s_client -showcerts -connect example.com:443

It will spit out some text, including a certificate chain. Each .pem certificate in the chain looks a bit like this:

-----BEGIN CERTIFICATE-----
MIIEdjCCA16gAwIBAgIIKb4U4/7LHkIwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
... (many lines omitted) ...
Pi2TrNk/2vFUM/4qxWdjC8bmBLOhmDcZjomRbP6hHf4hwo9iS5ng5U+f
-----END CERTIFICATE-----

The first listed in the chain is usually the actual SSL certificate, the last is the root. Select whichever of the certificates you need (including the BEGIN CERTIFICATE and END CERTIFICATE lines) and save each in a file with extension .pem

To actually use it in your app and with AFNetworking, there is one more step. Convert it to DER format:

openssl x509 -in certificate.pem -outform der -out certificate.cer

Take the .cer file and drop it into your Xcode project, and add it to the desired target (it should automatically get added to the "Copy Resources" build phase.) If it is in the DER format and ends with the extension .cer, AFNetworking should find it on its own.

Once you get the certificates in your bundle, you can read them like any file. Look at the AFSecurityPolicy class to see how to extract the key from a certificate.
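
The steps from the answer above as one script, added here as an example (it is not part of the original thread or of AFNetworking). It also prints a base64 SHA-256 of the public key as one possible string derived from it; that choice, the function names, and the file names certificate.pem and certificate.cer are assumptions.

```shell
#!/bin/sh
# Added example: function names and output file names are assumptions.

# first_cert: read `openssl s_client -showcerts` output on stdin and print
# only the first PEM certificate (usually the server's own certificate).
first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { on = 1 }
         on { print }
         /-----END CERTIFICATE-----/ { if (on) exit }'
}

# pem_to_der PEM_FILE DER_FILE: the conversion step from the answer.
pem_to_der() {
    openssl x509 -in "$1" -outform der -out "$2"
}

# cert_pubkey DER_FILE: print the public key stored in the .cer file
# as a PEM "PUBLIC KEY" (SubjectPublicKeyInfo) block.
cert_pubkey() {
    openssl x509 -inform der -in "$1" -pubkey -noout
}

# spki_sha256 DER_FILE: base64 SHA-256 of the DER-encoded public key.
# The digest does not change when a certificate is reissued for the same key.
spki_sha256() {
    cert_pubkey "$1" |
        openssl pkey -pubin -outform der |
        openssl dgst -sha256 -binary |
        openssl base64
}

# Usage: sh pin.sh example.com   (writes certificate.pem and certificate.cer)
if [ -n "${1:-}" ]; then
    openssl s_client -showcerts -connect "$1:443" </dev/null 2>/dev/null |
        first_cert > certificate.pem
    pem_to_der certificate.pem certificate.cer
    spki_sha256 certificate.cer
fi
```

Run it from a network you trust: the certificate you bundle becomes the reference the app pins against.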

All 3 comments

I need to download the certificate in runtime. From my app.

The SSL certificate from my webservice changes from time to time. So, my app (using AFNetworking) needs to download the SSL certificate and extract its public key.

@hdoria No such functionality exists to download certificates at runtime in AFNetworking, to my knowledge.

For what it's worth, such a feature does not sound entirely sensical, as it appears to rely on an insecure network connection as a basis for creating a secure connection. I would not recommend this approach, and instead find a way to use AFSecurityPolicy as designed.
