Certificate "Not Trusted" on iPhone

Agree kinda if you are a geek or developer. But I intentionally didn't want to go into a programming tutorial as the users here just want this to work as it did prior to 10. They don't want to create manual certs for their devices. They want Apple to fix the problem. As developer and former Apple software engineer, I agree with them. Whether you create a self–signed cert from either an Apple OS X server or a more modern Linux flavored OS, the certs should be automatically saved after trusting, to the device. This has worked and been part of the requirements for as long as iOS has been released. No user is going to take this action. BTW many small SOHO systems still are using Snow Leopard. These machines don't have the latest RSH-2 compliant cert capabilities and their Xserves don't run the latest OS. They rely on self-signing certs.

This is a very simple issue. Getting a new cert from a server without deleting an account from an iOS device is totally consistent with accepted practice on any platform. This was an oversight and can be solved for in the same way that we constantly renew stale encryption tokens on apps working on iOS and Android devices. User SHOULD NEVER have to do what you describe.

Discussed with AppleCare yesterday. They were of no help. Our engineering team have experienced this when they have had to restore iOS devices from backup due to DFU or replacements. The issue is that a developer may have during QA commented out the ability to retain certs in the directory to test refresh tokens and forgot to reenable it. Just a thought. However, today's intended behavior is to refresh tokens automatically across all devices as long as the device is authenticated to an account. This allows system refreshes periodically to reduce the chance of hijacking physical devices. Unfortunately, many server OSs unless recent versions have refresh schema to make sure certs are always updated without requiring manual intervention. That's why the "Trust" button is shown in the Error message, "Unable to Identify this server...." under the Details tab.

If your device is restored from backup the cert isn't being transferred to the device and there's no way to manually force a refresh of the cert from the error message as it's been removed. If you remove the account first and add it back end, the error message will appear. Click on Details and you'll then see the Trust in the upper right portion of the popup. Click on it and that will download a new cert to your device. I sent this to Apple engineering.

Yes you will need to install the Intermediary CA cert on the device, this applies whether it is self-signed or purchased. If however you are not using an intermediary CA then obviously you don't need to worry about it.

So if your using your own self-signed root CA plus an intermediary CA and of course you need the device cert itself then that would be three certificates you would have to install plus one private key for the device. The root and intermediary should not be in the .p12 but should be sent as separate files via the mobileconfig file.

You can use a self-signed code-signing cert, in fact as standard Profile Manager creates one of these for you. It will be automatically trusted once you have enrolled a device to your Profile Manager. Nothing also prevents you creating manually your own self-signed code-signing cert using your own self-signed rootCA although it is much harder to do. (Apple's own tools are inadequate for this, I used a free tool called XCA.)