I added production certificates to my app and it works well. But now I would like to validate the identity before making any API call. I want to be able to validate the server before making a POST with username and password. That way I can prevent the user beforehand.
Is there any way of doing that or should I just request the server to create a public method for this purpose only?
I think the question you're asking is: "Does AFNetworking have any automatic detection and validation code built into it?", and the answer is "As far as I know, no." That leaves you looking at manual options, as you pointed out in your question.
Some options that come to mind:
If your server and server-side application support it, you could make a HEAD or OPTIONS HTTPS request to validate the server's secure connection before posting data to it. Be aware that it will increase network traffic, so on slow network connections it may add a perceptible delay to the user experience. You can mitigate this by caching the result, and performing the network check in the background from time to time. The bandwidth required by those request/response conversations is quite small, as they typically send only HTTP headers, not a payload.
The tricky part here is "If your server and server-side application support it". Both methods should be supported by modern server platforms, but the application endpoint must be configured to respond appropriately to those methods. (That is, a server application may be configured to respond only to POST requests, and reject everything else.)
The only way to know for sure is to try, but make sure you coordinate the usage of this method to ensure your server team knows it's a required use case for you. Otherwise, you run the risk of using an undocumented method that someone will close in the future because they didn't know anyone was using it.
Failing that, you could of course do just what you suggested--ask the server application to create a public ping endpoint that responds to HTTP GET requests with a small (or no) payload and an agreed-on HTTP response for success (200 OK is common). This is often used for health checks, and has the additional benefit of letting you alert the user that the server is reporting health issues (irrespective of the validity of the secure connection) prior to making a request.
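The HEAD preflight with a cached result described in the answer above, as an added example that is not part of the original answer or of AFNetworking. It uses plain NSURLSession; the class name ServerPreflight, the TTL parameter and the 10-second timeout are assumptions.

```objectivec
#import <Foundation/Foundation.h>

// Hypothetical helper (not an AFNetworking API): HEAD preflight with a cached result.
@interface ServerPreflight : NSObject
- (instancetype)initWithURL:(NSURL *)url session:(NSURLSession *)session ttl:(NSTimeInterval)ttl;
// ok == YES: TLS handshake succeeded and the endpoint answered 2xx.
// ok == NO, error == nil: TLS was fine but the endpoint rejected HEAD (e.g. 405).
// ok == NO, error != nil: transport failure, including a failed trust evaluation.
- (void)checkWithCompletion:(void (^)(BOOL ok, NSError *error))completion;
@end

@implementation ServerPreflight {
    NSURL *_url;
    NSURLSession *_session;
    NSTimeInterval _ttl;
    NSDate *_lastSuccess;   // time of the last successful check
}

- (instancetype)initWithURL:(NSURL *)url session:(NSURLSession *)session ttl:(NSTimeInterval)ttl {
    if ((self = [super init])) { _url = url; _session = session; _ttl = ttl; }
    return self;
}

- (void)checkWithCompletion:(void (^)(BOOL, NSError *))completion {
    // Serve from the cache while the last success is still fresh.
    @synchronized (self) {
        if (_lastSuccess && [[NSDate date] timeIntervalSinceDate:_lastSuccess] < _ttl) {
            completion(YES, nil);
            return;
        }
    }
    NSMutableURLRequest *req = [NSMutableURLRequest requestWithURL:_url];
    req.HTTPMethod = @"HEAD";                                   // headers only, no payload
    req.cachePolicy = NSURLRequestReloadIgnoringLocalCacheData; // force a real round trip
    req.timeoutInterval = 10;                                   // assumed value
    [[_session dataTaskWithRequest:req
                 completionHandler:^(NSData *data, NSURLResponse *resp, NSError *err) {
        NSInteger status = [resp isKindOfClass:[NSHTTPURLResponse class]]
            ? [(NSHTTPURLResponse *)resp statusCode] : 0;
        BOOL ok = (err == nil && status >= 200 && status < 300);
        if (ok) { @synchronized (self) { self->_lastSuccess = [NSDate date]; } }
        completion(ok, err);   // called on the session's delegate queue
    }] resume];
}
@end
```

A cached success only describes an earlier connection: the connection that carries the POST is validated again during its own TLS handshake, before any request data is sent, under whatever trust policy that session applies.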