Self-signed certificate chain not trusted in iOS when only the TLS Server Certificate is deployed to the web server

Hi All,


We have the following x509 certificate chain for a web server running in a private network.

+- Root CA Certificate (Self-signed)
+- Application Signing Intermediate Certificate (Self-Signed)
+- TLS Intermediate CA Certificate (Self-Signed)
+- TLS Server Certificate (Self-Signed, Note: the TLS server certificate follows these requirements: Requirements for trusted certificates in iOS 13 and macOS 10.15 – Apple Support (AU))


The certificates were deployed to the test iPhone SE and iPad devices (Root and TLS Intermediate CA certificates) and to the web server (TLS Server certificate). On both devices, Safari showed that the connection is not private. When the same was tested on Windows and Android (Samsung Galaxy Tab), the connections were all secure.


When the TLS Intermediate CA and TLS server certificates are combined into one PEM file, the connection becomes secure on both the iPad and the iPhone SE. Is this the proper way? Do we need to deploy a certificate chain from after the root down to the TLS server certificate?


We didn't face this issue during our initial development; the only difference is that we didn't use a TLS Intermediate CA Certificate (our TLS server certificate was directly signed by the root CA).


Currently, we have no idea why, when just the TLS server certificate is deployed to the web server, the connection is not secure, but when a certificate chain (TLS Server + intermediate) is deployed the connection becomes secure.


Posted on May 10, 2022 3:53 PM

Question marked as Top-ranking reply

Posted on May 10, 2022 5:32 PM


The server provides the chain back to the root trusted by the client, not the client.


If you’re just getting going with SSL and related topics, Feisty Duck has some good learning materials available.

May 10, 2022 4:50 PM in response to MrHoffman

Hi MrHoffman,


Yes, we included the intermediate CA + TLS certificate and the connection became secure.


Based on the link you provided:

Incomplete chain
Another common server misconfiguration occurs when the service provider only offers the leaf certificate instead of also including the intermediate certificate(s). Some clients will try to construct an alternate chain and not complain if they are successful, but in the end, the server needs to include the full chain minus the root certificates.

This is what confuses us: we already installed the intermediate together with the root on the client side, but it seems that on some platforms (iOS/iPadOS especially), the server side must have the complete certificate chain except for the root.


Thank you for your reply


Regards,

Christopher
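The behaviour discussed in the reply above and in the quoted "Incomplete chain" paragraph can be reproduced offline with OpenSSL. The script below is an added example, not part of this thread or of Apple's or Feisty Duck's material: it builds a constructed root, TLS intermediate and server certificate (the names web.example.test, "Example Root CA" and "Example TLS Intermediate CA" are made up), then verifies the server certificate as a client that trusts only the root would, once with the leaf alone and once with the combined leaf + intermediate PEM the question describes. A third check shows the lenient case where the client also treats the installed intermediate as a trust anchor.

```shell
#!/bin/sh
# Constructed three-tier chain (root -> TLS intermediate -> server leaf),
# then the leaf is verified the way a client that trusts only the root would.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
newkey() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null; }

# Self-signed root CA: the only certificate the client is meant to trust.
newkey root.key
openssl req -new -key root.key -subj "/CN=Example Root CA" -out root.csr
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -days 30 -in root.csr -signkey root.key -extfile ca.ext -out root.pem 2>/dev/null

# TLS intermediate CA: signed by the root, so not self-signed.
newkey int.key
openssl req -new -key int.key -subj "/CN=Example TLS Intermediate CA" -out int.csr
openssl x509 -req -days 30 -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile ca.ext -out intermediate.pem 2>/dev/null

# Server leaf: signed by the intermediate, with the SAN and serverAuth EKU
# that the Apple requirements page cited in the question calls for.
newkey server.key
openssl req -new -key server.key -subj "/CN=web.example.test" -out server.csr
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:web.example.test\nextendedKeyUsage=serverAuth\n' > leaf.ext
openssl x509 -req -days 30 -in server.csr -CA intermediate.pem -CAkey int.key -CAcreateserial \
  -extfile leaf.ext -out server.pem 2>/dev/null

# What the web server should present: leaf first, then the intermediate, no root.
cat server.pem intermediate.pem > chain.pem

# Server presents only the leaf; client trusts only the root. Fails: no issuer.
verify_leaf_only() {
  openssl verify -CAfile root.pem -verify_hostname web.example.test server.pem >/dev/null 2>&1
}
# Server presents leaf + intermediate; client trusts only the root. Succeeds.
verify_with_chain() {
  openssl verify -CAfile root.pem -untrusted chain.pem -verify_hostname web.example.test \
    server.pem >/dev/null 2>&1
}
# Client that also treats an installed intermediate as a trust anchor: the
# "alternate chain" leniency the quoted text describes, not something to rely on.
verify_leaf_intermediate_trusted() {
  cat root.pem intermediate.pem > trust.pem
  openssl verify -CAfile trust.pem -verify_hostname web.example.test server.pem >/dev/null 2>&1
}
verify_leaf_only && echo "leaf only: trusted" || echo "leaf only: NOT trusted"
verify_with_chain && echo "leaf + intermediate: trusted" || echo "leaf + intermediate: NOT trusted"
```

Requires an OpenSSL 1.1.1 or later installation with its default configuration file present; the trust-store variant is what lets a client complete the chain on its own, which is why the same leaf-only deployment can pass on one platform and fail on another.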
