
Question: iOS 13 Self Signed SSL certificate updates in Mail

As everybody should know by now, the Mail app in iOS 13 will no longer support legacy SSL certificates using SHA1. Therefore old time admins like me were awoken from our deep slumber to regenerate SSL certificates on legacy systems - like those running OS X Server 10.5. Yes, "5"; not "15".


I have generated new SHA256 certs with a 2048-bit RSA key and a life of 825 days. I'm not sure if the ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID is implemented correctly, but the OID shows up when I read the certificate.


I'm having problems with iPhones updated to iOS 13.0 not being able to accept the newly generated certificates. The Mail app tells me, "Cannot Verify Server Identity" and gives me the choice of Cancel, Details, or Continue. In iOS 12.x, I could tap "Details" and a detail screen would appear with a "Trust" link in the top right corner. Alas, tapping "Details" has no effect. It will not open a detail screen.


I'm wondering if this is an issue with iOS 13 or if I'm missing something on the server side. What kind of request is iOS Mail sending the server to verify the SSL certificate and how does the server need to reply?

Answer (marked as Solved):

I can now confirm that self signed certificates can be manipulated to include Key Usage ( 2.5.29.15 ), Extended Key Usage ( 2.5.29.37 ), and Subject Alternative Name ( 2.5.29.17 ) and iOS 12~13 and OS X 10.12~10.14 will accept it. The only hiccup will be your iOS device. It must forget ALL CERTIFICATES WITH THE OLD DATA. That is, if you have an SSL connection to www.example.com for imap, smtp, pop, calendars, contacts, notes; all of those services must forget the old certificate to www.example.com. You may end up deleting every account on your iPhone that connects to example.com and start over. This was a big hassle for my admins' iPhones with dozens of e-mail and CalDAV accounts. I was going crazy looking for the last service that still connected using the old SSL cert. It was an SMTP setting under a virtual domain mail.foobar.com -> mail.example.com that I no longer used.


Good luck!


Oct 2, 2019 9:04 AM in response to Celia Wessen

I've noticed the same problem with a self-signed certificate on a Kerio Connect mail server. It appeared with iOS 13.

I've found a workaround by erasing the mail account on the phones and creating new accounts without using SSL (the phone suggested that). Only shutting SSL off did not work. It is of course no good (safe) solution, so I'm looking forward to the next iOS (using 13.1.2 now...)


Oct 2, 2019 9:12 AM in response to MultiMats

Yes, that will be a temporary workaround for non-sensitive e-mails not requiring SSL/TLS.


No, updates to iOS will not solve this issue. The server must be updated to issue and answer SHA2 requests. Users on legacy servers that cannot be upgraded any further from SHA1-era OpenSSL (like older OS X Server) must be migrated to a new server.


Please take a look at this link: https://support.apple.com/en-us/HT210176


Oct 2, 2019 9:49 AM in response to MultiMats

Even with an updated certificate you'll need to delete the account off of your device, restart, then re-enter your account information. You'll be presented with the familiar "Continue / Details / Cancel" dialog box. The "Details" button still does nothing, but hitting "Continue" will let you proceed with SSL active.


That advice was given in another one of these mail certificate threads. After a restart the old cert seems to be cleared out.


Oct 2, 2019 12:30 PM in response to da dok

You don't need to fully delete the account off the device in case you have a 100GB mail store that you don't want to take 12 hours to restore:


  1. Open Settings > Passwords & Accounts > account_name > account > Advanced
  2. Turn OFF Use SSL
  3. Tap Account on the top left of the screen to go back one window
  4. Tap Done on the top right of the screen to save the settings
    1. This will have cleared the stored certificate info in the cache
  5. Tap Advanced
  6. Turn ON Use SSL
  7. Tap Account on the top left of the screen to go back one window
  8. Tap Done on the top right of the screen to save the settings
  9. Exit Settings


Now, when you check your Mail.app, it will warn "Cannot verify..." with a cleared cache. Still, the Details button does nothing - tap Continue.


Hopefully, updates to iOS will let users manage SSL/TLS certs better; maybe something like OS X's Keychain Access for iOS.


Oct 6, 2019 12:53 AM in response to Celia Wessen

Use of self-signed certificates on iPad 13.1.2 is broken.

I used the same certificate on an iPhone (iOS 13.1.2); there the account works.


  1. Download your certificate; I use my web server to distribute the cert (*.crt works fine)
  2. Import the certificate to Profiles; look at Settings/Profiles and enable the profile there
  3. Then go to Settings/Info/Certificate-Trust (bottom of page) to enable trust of the certificate
  4. Enable certificate trust
  5. Make a new mail account; choose manual if asked
  6. Make all settings, save the settings (never look for details, there aren't any)
  • on iPhone: green marks appearing
  • on iPad: failure (same OS version)


Result: Account works on iPhone, not on iPad


Sometimes it is not a question of the certificate (only a bug in iOS).


:-)


In Safari, both devices are working (the website with the self-signed cert shows no warning).




Oct 9, 2019 6:58 AM in response to Celia Wessen

Disclaimer: I am NOT an openssl, TLS, SSL, or security expert of any kind. I cobbled the recipe below together yesterday, and it is working for my needs. It may not be secure, use at your own risk, flames about my ignorance cheerfully ignored.


Thanks to Celia, I got it done using openssl. Here's what I did:


  1. Made a simple config text file using an example from another post and hints from here (fill in your details between the <brackets> to customize for your use):


csr_details.txt

[req]
prompt=no
distinguished_name=dn
# req_extensions only applies to a CSR; with "openssl req -x509" the
# self-signed certificate takes its extensions from x509_extensions,
# so both names point at the same section (x509_extensions added here)
req_extensions=req_ext
x509_extensions=req_ext

[dn]
C=<your country code, e.g. US>
ST=<your state or region name>
L=<your city or town>
O=<your organization name>
OU=<any sub name like a division of your organization>
emailAddress=postmaster@<your domain>
CN=<server name you will point your email clients at>

[req_ext]
subjectAltName=@alt_names
# iOS 13 also requires the serverAuth extended key usage (added here)
extendedKeyUsage=serverAuth

[alt_names]
DNS.1=<server name you will point your email clients at>


Used this openssl command to generate cert and keyfile - I use dovecot as my IMAP server, hence the names - you can pick your own names:


openssl req -newkey rsa:2048 -sha256 -x509 -new -days 824 -nodes -out certs-dovecot.pem -keyout key-dovecot.pem -config <( cat csr_details.txt )


I copied the two files to my Linux server, then as root I stopped dovecot with /etc/init.d/dovecot stop, mv'd certs-dovecot.pem to /usr/share/ssl/certs/dovecot.pem (change this path for your IMAP server particulars), mv'd key-dovecot.pem to /usr/share/ssl/private/dovecot.pem (again, change path as required), made sure both files were owned by root and chmod'd to 400 to be read only by root. Then I restarted dovecot with /etc/init.d/dovecot start.


Next, on my Mac, I used Keychain Access to import certs-dovecot.pem. I right clicked on it and selected Get Info. I then opened the Trust menu in the window that popped up and selected the top Always Trust option. That got it working on my Mac.


I then attached certs-dovecot.pem to an email on another, working, Gmail account and mailed it to myself. I followed Celia's instructions above, with ONE change - I had to power cycle my iPhone after Step 4, then continued at 5, in order to get the all-important Continue option.


HTH, YMMV


Dec 3, 2019 4:31 PM in response to Celia Wessen

I can confirm that it IS possible to get a self-signed certificate working well with iOS 13.2.3 Mail, Calendars (when using CalDAV) and Contacts (when using CardDAV).


It took me a lot of trial and error. The two parts to the task are 1) getting the new certificate right and 2) using the right way to get the certificate accepted by the iOS device.


I've described the detailed steps I used here: https://7402.org/blog/2019/new-self-signed-ssl-cert-ios-13.html. There are likely to be variations, depending on your server.


To get the certificate accepted, I found the convenient way for me was to email the .crt file to the iOS device, and then double-click the attached file in the email message. Then go to Settings, and proceed to the category for "Downloaded Profile" (which magically appears near the top) and install and trust it. Then, very important, you must also go to Settings App > General > About > Certificate Trust Settings and enable the certificate, as described in Trust manually installed certificate profiles in iOS and iPadOS - Apple Support.


If you see the dreaded Cancel / Details / Continue dialog at any point, it means the certificate was not installed correctly. Also, I found none of the buttons in that dialog useful for permanently accepting the cert.


To generate the certificate, I used the openssl command line utility on my Linux (CentOS 7) server; the steps are probably different for someone using an OS X server so I won't summarize the ones I used here. However, the best tip I can give is to use this openssl command afterwards to check the certificate:


openssl x509 -text -in example.crt -noout


You should see lines like this to verify that at least these two of the new requirements (Requirements for trusted certificates in iOS 13 and macOS 10.15 - Apple Support) have been met:


        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:example.com
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication

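As an added example (not code from any poster in this thread), the script below automates the recipe from the Oct 9 post and the check from the Dec 3 post: it generates a self-signed certificate carrying the SAN and serverAuth EKU that iOS 13 requires, then inspects the `openssl x509 -text` output for each requirement and names the first one that is missing. Only the openssl CLI is assumed; host names and output paths are placeholders.

```shell
#!/bin/sh
# Added example, not from any post in this thread. Generates a self-signed
# certificate meeting the iOS 13 requirements discussed above (SHA-256, RSA
# 2048, SAN matching the host, EKU serverAuth, at most 825 days) and checks
# those properties in the "openssl x509 -text" dump. Assumes only openssl.

MAX_DAYS=825

# make_cert HOST OUTDIR [DAYS]: writes OUTDIR/HOST.key and OUTDIR/HOST.crt
make_cert() {
  host=$1; outdir=$2; days=${3:-$MAX_DAYS}
  mkdir -p "$outdir"
  cat > "$outdir/$host.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
# -x509 reads x509_extensions; req_extensions only applies to a CSR
x509_extensions = v3_ext
req_extensions = v3_ext
[dn]
CN = $host
[v3_ext]
subjectAltName = DNS:$host
extendedKeyUsage = serverAuth
keyUsage = digitalSignature, keyEncipherment
EOF
  openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days "$days" \
    -config "$outdir/$host.cnf" \
    -keyout "$outdir/$host.key" -out "$outdir/$host.crt" 2>/dev/null
}

# check_cert CERT HOST: returns 0 if every requirement is met, else prints the first failing one
check_cert() {
  cert=$1; host=$2
  text=$(openssl x509 -in "$cert" -noout -text) || return 1
  echo "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' \
    || { echo "signature is not SHA-256"; return 1; }
  echo "$text" | grep -Eq 'Public-Key: \((2048|3072|4096) bit\)' \
    || { echo "RSA key shorter than 2048 bits"; return 1; }
  echo "$text" | grep -qF "DNS:$host" \
    || { echo "no subjectAltName entry for $host"; return 1; }
  echo "$text" | grep -q 'TLS Web Server Authentication' \
    || { echo "no extendedKeyUsage serverAuth"; return 1; }
  # -checkend exits 0 when the cert is still valid after the offset, so a cert issued now with <= 825 days must fail it
  if openssl x509 -in "$cert" -noout -checkend $((MAX_DAYS * 86400 + 1)) >/dev/null; then
    echo "validity exceeds $MAX_DAYS days"; return 1
  fi
}
```

Run `make_cert mail.example.test /tmp/certs` followed by `check_cert /tmp/certs/mail.example.test.crt mail.example.test`; a silent exit status 0 means the certificate passes all five checks.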