April 4, 2018

swift-nio SSL Certificate Generation

Apple has released a new project for non-blocking I/O, appropriately named swift-nio.

It also released some SSL helpers for the project that allow you to create servers with encrypted communication channels.

swift-nio is quite new and Apple appears to be doing quite a bit of work on it. That means that documentation is pretty sparse for some things at the moment.

One of those things is how to generate an SSL certificate for use with swift-nio.

Below you will find instructions on how to do so.

macOS instructions

Below are instructions for using native macOS tools for certificate generation.

  1. Open Keychain Access

    (Screenshot: Keychain Access window)

  2. Under the Keychain Access menu bar

    Select Certificate Assistant and then Create a Certificate Authority...

    (Screenshot: Keychain Access menu)

  3. Fill out the form.

    You can set the name to whatever you want. Change User Certificate to SSL Server.

    (Screenshot: Keychain Access creation form)

    Now press Create.

  4. Press Show Certificate Authority

    (Screenshot: creation aftermath)

  5. A Finder window will open

    The file with the .pem extension is your certificate.

    (Screenshot: Finder window)

  6. Go back to “Keychain Access”

    Search for what you named the CA in step #3.

    (Screenshot: Keychain Access certificate search)

  7. Export the private key

    Right click on the private key and choose Export.

    (Screenshot: exporting the certificate)

  8. Save the file

    Ensure the file is saved in p12 format.

    (Screenshot: saving the private key)

  9. Open Terminal

    Run the following command, replacing the key name and output name where appropriate:

      openssl pkcs12 -in INSERT_KEY_NAME_HERE.p12 -out INSERT_WHAT_YOU_WANT_HERE.pem -nodes -clcerts

    (Screenshot: converting to pem)

  10. Enjoy encrypted channel comms

    You can now take the certificate and private key and use them with your swift-nio server.
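As an added example (not code from the original post, and not swift-nio's own), here is how the certificate from step 5 and the converted key from step 9 plug into a swift-nio server. It assumes the swift-nio-ssl 1.x API as it existed when this was written (module NIOOpenSSL, SSLContext, OpenSSLServerHandler, NIO 1.x handler signatures); the file paths and port are placeholders, and the TLS 1.2 floor is this example's choice rather than the library default. Because step 9 used -nodes, the key .pem is stored unencrypted, so it should be readable only by the account the server runs as.

```swift
import NIO
import NIOOpenSSL   // swift-nio-ssl 1.x module name (assumed for this example)

// Placeholders: the certificate .pem from step 5 and the converted key .pem from step 9.
let certificatePath = "/path/to/YOUR_CA.pem"
let privateKeyPath  = "/path/to/YOUR_KEY.pem"

/// Minimal application handler: echoes decrypted bytes back over the encrypted channel.
final class EchoHandler: ChannelInboundHandler {
    typealias InboundIn = ByteBuffer
    typealias OutboundOut = ByteBuffer

    func channelRead(ctx: ChannelHandlerContext, data: NIOAny) {
        ctx.write(data, promise: nil)
    }

    func channelReadComplete(ctx: ChannelHandlerContext) {
        ctx.flush()
    }
}

// Server-side TLS settings: present our certificate and sign the handshake with the
// private key. forServer does not request a client certificate by default.
let serverTLS = TLSConfiguration.forServer(certificateChain: [.file(certificatePath)],
                                           privateKey: .file(privateKeyPath),
                                           minimumTLSVersion: .tlsv12)

// The PEM files are parsed once here; a wrong path or a key that does not match the
// certificate surfaces as a thrown error at startup rather than on every connection.
let sslContext = try SSLContext(configuration: serverTLS)

let group = MultiThreadedEventLoopGroup(numThreads: System.coreCount)
defer { try? group.syncShutdownGracefully() }

let bootstrap = ServerBootstrap(group: group)
    .serverChannelOption(ChannelOptions.socket(SocketOptionLevel(SOL_SOCKET), SO_REUSEADDR), value: 1)
    .childChannelInitializer { channel in
        // The TLS handler goes first so every handler after it only ever sees plaintext.
        return channel.pipeline.add(handler: OpenSSLServerHandler(context: sslContext)).then {
            channel.pipeline.add(handler: EchoHandler())
        }
    }

let channel = try bootstrap.bind(host: "127.0.0.1", port: 8888).wait()
print("TLS server listening on \(channel.localAddress!)")
try channel.closeFuture.wait()
```

Binding to 127.0.0.1 keeps the test server off the network while you check the handshake; swap in the real interface once the certificate and key are confirmed to load.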

Configuring the swift-nio client

While the above will produce a certificate/key you can use with your servers, you may notice that an SSL "can't verify" error is generated when a client tries to connect.

This is because the default TLSConfiguration settings enforce certificate (CA) verification.

Since the cert you have is self-signed, you have two options:

  1. Add the CA to your trusted roots

  2. Tell the client not to verify the cert.

I won’t go into the details of Option #1, as that can cause all sorts of new problems for folks reading this.

So instead, here is a snippet you can use to make your client work:

import NIOOpenSSL   // swift-nio-ssl 1.x module; provides TLSConfiguration and defaultCipherSuites

// Client-side TLS settings. certificateVerification: .none means the peer's
// certificate is accepted without any chain or hostname check.
let configuration = TLSConfiguration.forClient(cipherSuites: defaultCipherSuites,
                                     minimumTLSVersion: .tlsv1,
                                     maximumTLSVersion: nil,
                                     certificateVerification: CertificateVerification.none,
                                     trustRoots: .default,
                                     certificateChain: [],
                                     privateKey: nil,
                                     applicationProtocols: [])

The key part is the certificateVerification argument in the initializer.

It is set to .none to bypass verification.
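As an added example (not from the original post or from swift-nio), here are the two options from above side by side in a client: the post's verification-disabled configuration, and Option #1 done the narrow way, where verification stays on but the only trusted root is the CA .pem you created in step 5. With `.none` a client accepts whatever certificate the peer presents, so anything sitting between client and server can terminate the TLS session; with the pinned trust root, a certificate that does not chain to your CA (or whose name does not match `serverHostname`) fails the handshake instead. It assumes the swift-nio-ssl 1.x API (module NIOOpenSSL, SSLContext, OpenSSLClientHandler, the `.file` trust-roots case, NIO 1.x future names); host, port and the CA path are placeholders.

```swift
import NIO
import NIOOpenSSL   // swift-nio-ssl 1.x module name (assumed for this example)

/// Two ways to build the client TLS settings for a server using the self-signed cert.
enum ClientTLS {
    /// The post's approach: skip certificate checks entirely. Any certificate the
    /// peer presents is accepted, so there is no protection against an interposed host.
    static func unverified() -> TLSConfiguration {
        return TLSConfiguration.forClient(certificateVerification: .none)
    }

    /// Option #1 from the post, scoped to this client only: verification stays enabled,
    /// but the trust store is replaced by the single CA .pem from step 5 (assumed
    /// `.file` case). The server cert must chain to it and match `serverHostname`.
    static func pinnedToOwnCA(caFile: String) -> TLSConfiguration {
        return TLSConfiguration.forClient(minimumTLSVersion: .tlsv12,
                                          certificateVerification: .fullVerification,
                                          trustRoots: .file(caFile))
    }
}

/// Opens a TLS connection with the given configuration and returns the connected channel.
func connect(host: String, port: Int, tls: TLSConfiguration, group: EventLoopGroup) throws -> Channel {
    let sslContext = try SSLContext(configuration: tls)
    let bootstrap = ClientBootstrap(group: group)
        .channelInitializer { channel in
            do {
                // serverHostname is what .fullVerification compares against the
                // certificate's subject alternative names / common name.
                let handler = try OpenSSLClientHandler(context: sslContext, serverHostname: host)
                return channel.pipeline.add(handler: handler)
            } catch {
                return channel.eventLoop.newFailedFuture(error: error)
            }
        }
    return try bootstrap.connect(host: host, port: port).wait()
}

let group = MultiThreadedEventLoopGroup(numThreads: 1)
defer { try? group.syncShutdownGracefully() }

// With the self-signed CA as the only trust root the handshake succeeds and the
// "can't verify" error goes away without turning verification off. Pointing the
// same client at a server whose cert was not issued by that CA makes connect() throw.
let channel = try connect(host: "localhost", port: 8888,
                          tls: ClientTLS.pinnedToOwnCA(caFile: "/path/to/YOUR_CA.pem"),
                          group: group)
print("connected with verified TLS to \(channel.remoteAddress!)")
try channel.close().wait()
```

Replacing `ClientTLS.pinnedToOwnCA(...)` with `ClientTLS.unverified()` reproduces the post's snippet; the `trustRoots: .file(...)` form is the one to keep once the server is reachable by anything other than your own test client.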

© krad.io 2017