
Trusting Self-Signed Certificates in iOS 10

It appears that Apple has removed (or hidden) the ability to trust SSL certificates that are self-signed.


We host our own mail server with a self-signed certificate and previously we could manually trust the certificate on iOS devices. Now, users get prompted that the certificate is not trusted, we can only see details or cancel, there's no longer an option to trust it. As a result, they have difficulty sending or receiving mail from the iOS 10 devices.


Anyone know a workaround for this?

Posted on Nov 7, 2016 8:48 AM

Question marked as Top-ranking reply

Posted on Mar 31, 2017 11:16 AM

What fixed this issue on my iPhone for me was going to Settings -> General -> About -> Certificate Trust Settings, where there is a section called "ENABLE FULL TRUST FOR ROOT CERTIFICATES". Under it is listed the certificate that I installed on my iPhone. Once I enabled that, I was good to go.

52 replies

Apr 22, 2017 9:22 AM in response to iPhonekw

Sorry, I meant the file extension.

Yes, I email the **.cer file to my email. Then I open the Mail app to access my email and click on the **.cer file to install it.


Are you using the iOS Mail app or a third-party app? Look at the screenshots I have shared.

This is the attachment of the .cer file in my email.

Fig 1 (screenshot not preserved)


Upon clicking the root.cer file, it switches to the screen below, where I get an option to install (top-right).

Fig 2 (screenshot not preserved)

Make sure you are using the iOS Mail app, and if these options are not present, then I suggest trying to install the .cer file on your Windows/Mac machine to see if it works there. Maybe something is wrong with the .cer file?

Apr 25, 2017 2:40 PM in response to ct335i

Thanks for this. I have quite a few iPhones on my domain now, and finding the trust option was a little obtuse. Why didn't they just put it in the profile area?


Just another tidbit for those admins that have their own internal Microsoft PKI.


If you go to your PKI server\certsrv you can install the certificate directly without having to move files around. Domain users should be able to do this as well. In my case I go to https://mdstvvutil01/certsrv, enter my domain credentials and get the following dialogue..

May 5, 2017 12:38 AM in response to playapuss

playapuss wrote:


An additional step is now required in iOS 10.3: You must go to General->About->Certificate Trust Settings and turn on the root CA you just installed.


Dear Apple:

Dear user: Apple won't see your request here. This is a user-to-user technical support forum, not a way to communicate with Apple engineering. Apple does not read or respond here. To get a message to Apple use https://apple.com/feedback, or if you have a developer account use the bug reporting link in the developer area.

May 15, 2017 12:03 PM in response to Kevlar

There was a problem that was fixed in 10.3.2 (released today, May 15). See: About the security content of iOS 10.3.2 - Apple Support


Impact: Update to the certificate trust policy

Description: A certificate validation issue existed in the handling of untrusted certificates. This issue was addressed through improved user handling of trust acceptance.

Jan 1, 2017 12:27 PM in response to Kevlar

I just ran into this today when I had to rotate my certificates. Here's a distilled version of what I ended up having to do to solve it:


  1. Copy the self-signing CA cert to a web server. I just used a machine internal to the network that already had httpd set up but wasn't exposed to the internet (shouldn't matter with a cacert, but just in case).
  2. Browse from the device to the exact url for the cert. e.g. http://myserver/cacert.pem
  3. Install the profile as prompted. This will grant trust to all certificates signed by your CA. The certificate will show up in Settings->General->Profile.


The key here is that you need to use the CA certificate and not the server certificate, so that the iPhone will trust the entire certificate chain. If it only trusts the server certificate, you will still get "Not Verified" because it doesn't trust the issuing authority (your CA) for the certificate.

May 13, 2017 12:31 PM in response to dfeifer

One word on Microsoft-generated certificates: they can be problematic. I spent hours trying to get certificates created with the older MSFT tool, MakeCert.exe, to install. Nothing I tried worked... until I set up a CA installation with OpenSSL. Once properly configured, iOS 10.3.1 was more than happy to trust this certificate. Key differences:

  • Hashing (older MakeCert CA used SHA1, new uses sha512)
  • Issuer data (old was just text, new matched the Subject settings)
  • Subject (new included email address)
  • Subject Key Identifier (not present in old)
  • Key Usage (not present in old, new includes: Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86) )


I had also tried resigning the same key with a newer MakeCert.exe, but could not include all of the above settings. Posting in the hope of saving others a bunch of time...


- dennis
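The CA attributes dennis lists above, together with dfeifer's point that it must be the CA certificate (issuer equal to subject) rather than the server certificate, can be checked before a cert is handed to any device. The script below is an added example, not code from this thread: it builds a root CA with those attributes using OpenSSL and then inspects any PEM certificate for them. It assumes `openssl` is on PATH; the file names and DN values are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: build a self-signed root CA that has the
# attributes dennis lists (SHA-2 signature, issuer matching subject, e-mail in
# the subject, Subject Key Identifier, keyUsage with cert/CRL signing) and check
# any PEM cert for them before distributing it to devices. Assumes openssl on
# PATH; file names and the DN values are placeholders.
set -e

# make_root_ca <key.pem> <cert.pem> "<CN>": writes a config and signs with sha512
make_root_ca() {
    key=$1; cert=$2; cn=$3
    cat > "$cert.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN           = $cn
emailAddress = pki-admin@example.test
[ v3_ca ]
subjectKeyIdentifier = hash
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, digitalSignature, keyCertSign, cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha512 -days 3650 \
        -keyout "$key" -out "$cert" -config "$cert.cnf" >/dev/null 2>&1
}

# check_root_ca <cert.pem>: one FAIL line per missing attribute; exit status is
# the number of failures, so 0 means the file is a CA cert, not a server cert
check_root_ca() {
    txt=$(openssl x509 -in "$1" -noout -text)
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    fails=0
    echo "$txt" | grep -Eq 'Signature Algorithm: sha(256|384|512)' ||
        { echo "FAIL: signature is not SHA-2"; fails=$((fails + 1)); }
    [ "$subj" = "$iss" ] ||
        { echo "FAIL: issuer differs from subject (not a root CA)"; fails=$((fails + 1)); }
    echo "$txt" | grep -q 'X509v3 Subject Key Identifier' ||
        { echo "FAIL: no Subject Key Identifier"; fails=$((fails + 1)); }
    echo "$txt" | grep -q 'Certificate Sign' ||
        { echo "FAIL: keyUsage lacks keyCertSign"; fails=$((fails + 1)); }
    echo "$txt" | grep -q 'CA:TRUE' ||
        { echo "FAIL: basicConstraints is not CA:TRUE"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "OK: $1 has the attributes iOS expects of a root CA"
    return "$fails"
}
```

Run `check_root_ca` against the file you intend to host or e-mail; a server certificate signed by the CA will fail the issuer/subject and CA:TRUE checks, which is exactly the "Not Verified" case dfeifer describes.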

Mar 2, 2017 11:27 PM in response to Kevlar

Hi Kevlar -


Good post. We have had an Xserve running mail for 9 years and it can't be upgraded, of course. So we threw it out literally after iOS 10 hit the streets. Wanted to comment on SSL. It's used for the entire transmission, not just connections. If so, users wouldn't have any idea of what was being trusted during communication. All or nothing. In terms of certs, SHA1 is problematic as it's deprecated, so if you're running 10.6.8 you'll be issuing only SHA1 certs, which iOS clients won't like. It's also been a problem for our developers running Mac OS 10.11 and 10.12. In fact, Apple developers were told that any code submitted for products needs to be SHA2 compliant.

Mar 30, 2017 3:26 PM in response to ShagCA

Could you explain in further detail as to the methodology? I am apparently having the same issue mentioned in the comment to which you replied, pertaining to Trust Certificates and the inability to use Mail, iCloud, and mainly any Apple function dedicated for iOS 10.2.1, which is the version I am currently running on my iPad Air 2. I typically prefer to use Gmail, however I have other email accounts I could use if necessary.


Just for further clarification, ever since upgrading along the way from iOS 9 to iOS 10.2.1, I have experienced so many glitches, such as my iCloud and iTunes account password being requested incessantly; even once input correctly, I receive error messages about not being able to access iCloud or iCloud Drive. This has not only become annoying, it has affected my Notes, iCloud, Mail, Safari and perhaps some other pertinent daily functions. Regarding Safari, my open Tabs consistently close without reason, along with all of my History, Reading List, Favorites and Bookmarks.


For instance, if I want to send an email from the Share button from Safari, I hit the Mail button, which asks me to set up email accounts, as if I have never set those up before. Just for my own humility, I will re-enter my email accounts again and again, some which come back with a message indicating that they are already registered with the System. Otherwise, I have tried using other email accounts, which have not been registered on my iPad. At which point, I go through the hassle of setting up the email account, Save the account, I receive a message that the account has been saved, however, when I go to Share, hit the Email button, it redirects me to the same screen to set up my Email accounts.


It sounds from your Discussion thread that you are referring to this type of matter, unless I am mistaken. If so, can you please offer up some more detailed advice, as I have spent hours on the phone with Apple Support, to no avail. And, the bottom line is, as much as I know about computers and networking, I wouldn't have any idea how to access, say, Google's Gmail Trusted Root Certificate and be able to email it to myself as an attachment.


As an aside, I do operate on a Windows 10 PC as well, in case this would need to be resolved using another computer source, other than my iPad Air. Anything you could do to assist would be greatly appreciated.


Regards,


Mark Halsey

Mar 30, 2017 3:41 PM in response to ShagCA

Hey Shag,


I am not sure if I had replied to you regarding this post, or to the General Discussion regarding your methods in resolving the issue pertaining to Trusted Certificates.


If not, would you mind taking a look at my Post, which was actually directed at you, since your solution seemed to be the most likely workaround.


As an aside, I am using an iPad Air 2 running iOS 10.2.1, and the Trust Certificate, which seems to be a huge problem in these Forums, is regarding Trust Certificate Version 2016102100. I tried looking it up using Apple's List of Trusted Certificates, however, I couldn't seem to locate it and really don't know what to look for.


Thanks,


Mark Halsey

Mar 31, 2017 2:23 PM in response to Kevlar

I just wanted to follow up that we did recently solve this issue. We continue to use 10.6.8 server (although we are looking to upgrade soon) and have been able to get the certificate to be trusted.


The trick seems to be that the only time iOS can trust the certificate is during the account creation process. So we can delete the account on our iPhone (including the SMTP server), then re-enter the information. In the account verifying stage, you will get a prompt that the certificate is not trusted, but if you click "Details" you'll see "Trust" in the upper-right corner. Then the certificate will be trusted and we are able to send/receive mail through our servers on iOS devices without issue.


Hope this helps someone.

Apr 21, 2017 5:34 AM in response to ct335i

So I have been sending the certs via my yahoo email, since I can get that on my phone. When I open the email, it is attached. When I tap on the attachment, it acts like it is loading or something, see screenshot 1 above. But it never truly allows me to "install". When I go back to settings, about, security trust....this is all that is shown. So either the cert IS installed in the background but isn't recognized or it's not installed at all. This is extremely frustrating. Android makes this very simple, not sure why Apple makes it difficult.

Apr 21, 2017 9:16 AM in response to iPhonekw

What format is your CA in? I have tested with .cer and emailing to my hotmail/gmail. When I click on the .cer file within the email, it directs me to install the profile and I click install. Once installed you should see the cert under Settings - General - Profiles.

Then you can enable that cert under Settings - General - About - Certificate Trust Settings. You should see "Enable Full Trust .."
