
How to remove certificate/key from iOS device created through SCEP


As part of testing an SCEP server, I have been sending a lot of SCEP requests to my iOS device to create RSA key pairs.

During the course of the enrollment process, some of the CSRs have actually been signed by the SCEP server and returned back to the device.

However, I would like to remove the old keys / certs from the device to start fresh, as the certificate list in the device is way too long (imagine how many trial&error steps I have gone through).

Problem is, some of these certs do NOT show up under Settings/General/Profile. They ONLY show up when I go to a VPN entry and select Certificate as the authentication method.

QUESTION:

Is there way to ask an iOS device to remove the keys / certs from its KeyChain?


Solution

  • In the end, I came up with 2 options:

    1. Perform a full reset of the device from Settings / General / Reset / Erase All Content and Settings. Very destructive, but will give you a clean start. Doing a restore after that is also out of the question, since you would get the bloated keychain DB back again.
    2. If you have a jailbroken device, do some brain surgery!

    On a jailbroken device, one can use the Keychain Viewer application (version 0.4) to help the process. Here's how I did it:

    1. Install Keychain Viewer on iOS device (download .deb file locally, transfer to iOS device, and do dpkg -i keychainviewer0.4_beta.deb)
    2. Install sqlite3 on iOS device (apt-get install sqlite3)
    3. Open Keychain Viewer application on the iOS device; from the Certificates list, find the certificate you would like to delete.
    4. Note the rowid of the item.
    5. Change keychain DB file rights so that it is writable: chmod u+w /private/var/Keychains/keychain-2.db
    6. Start sqlite3 command line client on iOS device: sqlite3 /private/var/Keychains/keychain-2.db

    WARNING: BELOW LINES ARE DESTRUCTIVE!

    BACKUP YOUR ENTIRE Keychains DIRECTORY. BETTER YET, TAKE A BACKUP OF YOUR ENTIRE DEVICE IN CASE THINGS GO WRONG.

    PROCEED AT YOUR OWN PERIL!

    1. DELETE FROM keys WHERE labl IN (SELECT DISTINCT(labl) FROM cert WHERE rowid=_row_id_you_want_);
    2. DELETE FROM cert WHERE rowid=_row_id_you_want_;

    Another version of this is based on the Issuer of the certificate that you want to delete. In that case, you would do the following:

    1. From Keychain Viewer, again, find the rowid of the certificate you would like to delete.
    2. Following commands all in sqlite3:
    3. SELECT quote(issr) FROM cert WHERE rowid=_row_id_you_want_;
    4. This will give you something that looks like this: X'F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0' This is the hex notation of the issuer name's binary blob as stored in the Keychain DB (I think this is the encrypted form).
    5. DELETE FROM keys WHERE labl in (SELECT DISTINCT(labl) FROM cert WHERE issr=X'F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0');
    6. DELETE FROM cert WHERE issr=X'F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0';
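Both procedures above boil down to the same cascade: delete the `keys` rows whose `labl` matches the target certificate(s), then delete the `cert` rows themselves. The script below is an added example, not the poster's code, and it runs the two variants against a throwaway SQLite file rather than a real device. The only schema it relies on is what the answer references (tables `cert` and `keys`, columns `labl` and `issr`, SQLite's implicit `rowid`); the extra `data` column, the issuer bytes and the labels are constructed stand-ins, not the real keychain-2.db layout. It also does what the answer's warning asks for, copying the DB before touching it, and wraps each deletion in a transaction so a failure mid-way leaves nothing half-deleted.

```python
"""Added example: rehearse the keychain-2.db clean-up from the answer on a constructed
SQLite database.  The schema below is a stand-in that only mirrors the column names the
answer uses (cert.labl, cert.issr, keys.labl); it is NOT the real iOS keychain schema."""
import shutil
import sqlite3
import tempfile
from pathlib import Path


def build_sample_db(path):
    """Create the constructed stand-in: three certs from two issuers, one key row per cert."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE cert (labl BLOB, issr BLOB, data BLOB);
        CREATE TABLE keys (labl BLOB, data BLOB);
    """)
    issuer_a = bytes.fromhex("F0" * 20)  # constructed; same shape as the answer's X'F0F0...' literal
    issuer_b = bytes.fromhex("0A" * 20)  # constructed second issuer that must survive the clean-up
    for labl, issr in [(b"scep-trial-1", issuer_a),
                       (b"scep-trial-2", issuer_a),
                       (b"vpn-prod", issuer_b)]:
        con.execute("INSERT INTO cert VALUES (?, ?, ?)", (labl, issr, b"der-placeholder"))
        con.execute("INSERT INTO keys VALUES (?, ?)", (labl, b"key-placeholder"))
    con.commit()
    con.close()


def backup_db(path):
    """The answer's precondition: keep a copy of the DB before any DELETE runs."""
    backup = Path(str(path) + ".bak")
    shutil.copy2(path, backup)
    return backup


def table_counts(path):
    """Row counts per table, used to verify what each procedure removed."""
    con = sqlite3.connect(path)
    try:
        return {t: con.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0] for t in ("cert", "keys")}
    finally:
        con.close()


def issuer_literal(path, rowid):
    """Step 3 of the issuer-based variant: SELECT quote(issr) gives the X'...' blob literal."""
    con = sqlite3.connect(path)
    try:
        return con.execute("SELECT quote(issr) FROM cert WHERE rowid=?", (rowid,)).fetchone()[0]
    finally:
        con.close()


def delete_cert_by_rowid(path, rowid):
    """Procedure 1: keys sharing the cert's label first, then the cert row, in one transaction."""
    con = sqlite3.connect(path)
    try:
        with con:  # commits on success, rolls back on any exception
            keys = con.execute(
                "DELETE FROM keys WHERE labl IN (SELECT DISTINCT(labl) FROM cert WHERE rowid=?)",
                (rowid,)).rowcount
            certs = con.execute("DELETE FROM cert WHERE rowid=?", (rowid,)).rowcount
    finally:
        con.close()
    return {"keys": keys, "certs": certs}


def delete_certs_by_issuer(path, issuer_hex):
    """Procedure 2: the same cascade keyed on the raw issuer blob, removing every cert from that issuer."""
    issr = bytes.fromhex(issuer_hex)  # bind the bytes instead of pasting an X'...' literal into SQL
    con = sqlite3.connect(path)
    try:
        with con:
            keys = con.execute(
                "DELETE FROM keys WHERE labl IN (SELECT DISTINCT(labl) FROM cert WHERE issr=?)",
                (issr,)).rowcount
            certs = con.execute("DELETE FROM cert WHERE issr=?", (issr,)).rowcount
    finally:
        con.close()
    return {"keys": keys, "certs": certs}


def run_demo():
    """Build the stand-in DB in a temp dir, back it up, run both variants and return the counts."""
    with tempfile.TemporaryDirectory() as tmp:
        db = Path(tmp) / "keychain-2.db"
        build_sample_db(db)
        backup_db(db)
        before = table_counts(db)
        literal = issuer_literal(db, 2)                 # X'F0F0...F0' for scep-trial-2
        first = delete_cert_by_rowid(db, 1)             # drops scep-trial-1 and its key
        second = delete_certs_by_issuer(db, "F0" * 20)  # drops what is left from issuer A
        after = table_counts(db)                        # only vpn-prod should remain
        return {"before": before, "literal": literal, "first": first, "second": second, "after": after}


if __name__ == "__main__":
    print(run_demo())
```

The issuer-based variant is the one worth reaching for after a long SCEP test run: every trial certificate chains to the same test CA, so one issuer blob removes them all while certificates from other issuers (the VPN one in the sample) stay intact. Binding the blob as a parameter rather than splicing the `X'...'` text into the statement avoids the kind of quoting slip that the answer's last line originally had.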