Adding Trusted Root Certificate Authorities to iOS (iPad, iPhone)

As manager of a web administration team, we’ve encountered several teams who have had trouble adding internal Certificate Authorities to iPads and iPhones…  and I don’t blame them, it’s not obvious.

To add private CA certs to your iPhone or iPad, you will need:

  • The iPhone Configuration Utility (windows or mac)
  • Your iPhone or iPad physically connected via cable to said windows or mac machine.  It’s tempting to try to add the resulting .mobileconfig by downloading it wirelessly over a browser, but it will not be trusted.
  • The cert file(s)

Once the above requirements are met, do the following:

  1. Start the iPhone Configuration Utility.
  2. Under “Library”, select “Configuration Profiles”
  3. Click the Add New button on the top left.
  4. Fill out the mandatory general information tab contents
  5. Under the Credentials section, add the CA cert or certs.
  6. Attach your iOS device if it is not already connected.
  7. Select your device in the iPhone Configuration Utility, and select its Configuration Profiles tab.
  8. You should see the profile you just created with an “install” button on the right – click it.
  9. On your device, you will see a profile installation dialog – hit the install button and follow directions.

That’s all, the CA profile should be installed and verified with a geen check.   I hope this helps some of you out there.

This process can also be used to install client SSL certs on the iPad.

WebDAV

One of the up-and-coming web publishing tools is… not what you’d expect! Pretty much anything that can save a file to disk! Anything, that is, that can be extended to save a file with the WebDAV protocol. DAV stands for “Distributed Versioning and Authoring”. This particular topic will house my notes on getting WebDAV set up with my apache server, and getting clients to use it. Currently there’s a pretty extensive list of clients that support it, such as Microsoft Office and OpenOffice. See my notes on OpenOffice and others in the rest of the article…

Apache Setup
For Apache 2.2.0, these are the general settings that are needed/suggested for DAV functionality. (earlier versions of apache also support DAV, I just happen to be on 2.2.0 at the moment)

LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule dav_lock_module modules/mod_dav_lock.so
DavLockDB /usr/site/www/logs/DAVlock.db
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "MS FrontPage" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
BrowserMatch "^gnome-vfs/1.0" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully

Take note with the DavLockDB line – you can’t just create that file and be done, because that file is not even used! It creates a .dir and a .pagfile with that prefix. Best to let apache own the directory the files are in, but you can probably pre-make and chown them…

Next, on a location-by-location basis, enble DAV:

Alias /davtest /usr/site/www/davtest/www
<Directory /usr/site/www/davtest/www>
    Dav on
    AuthType Digest
    AuthName DAV-upload
    AuthUserFile "/usr/site/apache-2.2.0/user.passwd"

    # Allow universal read-access, but writes are restricted to the admin user.
    <LimitExcept GET OPTIONS>
        require user admin
    </LimitExcept>
</Directory>

This is nice – authentication is required for DAV modification methods, but reading, such as is done by the webserver, requires no authentication.

OPEN OFFICE 2.0
The first thing you should do is change the options to use the Open/Save dialogs from OpenOffice instead of Windows (or Linux? I am not sure how they behave) because the Windows ones won’t let you save a new file to a DAV site. Open a blank document and go to Tools - Options - OpenOffice.org - General and check the “Use Openoffice.org dialogs” checkbox.
Now when you save a file (html, text, spreadsheet, etc), when you create the filename, simply enter the full path to the DAV file, such as http://mercury.guyton.net/davtest/testing.html. For saving a file, it’s the same thing, just enter the full path of the DAV site if the browser is not focused there already.

To load an existing file, it’s similar, and I believe works with either the openoffice or windows load dialogs. Better to stick with the openoffice ones though, so you can save new files.

One down side to OpenOffice was that it did not support digest authentication. We had to revert to Basic auth, which does not encrypt the password well. If it’s over SSL, that’s fine, but most users should be able to use HTTP and digest…

This still does not address images, though…. or other random file types.

How to create a favicon

Favicons are the custom images that are displayed in the location bar for websites that create them. They are also sometimes shown in your bookmarks/favorites.

So how do you create them? They are not simple BMP files, but almost. If you have a UNIX machine, you can create a favicon if you have the netpbm package installed. Here is the command to do it, assuming you already have a bmp file of the image you want (16 x 16 pixels):

bmptoppm favicon.bmp | ppmtowinicon > favicon.ico

Streaming Radio on the Net

I want to be able to hear KLOL broadcasts of the Walton and Johnson show, but most of the time I am busy. OK, I could take a radio to work and listen with headphones, but that’s too easy, plus I am still constrained to their playtime. KLOL does not do internet broadcasts due to all the paperwork each timethey play a song. Ho-hum.

Here’s my solution – I bought a $5 radio card for my computer that should run under Linux, and plan to capture radio input from KLOL from 5:30 AM to 10 AM, when W&J is on. Then from there, the MP3s will be put on my streaming audio site, where I can access the broadcasts from anywhere – work, home, vacation, whatever. Kinda like a TiVo for radio. (I wonder if there is already such a thing?)

Depending on the size of the files (I will probably save in 30 minute chunks), I may get a USB disk-on-key and dump them there, so that I am not downloading lots of stuff at work, risking attracting the attention of the surf police.

Anyhow, that’s the plan. The only thing stopping me at the moment is that currently my Linux server is a Compaq, and Compaqs are notorious for not allowing non-compaq cards in their BIOS. I’d have to add some sort of driver or something. Sheesh.

There’s a new Fry’s Electronics opening up near us – once it does, I am going to go get another motherboard and chip to replace a failing Gateway that I have, and fire that one up. Should be sweet…

Apache compile standards

I’ve been spending time at work standardizing our Apache configuration and installs. It’s been fun working out exactly what modules we do/might need and compiling with the right performance enhancers (mpm=worker, enable nonportable atomics, etc).

I went ahead and upgraded the home server last night as well – got to a secure openssl and latest apache, and put a buncha modules as DSOs that I might include in the config later.

What a nice job – getting to work on Apache and open source stuff like that.