Profile-contained PKCS12 import fails when password required

Originator: karl
Number: rdar://18347673
Date Originated: 15-Sep-2014 11:51 PM
Status: Open
Resolved:
Product: iOS
Product Version: 7.1.2
Classification: UI/Usability
Reproducible: Always
 
Summary:
iOS allows identity certificates (a private key and matching certificate in an encrypted PKCS#12 container) to be installed using a Configuration Profile (specifically, the "com.apple.security.pkcs12" payload type).  When an identity certificate is included in a profile, that certificate may have the password included, but it is not required.  If the PKCS#12 file's password is not included in the profile, the user is prompted for the password during profile installation.

It seems to me that iOS is not working correctly when the user has to enter a password to install the identity certificate:  Even if the user enters the correct password, iOS will think that the password was wrong.  This only happens if the PKCS#12 file is part of a configuration profile.  If a .p12 file is installed directly, the password is accepted.

Steps to Reproduce:
1) Run Keychain Access, go to the "Keychain Access" menu, then "Certificate Assistant", and then "Open…".
2) Go through the Certificate Assistant, creating a new self-signed S/MIME certificate for yourself.
3) Export the newly-created certificate and the private key as a .p12 file.  When exporting, set a password.
4) Create a Configuration Profile containing the .p12 file, but _without_ setting the Password attribute.
5) Create a second Configuration Profile, except this configuration profile _does_ have the PKCS#12 payload's Password attribute set.
6) Using email or web, transfer the three files to the iPhone.  Attempt to install each file.

Expected Results:
• For the .p12 file (from Step 3) and the .mobileconfig file without password embedded (from Step 4), iOS should ask for the password.  Once the password is entered, iOS installs the .p12 or .mobileconfig file and makes the key and certificate available to the user.
• For the .mobileconfig file with password embedded (from Step 5), iOS should immediately install the certificate.

Actual Results:
• When installing the .p12 file, iOS works as expected, prompting for the password and then installing the private key & certificate.
• When installing the .mobileconfig file that DOES have the password included, iOS (again) works as expected.
• When installing the .mobileconfig file that does NOT have the password included, iOS will constantly ask for the password, claiming that the password entered is incorrect.
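
Added example (not part of the original report): a Python sketch that generates the two profiles from Steps 4 and 5 and reports which PKCS#12 payloads embed a password. The identifiers, display names and sample bytes are constructed placeholders; in a real reproduction the .p12 exported in Step 3 takes the place of the sample bytes.

```python
import plistlib
import uuid

PKCS12_PAYLOAD_TYPE = "com.apple.security.pkcs12"  # payload type named in the report


def build_profile(p12_bytes, password=None, name="identity"):
    """Return .mobileconfig bytes wrapping one PKCS#12 identity payload.

    password=None omits the Password key, so the device has to prompt
    (Step 4); a string embeds the password in the profile (Step 5).
    """
    cert_payload = {
        "PayloadType": PKCS12_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.repro.{name}.pkcs12",  # hypothetical
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Identity ({name})",  # hypothetical
        "PayloadContent": p12_bytes,  # serialized as base64 <data>
    }
    if password is not None:
        # Written as a plain <string>: anyone who can read the profile
        # file can read the password protecting the private key.
        cert_payload["Password"] = password
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.repro.{name}",  # hypothetical
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"PKCS#12 repro ({name})",  # hypothetical
        "PayloadContent": [cert_payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def describe(profile_bytes):
    """List (identifier, has_embedded_password) for each PKCS#12 payload."""
    profile = plistlib.loads(profile_bytes)
    return [
        (p["PayloadIdentifier"], "Password" in p)
        for p in profile.get("PayloadContent", [])
        if p.get("PayloadType") == PKCS12_PAYLOAD_TYPE
    ]


if __name__ == "__main__":
    sample_p12 = b"\x30\x82 constructed sample, not a real PKCS#12"
    for label, pw in (("no-password", None), ("with-password", "constructed-pw")):
        data = build_profile(sample_p12, password=pw, name=label)
        print(label, describe(data))
```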
