Apple Intelligence now features Image Playground, Genmoji, Writing Tools enhancements, seamless support for ChatGPT, and visual intelligence.

Apple Intelligence has also begun language expansion with localized English support for Australia, Canada, Ireland, New Zealand, South Africa, and the U.K. Learn more >

You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

Certificate "Not Trusted" on iPhone

Hi,


I have a Mac mini running El Capitan server. I configured RADIUS so I can use WPA2-Enterprise. I bought a SSL Certificate from Network Solutions AND created an A-Record pointing to my server at home (server.example.com > 24.X.XX.XXX).


When I connect to the SSID (WPA2-Enterprise configured), I entered my credentials, the certificate displays "Not Trusted" in red. I then click Trust and I'm connected.


Is "Not Trusted" displaying in the certificate is normal? If not, how can I get the certificate display "Trusted" in green?

User uploaded file

Posted on Mar 8, 2016 6:48 AM

Reply
Question marked as Top-ranking reply

Posted on Feb 15, 2017 5:19 AM

Yes you will need to install the Intermediary CA cert on the device, this applies whether it is self-signed or purchased. If however you are not using an intermediary CA then obviously you don't need to worry about it.


So if your using your own self-signed root CA plus an intermediary CA and of course you need the device cert itself then that would be three certificates you would have to install plus one private key for the device. The root and intermediary should not be in the .p12 but should be sent as separate files via the mobileconfig file.


You can use a self-signed code-signing cert, in fact as standard Profile Manager creates one of these for you. It will be automatically trusted once you have enrolled a device to your Profile Manager. Nothing also prevents you creating manually your own self-signed code-signing cert using your own self-signed rootCA although it is much harder to do. (Apple's own tools are inadequate for this, I used a free tool called XCA.)

5 replies
Question marked as Top-ranking reply

Feb 15, 2017 5:19 AM in response to vane0326

Yes you will need to install the Intermediary CA cert on the device, this applies whether it is self-signed or purchased. If however you are not using an intermediary CA then obviously you don't need to worry about it.


So if your using your own self-signed root CA plus an intermediary CA and of course you need the device cert itself then that would be three certificates you would have to install plus one private key for the device. The root and intermediary should not be in the .p12 but should be sent as separate files via the mobileconfig file.


You can use a self-signed code-signing cert, in fact as standard Profile Manager creates one of these for you. It will be automatically trusted once you have enrolled a device to your Profile Manager. Nothing also prevents you creating manually your own self-signed code-signing cert using your own self-signed rootCA although it is much harder to do. (Apple's own tools are inadequate for this, I used a free tool called XCA.)

Mar 9, 2016 3:00 PM in response to vane0326

I've been doing some reading and found that I need to import the Root & Intermediate Certificates onto my iPhone, so I can get "Trusted" in green. Here are the steps what I've done so far...


1.) Went to the profile manager on the OS X server created a profile and imported 2 SSL certificates from my Third- Party vendor (Network Solutions).

2.) Configured network settings for it to use WPA2-Enterprise.

3.) Downloaded the mobileconfig file and emailed it to myself.

5.) Installed the mobileconfig file on to my iPhone. (Even though, on the file, it says "Not Signed" in red)

6.) On my iPhone I went to my SSID (WPA2-Enterprise), entered my Username & Password, BUT when I went to click on "Join" it's Greyed Out.


The mobileconfig file is configured EAP-TLS.


Anyone knows what I'm doing wrong?

Feb 15, 2017 11:20 PM in response to John Lockwood

Agree kinda if you are a geek or developer. But I intentionally didn't want to go into a programming tutorial as the users here just want this to work as it did prior to 10. They don't want to create manual certs for their devices. They want Apple to fix the problem. As developer and former Apple software engineer, I agree with them. Whether you create a self–signed cert from either an Apple OS X server or a more modern Linux flavored OS, the certs should be automatically saved after trusting, to the device. This has worked and been part of the requirements for as long as iOS has been released. No user is going to take this action. BTW many small SOHO systems still are using Snow Leopard. These machines don't have the latest RSH-2 compliant cert capabilities and their Xserves don't run the latest OS. They rely on self-signing certs.


This is a very simple issue. Getting a new cert from a server without deleting an account from an iOS device is totally consistent with accepted practice on any platform. This was an oversight and can be solved for in the same way that we constantly renew stale encryption tokens on apps working on iOS and Android devices. User SHOULD NEVER have to do what you describe.

Feb 14, 2017 3:21 PM in response to vane0326

Discussed with AppleCare yesterday. They were of no help. Our engineering team have experienced this when they have had to restore iOS devices from backup due to DFU or replacements. The issue is that a developer may have during QA commented out the ability to retain certs in the directory to test refresh tokens and forgot to reenable it. Just a thought. However, today's intended behavior is to refresh tokens automatically across all devices as long as the device is authenticated to an account. This allows system refreshes periodically to reduce the chance of hijacking physical devices. Unfortunately, many server OSs unless recent versions have refresh schema to make sure certs are always updated without requiring manual intervention. That's why the "Trust" button is shown in the Error message, "Unable to Identify this server...." under the Details tab.


If your device is restored from backup the cert isn't being transferred to the device and there's no way to manually force a refresh of the cert from the error message as it's been removed. If you remove the account first and add it back end, the error message will appear. Click on Details and you'll then see the Trust in the upper right portion of the popup. Click on it and that will download a new cert to your device. I sent this to Apple engineering.

Mar 13, 2016 2:10 PM in response to vane0326

After spending some time on this, using a Self-Signed Certificate AND a 3rd party Vendor Certificate...the "Not Trusted" is normal when connecting to a SSID that is configured for WPA2-Enterprise.


The only way around this if you do not want to see "Not Trusted" you would have to create a mobileconfig file from the OS X server profile manager and add the intermediate certificate. And then you will need to install it on every device that you don't want the user to see the "Not Trusted" certificate display.


The "Not Signed" in red...you will have to get a Code Signing Certificate from a 3rd party vendor, like digicert.com if you don't want to see it. You don't to have to get it, but it will show the users it's coming from a trusted source.

Certificate "Not Trusted" on iPhone

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.