Cannot install and trust personal root certificate authority

Discussion in 'iOS 11' started by AlecEdworthy, Sep 17, 2017.

  1. AlecEdworthy macrumors 6502

    Joined:
    May 1, 2007
    Location:
    Leicestershire, UK
    #1
    Hello,

    I have my own SHA256 certificate which I use for signing the certificates which are used on my own servers (HTTPS and SMTPS). Under iOS 10 and earlier I installed the certificate by downloading it and installing it like you would a normal mobile configuration profile, and it appeared under Settings, General, Profiles. Under the iOS 11 GM the certificate downloads and installs in the same manner as before, but with the additional security of iOS 11 (and newly installed certificates under iOS 10.3.3 IIRC) you need to switch on the trust of newly installed root CAs in Settings, General, About, Certificate Trust Settings. However, my own root CA is not appearing in the list there. Others which were installed as part of managed wifi profiles are in that list but not my own one. My best guess is that because my certificate is "untrusted" it doesn't appear, but as the certificates for the managed wifi profiles were introduced as part of a properly signed mobileconfig profile they do appear. Seems a little chicken and egg to me. Has anyone else tried installing their own root CAs? If so, did you get it working?

    Yes, I know I *could* get a certificate signed by Let's Encrypt or similar but I'd like to get my own CA working again.

    Thanks, Alec
     
  2. Dave-Z macrumors 6502a

    Joined:
    Jun 26, 2012
    #2
    I run my own CA for internal purposes as well. After installing the CA's public certificate I enable it in About as you detail. If yours is not showing up, perhaps it's missing a specific attribute that Apple is looking for? I know this is frustrating and challenging because the amount of information Apple provides about this type of stuff is next to nothing.

    For what it's worth, I have been using the EasyRSA tool (from the OpenVPN guys) for my certificate management and have not really had any issues. I do not install the certificate directly however; I installed it within its own mobile configuration profile (pretty much just the root CA in that particular profile).

    I know this isn't much help, but I at least wanted to let you know that private CAs do still work in iOS 11 (in truth, they'd have to because corporations use this kind of thing as a routine part of their security management).
     
  3. AlecEdworthy, Sep 17, 2017
    Last edited: Sep 17, 2017

    AlecEdworthy thread starter macrumors 6502

    Joined:
    May 1, 2007
    Location:
    Leicestershire, UK
    #3
    Found the issue, my CA is missing a CN field. Not essential for signing other certificates (I've been using the CA for two and a half years) but clearly enough to stop iOS from recognising the certificate as a valid CA. Time to make myself a new CA and then re-sign my child certificates with it :mad:

    Thanks Dave-Z :)

    [Edit reason: Mangled two replies into one]
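
The missing-CN cause reported in post #3 can be checked before a root CA is copied to a device. This is an added example, not code from anyone in the thread: it assumes the `openssl` CLI is installed, the function names, subjects and temporary files are constructed for illustration, and the `CA:TRUE` check is a general CA sanity check rather than something the thread reports.

```sh
#!/bin/sh
# Added example: pre-flight check of a private root CA certificate.

# make_test_ca <outdir> <name> <subject>
# Creates a constructed, short-lived self-signed CA for the demo below.
make_test_ca() {
    printf '[req]\ndistinguished_name=dn\n[dn]\n[v3]\nbasicConstraints=critical,CA:TRUE\n' \
        > "$1/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$1/ca.cnf" -extensions v3 -subj "$3" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# check_root_ca <cert.pem>
# Returns 0 if the subject carries a CN and the certificate is marked as a CA.
check_root_ca() {
    pem=$1
    rc=0
    # "-nameopt multiline" prints one subject attribute per line,
    # for example "    commonName                = Example Root CA".
    if ! openssl x509 -in "$pem" -noout -subject -nameopt multiline \
            | grep -q '^ *commonName *='; then
        echo "FAIL: subject has no CN (the cause found in post #3)"
        rc=1
    fi
    if ! openssl x509 -in "$pem" -noout -text | grep -q 'CA:TRUE'; then
        echo "FAIL: basicConstraints does not say CA:TRUE"
        rc=1
    fi
    return $rc
}

# Demo on two constructed CAs: one without a CN, one with.
tmp=$(mktemp -d)
make_test_ca "$tmp" no_cn   "/O=Example Home Lab"
make_test_ca "$tmp" with_cn "/O=Example Home Lab/CN=Example Home Lab Root CA"
for ca in no_cn with_cn; do
    echo "== $ca.pem"
    if check_root_ca "$tmp/$ca.pem"; then
        echo "OK: CN present and CA:TRUE set"
    fi
done
rm -rf "$tmp"
```

Run `check_root_ca` against an existing CA file to see whether it has the same gap before deciding to reissue it.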
     
  4. Dave-Z macrumors 6502a

    Joined:
    Jun 26, 2012
  5. littleredwagen macrumors member

    Joined:
    Aug 20, 2010
    #5
    I had a lot of trouble with a self-signed certificate as well. I wound up using Apple Configurator to force install it, but it was a pure PITA
     
