After reading through the AFNetworking code & and checking the change logs, here's what I had to do to get this working.
Create your AFSecurityPolicy object with AFSSLPinningModeCertificate:
AFSecurityPolicy* policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate];
By default, AFNetworking will validate the domain name of the certificate. Our certificates are generated on a per-server basis, and not all of them will have a domain name, so we need to disable that:
[policy setValidatesDomainName:NO];
Since the certificates are self-signed, they are technically 'invalid', so we need to allow that as well:
[policy setAllowInvalidCertificates:YES];
Lastly, AFNetworking will attempt to validate the certificate all the way up the certificate chain, which to me seems like it would only go up the chain to OUR CA, but for whatever reason it doesn't, so we have to disable that too:
[policy setValidatesCertificateChain:NO];
And that's it! Set the security policy in your request manager like you're already doing and it should work fine.
So, recap, all you really need to change in the code you posted is this:
A) As David Caunt mentioned, change your pinning mode from AFSSLPinningModeNone
to AFSSLPinningModeCertificate
and
B) Add the line to disable validating the domain name: [policy setValidatesDomainName:NO]
Another note, AFNetworking now automatically checks your bundle for .cer files, so if you were to rename your certificate to have a .cer extension, you can eliminate the code to get the certificate data out of the bundle and set the pinned certificates.