iOS 13 certificate chain and certificate requirements
Dear All,
The topic (short description):
I am running my own CA including root-ca and issuing-ca powered by OpenXPKI (https://www.openxpki.org/).
This CA provides certificates to multiple web servers, and all my clients (Windows, Linux & Android)
have the root-ca and issuing-ca certificate installed in a working setup, except for my iPhone 8.
Detailed description:
I now tried to install the same certificates to my iOS 13.3 powered iPhone 8 doing the following steps:
1. transfer root-ca and issuing-ca certificate to the device
2. select the root-ca certificate on "files" app -> "Profile Downloaded" popup appears
3. select the issuing-ca certificate on "files" app -> "Profile Downloaded" popup appears
4. navigate to settings -> general -> profiles & device management
5. Both certificate profiles are listed within "Downloaded profile"
6. select root-ca -> install -> enter pass code -> select install -> select Done; profile is now listed within "Configuration Profiles"
7. select issuing-ca -> install -> enter pass code -> select install -> select Done; profile is now listed within "Configuration Profiles"
8. navigate to settings -> general -> about -> certificate trust settings
9. select the root-ca certificate and enable it for full trust (issuing-ca certificate is not available there)
If I now try to browse one of my web pages using the Safari app, Safari keeps loading / reloading all the time without any content (about the first 10% of the blue load bar is shown, then it resets; the "aA" sign on the left and the reload arrow on the right of the search/address bar flicker).
As soon as I:
1. navigate to settings -> general -> about -> certificate trust settings
2. select the root-ca certificate and disable it for full trust
The web page loads correctly again, but with error of untrusted page.
Different browser apps (tested with Chrome, Firefox and Brave) always display the "untrusted page" error, independently of whether "full trust" is enabled or not.
Based on https://support.apple.com/en-us/HT210176 I have already validated the (from my point of view correct) settings of my certificates which are as follows:
root-ca certificate:
RSA key size: 4096 bit
Hash algorithm: sha256WithRSAEncryption
no Subject Alternative Name
no Extended Key Usage for TLS Web Server Authentication
validity period: 3655 days
issuing-ca certificate:
RSA key size: 4096 bit
Hash algorithm: sha256WithRSAEncryption
no Subject Alternative Name
no Extended Key Usage for TLS Web Server Authentication
validity period: 1828 days
web server certificate:
RSA key size: 2048 bit
Hash algorithm: sha256WithRSAEncryption
SAN: server FQDN, server IP, server netbios name, server public FQDN
Extended Key Usage for TLS Web Server Authentication
validity period: 183 days
I furthermore checked the web server URL using:
"TLS Inspector" app which shows me "Untrusted Chain"
"SSLDetective+" app which shows me "Certificate Chain Trusted"
I of course tried to reboot the iPhone, too (which I think is more of a Windows troubleshooting task :))
As a last information:
The device is company managed via MobileIron.
This means there are two other root-ca certificates which are "full trust" enabled,
and one additional profile within "profiles & device management" listed under "Mobile Device Management". These configurations are not editable by myself.
My questions:
Does anyone know how I can see where iOS sees the certificate chain as broken?
Did I do anything wrong in the way I installed the root-ca and issuing-ca?
Maybe some further ideas on troubleshooting?
Thank you for any input & help
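The two checks the post describes (is the chain root -> issuing-ca -> server intact, and does the server certificate meet the HT210176 rules), as an added example that is not part of the original post and not OpenXPKI's own tooling. It builds a throwaway three-tier PKI with the key sizes, hash and lifetimes listed above (the CA names, the hostname www.example.test and the IP 192.0.2.10 are constructed, and everything lands in a temporary directory), verifies the leaf once with the issuing certificate supplied next to it and once with only the root available, and checks the leaf against the attributes the post lists plus the 825-day maximum lifetime from the same Apple page. A second, deliberately non-compliant leaf (no SAN, 900 days) shows what a failing check reports.

```shell
#!/bin/sh
# Added example, not from the original post. Needs openssl 1.1.1 or newer.
set -eu

make_demo_pki() {
  dir=$1
  mkdir -p "$dir"
  # Extension profiles for the CAs, a compliant leaf and a non-compliant leaf
  cat > "$dir/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test, IP:192.0.2.10
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[leaf_bad_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  # Root CA: 4096-bit RSA, SHA-256, 3655 days (values from the post)
  openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 3655 \
    -config "$dir/ext.cnf" -subj "/CN=Demo Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
  # Issuing CA: CSR signed by the root, 1828 days
  openssl req -new -newkey rsa:4096 -nodes -sha256 -config "$dir/ext.cnf" \
    -subj "/CN=Demo Issuing CA" -keyout "$dir/issuing.key" -out "$dir/issuing.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1828 -in "$dir/issuing.csr" \
    -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
    -extfile "$dir/ext.cnf" -extensions ca_ext -out "$dir/issuing.pem" 2>/dev/null
  # Server leaf: 2048-bit RSA, SAN + serverAuth EKU, 183 days
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/ext.cnf" \
    -subj "/CN=www.example.test" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 183 -in "$dir/server.csr" \
    -CA "$dir/issuing.pem" -CAkey "$dir/issuing.key" -CAcreateserial \
    -extfile "$dir/ext.cnf" -extensions leaf_ext -out "$dir/server.pem" 2>/dev/null
  # Same CSR, but no SAN and a 900-day lifetime: breaks two iOS 13 rules
  openssl x509 -req -sha256 -days 900 -in "$dir/server.csr" \
    -CA "$dir/issuing.pem" -CAkey "$dir/issuing.key" -CAcreateserial \
    -extfile "$dir/ext.cnf" -extensions leaf_bad_ext -out "$dir/server-bad.pem" 2>/dev/null
}

# verify_chain LEAF ROOT [INTERMEDIATE]: ROOT is the trust anchor the client
# has installed; INTERMEDIATE is what the server sends alongside the leaf.
# Prints "ok" or "untrusted".
verify_chain() {
  leaf=$1; root=$2; inter=${3:-}
  if [ -n "$inter" ]; then
    openssl verify -purpose sslserver -CAfile "$root" -untrusted "$inter" "$leaf" \
      >/dev/null 2>&1 && echo ok || echo untrusted
  else
    openssl verify -purpose sslserver -CAfile "$root" "$leaf" \
      >/dev/null 2>&1 && echo ok || echo untrusted
  fi
}

# Seconds since epoch for an openssl date string (GNU date, BSD date fallback)
epoch_of() {
  date -u -d "$1" +%s 2>/dev/null || date -u -j -f '%b %e %H:%M:%S %Y %Z' "$1" +%s
}

# leaf_meets_ios13_rules CERT: checks the HT210176 server-certificate rules
# (RSA >= 2048, SHA-2 signature, SAN present, serverAuth EKU, <= 825 days).
# Prints "pass" or "fail:" followed by one token per violated rule.
leaf_meets_ios13_rules() {
  cert=$1; fails=""
  text=$(openssl x509 -in "$cert" -noout -text)
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1)
  [ "${bits:-0}" -ge 2048 ] || fails="$fails key-${bits:-0}bit"
  printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || fails="$fails not-sha256"
  printf '%s\n' "$text" | grep -q 'Subject Alternative Name' || fails="$fails no-san"
  printf '%s\n' "$text" | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Server Authentication' \
    || fails="$fails no-serverauth-eku"
  start=$(epoch_of "$(openssl x509 -in "$cert" -noout -startdate | cut -d= -f2)")
  end=$(epoch_of "$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)")
  days=$(( (end - start) / 86400 ))
  [ "$days" -le 825 ] || fails="$fails validity-${days}d"
  if [ -z "$fails" ]; then echo pass; else echo "fail:$fails"; fi
}

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
make_demo_pki "$DEMO"
echo "chain, server sends issuing-ca: $(verify_chain "$DEMO/server.pem" "$DEMO/root.pem" "$DEMO/issuing.pem")"
echo "chain, server sends leaf only:  $(verify_chain "$DEMO/server.pem" "$DEMO/root.pem")"
echo "compliant leaf:     $(leaf_meets_ios13_rules "$DEMO/server.pem")"
echo "non-compliant leaf: $(leaf_meets_ios13_rules "$DEMO/server-bad.pem")"
```

The second verify_chain call models a client that trusts only the root-ca while the server sends just its own certificate: openssl reports the leaf as untrusted, which is the same shape of failure as the "Untrusted Chain" result above, so it is worth confirming with `openssl s_client -connect host:443 -showcerts` that the web server actually sends the issuing-ca certificate in its handshake. openssl's verifier is not Safari's trust evaluator, so "ok" here does not prove iOS will accept the chain, but "untrusted" here reliably means iOS will not.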