
Wi-Fi Connection to WPA2 Enterprise Keeps Asking to Verify Certificate

Hi All,


No amount of searching has helped me solve this problem ... hoping someone may be able to provide some insight.


I regularly connect to a WPA2 Enterprise network. This network is secured with a single "Root CA" self-signed certificate. This certificate is installed in my System keychain and my login keychain, and is marked as "Always Trust" everywhere.


Even with the trust settings configured for this certificate, I always get two prompts when connecting to this network:

  1. Verify Certificate window, with the text "Before authenticating to server "mycert", you should examine the server's certificate to ensure that it is appropriate for this network." I click "Continue".
  2. After clicking continue, I receive another prompt asking me for my login password: "You are making changes to your Certificate Trust Settings. Type your password to allow this."


After clicking Continue in the first prompt and then typing my password and clicking "Update Settings" in the second box, I am then connected and all works well.


I do not want to be prompted every time. I trust this certificate. I've installed the certificate; it exists in both my login keychain and my System keychain, and in both it is marked as "Always Trust" for all possible cases.


Why am I constantly prompted?


Interesting twist: If I click "Continue" on the Verify Certificate Window, and then "Cancel" on the "You are making changes to your ... type your password to allow this" window, it still connects and works fine. Possible bug in how this is handled?

Posted on Sep 3, 2015 1:21 PM

Question marked as Best reply

Posted on Sep 4, 2015 4:41 AM in response to WickedPorter

There are typically three certificates involved.


  1. The RootCA
  2. The Server certificate
  3. Often, a client certificate


You might even have an 'intermediary' certificate which goes between the RootCA and any server certificates.


From your post you appear to have installed and trusted the RootCA. This should mean that any other certificates signed by that RootCA are automatically trusted. The server and any client certificates should be 'signed' by the RootCA. However, it is possible that the server certificate has expired, has the wrong common name on it so it does not match the server's address, or has some other mistake.


If you open Keychain Access I am sure from your description it will contain the RootCA, and it will be in 'green', showing you have trusted it. When you get this message there should be an option to show more information about the problem certificate; you need to view that and ideally post a picture here, or at least what it says. This hopefully will give some clues.


Note: You would normally not use a RootCA as a server certificate and in fact most RootCA certificates probably are not configured to enable doing so.


Note: It is normally only appropriate to put the RootCA in the System keychain and not the login keychain.
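To make the chain in the reply above concrete, here is an added example; it is not from this thread and is not Apple's, the poster's or the replier's code. It builds a throwaway Root CA, an intermediate and a RADIUS server certificate with the openssl command line, then runs the checks a supplicant runs on the server certificate: chain to the trusted root, TLS-server purpose, name match and validity period. Everything it names is assumed for illustration: "Example Corp" for the CAs, "radius.example.net" for the RADIUS server, "mycert" as a stand-in for the unexpected name in the prompt, and an `openssl` binary (1.0.2 or later, for `-verify_hostname` and `-attime`).

```shell
#!/bin/sh
# Added example, not code from the thread: build a throwaway PKI with the openssl
# command line and run the checks an 802.1X supplicant applies to the RADIUS
# server's certificate, reproducing the three faults the reply lists. Every name
# here is invented: "Example Corp" for the CAs, "radius.example.net" for the
# RADIUS server, and "mycert" for the unexpected name the OP's prompt showed.

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"

# Root CA -> issuing (intermediate) CA -> server certificate. Only the root is
# installed on the client; the intermediate has to come from the server.
pki_build() {
    (
    cd "$PKI_DIR" || exit 1
    cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_int ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:radius.example.net
[ v3_badname ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mycert
EOF
    # Self-signed root: CA:TRUE and keyCertSign only, as a real root should be.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -keyout root.key -out root.pem \
        -subj "/CN=Example Corp Root CA" -config ext.cnf -extensions v3_root 2>/dev/null || exit 1
    # Intermediate CA signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
        -subj "/CN=Example Corp Issuing CA" -config ext.cnf 2>/dev/null || exit 1
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 1825 \
        -out int.pem -extfile ext.cnf -extensions v3_int 2>/dev/null || exit 1
    # Server certificate signed by the intermediate, valid for one day on purpose.
    openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
        -subj "/CN=radius.example.net" -config ext.cnf 2>/dev/null || exit 1
    openssl x509 -req -in server.csr -CA int.pem -CAkey int.key -CAcreateserial -days 1 \
        -out server.pem -extfile ext.cnf -extensions v3_server 2>/dev/null || exit 1
    # Same key, but carrying a name the client is not expecting.
    openssl req -new -key server.key -out badname.csr -subj "/CN=mycert" \
        -config ext.cnf 2>/dev/null || exit 1
    openssl x509 -req -in badname.csr -CA int.pem -CAkey int.key -CAcreateserial -days 1 \
        -out badname.pem -extfile ext.cnf -extensions v3_badname 2>/dev/null
    )
}

# Validate a leaf the way a supplicant should: the root is the only trust anchor,
# the intermediate is passed as "untrusted" (the server sends it; the client does
# not trust it on its own), the purpose is TLS server, and the name is checked
# against the server the client expects. An optional Unix time evaluates the
# validity period at a date other than now.
# Usage: verify_leaf <leaf.pem> <expected-name> [<unix-time>]
verify_leaf() {
    leaf=$1; expect=$2; when=${3:-}
    set -- -CAfile "$PKI_DIR/root.pem" -untrusted "$PKI_DIR/int.pem" \
           -purpose sslserver -verify_hostname "$expect"
    if [ -n "$when" ]; then set -- "$@" -attime "$when"; fi
    if out=$(openssl verify "$@" "$leaf" 2>&1); then
        echo "OK   ${leaf##*/}"
        return 0
    fi
    # The first "error N at D depth lookup: ..." line names the failing check.
    echo "FAIL ${leaf##*/}: $(printf '%s\n' "$out" | sed -n '/^error [0-9]/{p;q;}')"
    return 1
}

# The cases from the reply: a correct certificate; the same certificate looked at
# three days from now, after its one-day validity has lapsed; a certificate whose
# name does not match the server; and the root CA presented as the server
# certificate, which fails the TLS-server purpose check because its keyUsage has
# neither digitalSignature nor keyEncipherment.
check_good()           { verify_leaf "$PKI_DIR/server.pem"  radius.example.net; }
check_expired()        { verify_leaf "$PKI_DIR/server.pem"  radius.example.net "$(( $(date +%s) + 3 * 86400 ))"; }
check_wrong_name()     { verify_leaf "$PKI_DIR/badname.pem" radius.example.net; }
check_root_as_server() { verify_leaf "$PKI_DIR/root.pem"    radius.example.net; }

# Only check_good passes; the other three are what a "Verify Certificate" prompt
# is reacting to even though the root itself is trusted.
if pki_build; then
    check_good || :
    check_expired || :
    check_wrong_name || :
    check_root_as_server || :
else
    echo "could not build the test PKI in $PKI_DIR" >&2
fi
```

Run with `sh`; each check prints one line and only the first reports OK. The point for this thread is that "Always Trust" on the root changes nothing about the last three cases: the server certificate itself is what is being judged, so that is the one to inspect from the prompt's certificate details. On the Mac the same questions can be put to an exported server certificate with `security verify-cert -c server.pem -r root.pem -p eap`, and `security dump-trust-settings` (user domain) versus `security dump-trust-settings -d` (admin domain) shows which keychain's trust settings are in force; those macOS commands are not run by the example above.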


Dec 19, 2016 7:52 AM in response to John Lockwood

That's good to know, but the same thing keeps happening to my iPhone 6S+ running iOS 10.2. The security certificate from the server appears to expire in 2019, so that shouldn't be an issue. I don't know how to access this certificate on my iPhone.


An iPhone connecting to the same office network didn't have this issue in iterations of iOS 9. Go figure.
