After spending all day setting up Bitwarden I ran into a roadblock getting the iOS app to work with it. I get an SSL error because my cert doesn’t have the EKU value they want. I use OPNsense for my CA, and it doesn’t have the ability to generate this value on a cert as far as I can tell. I really don’t want to stand up another CA just to get this one app working. It’s the only thing I’ve found a hard block on with using my internal CA in all my years of homelabbing.

The hilarious thing is that Safari on the same device will connect to my Bitwarden website with no issue - it thinks the cert is fine. Way to go, Apple.

This is mostly just a rant against Apple, but it would be nice if Bitwarden could bypass this by allowing you to trust your own cert inside the iOS app so you’re not beholden to Apple’s stupid requirements.

  • @CarbonatedPastaSauceOP
    link
    English
    16 months ago

    Resurrecting this ancient post of mine to say that I finally figured this out. The problem was that my internal certificate on the Bitwarden server had a validity period of several years. When I read an article about the time limitations Apple imposed in iOS for certificates, it clicked that this might be the problem even though the errors I was getting were seemingly unrelated.

    Sure enough, I changed the cert to one with a 1 year expiration and the app works fine on my iPhone now.

    Just posting this in case anyone else stumbles across this post after seeing the same kind of errors. I still don’t like that Apple arbitrarily imposed this limit on my own device with my own server and my own CA, but it’s easy enough to work around.