It appears that Apple has removed the ability to trust SSL certificates that are self-signed in iOS 10.
I created my own self-signed certificate and have a local web server that signed with my certificate. I must install my certificate in iOS for testing locally as I have developed an iOS application that needs to trust my certificate.
How can I install my self-signed certificate?
Good news, they haven't. If you just need this for development purposes, which it sounds like you do (and you shouldn't be using self-signed certificates in production anyway), you can install the self-signed certificate on your iOS devices manually. Following the equivalent FAQ for my iOS Web Bluetooth browser app:
Create your self-signed certificate and key files using openssl or however. Be sure it has the correct /CN “Common Name” for your local server, e.g. mycomputer.local.
Configure your webserver to use it (obviously) and check that it is working using a different client, such as a browser on a Mac.
Email your certificate to an email address you can access on your iOS device.
Tap on the attachment in Mail on your iOS device, this should now prompt you to install it. Do so.
You should now verify that it is installed by going to the Settings app then General -> Profile -> <Common Name>. The Profile menu probably won’t be there at all until you’ve installed the first certificate. The certificate should be marked Verified (it was verified by you when you installed it).
You might, like I did, have thought this would be enough. It isn’t. You now, really counter-intuitively, need to go to the setting General -> About -> Certificate Trust Settings and enable full trust for your certificate there as well. It’s such a weird place for that setting to be.
The installation of own root certificates changed at some point (maybe somebody can confirm, if it was at iOS 11).
What you need to do is with your Mac, get Apple Configurator 2 and create a profile containing your certificate. The resulting mobile profile file can be installed from Safari or email.
Related
I am trying to secure a iOS app by checking the installed SSL certificate exists or not. First I created a self-signed certificate with OpenSSL, and then install it to my iPhone. Right now I need to programmatically check this certificate is installed or not. If it exists, the app can run without limit, if not, use won't be able to use the app. So how to programmatically check this device is installed or not in my app code?
Why do we need to install SSL certificate on our iOS devices?
Users can install digital identities (certificates plus their
associated private keys) onto their iOS devices by downloading them
from within Safari, by opening them as email attachments, and by
installing them with configuration profiles. Or, identities can be
pushed from a Mobile Device Management (MDM) server. However,
identities installed in any of these ways are added to the Apple
keychain access group.
Refer below links for more info.
https://forums.developer.apple.com/thread/52345
https://developer.apple.com/library/archive/qa/qa1745/_index.html
I have iPhone device and need to test my application. However, current version of iOS does not allow to MITM the Apple Store. The rest of the user apps work fine if you follow Charles Proxy manual (install cert, add to the trusted list).
Did anyone encounter the issue before?
iOS does allow third party certs. You just have to explicitly trust them.
Open Settings -> General -> About -> Certificate Trust Settings and enable trust for the development certificate.
This is to ensure that nobody gets an MITM cert installed on accident.
We use this all the time with iOS 11.3 with mitmproxy
On our internal network, we use a self-signed CA certificate. This has worked fine for years, in both Safari and our iOS product, all the way through iOS 10. We simply install the CA certificate on any new device or simulator and everything works, even with ATS. This allows access to all of our internal test servers without having to trust each server individually.
Starting with iOS 11 the installed CA certificate no longer allows Safari or our app to trust the certificate for any of the servers. We receive the following relevant details with CFNETWORK_DIAGNOSTICS enabled for our app:
Error Domain=kCFErrorDomainCFNetwork Code=-1200
_kCFNetworkCFStreamSSLErrorOriginalValue=-9802
_kCFStreamErrorDomainKey=3
_kCFStreamErrorCodeKey=-9802
NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made.
NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?
I spent considerable time trying to resolve this issue, scouring StackOverflow and the rest of the web. Although we use AFNetworking in our app, that seems to be irrelevant, as Safari no longer trusts these servers via the CA. Disabling ATS via NSAllowsArbitraryLoads allows access to the servers, but obviously isn't a solution.
No changes have been made to our -URLSession:didReceiveChallenge:completionHandler code, and we have a proper (worked for years) implementation of challenge response via challenge.protectionSpace.serverTrust.
I have re-evaluated and tested both the CA and server certificates every way I can think of, and they work everywhere except iOS 11. What might have changed in ATS for iOS 11 that could cause this issue?
While writing this question, I discovered the answer. Installing a CA from Safari no longer automatically trusts it. I had to manually trust it from the Certificate Trust Settings panel (also mentioned in this question).
I debated canceling the question, but I thought it might be helpful to have some of the relevant code and log details someone might be looking for. Also, I never encountered the issue until iOS 11. I even went back and reconfirmed that it automatically works up through iOS 10.
I've never needed to touch that settings panel before, because any installed certificates were automatically trusted. Maybe it will change by the time iOS 11 ships, but I doubt it. Hopefully this helps save someone the time I wasted.
If anyone knows why this behaves differently for some people on different versions of iOS, I'd love to know in comments.
Update 1: Checking out the first iOS 12 beta, it looks like things remain the same. This question/answer/comments are still relevant on iOS 12.
Update 2: Same solution seems to be needed on iOS 13 beta builds as well.
I've been struggling with this for 3 days now while attempting to connect to a local API running Laravel valet. I finally figured it out. In my case I had to drag and drop over the LaravelValetCASelfSigned.pem file from ~/.config/valet/CA/LaravelValetCASelfSigned.pem
After verifying the installing within the simulator I had to go to Settings > About > Certificate Trust Settings > and Enable the Laravel Valet VA Self Signed CN
Finally working!!!
Recommended solution is to install and trust a self-signed certificate (root). Assuming you created your own CA and the hierarchy of the certificated is correct you don't need to change the server trust evaluation. This is recommended because it doesn't require any changes in the code.
Generate CA and the certificates (you can use openssl: Generating CA and self-signed certificates.
Install root certificate (*.cer file) on the device - you can open it by Safari and it should redirect you to Settings
When the certificated is installed, go to Certificate Trust Settings (Settings > General > About > Certificate Trust Settings) as in MattP answer.
If it is not possible then you need to change server trust evaluation.
More info in this document: Technical Q&A QA1948 HTTPS and Test Servers
This has happened to me also, after undating to IOS11 on my iPhone. When I try to connect to the corporate network it bring up the corporate cert and says it isn't trusted. I press the 'trust' button and the connection fails and the cert does not appear in the trusted certs list.
Apple hand three categories of certificates: Trusted, Always Ask and Blocked. You'll encounter the issue if your certificate's type on the Blocked and Always Ask list. On Safari it show’s like:
And you can find the type of Always Ask certificates on Settings > General > About > Certificate Trust Setting
There is the List of available trusted root certificates in iOS 11
Blocking Trust for WoSign CA Free SSL Certificate G2
If you are not seeing the certificate under General->About->Certificate Trust Settings, then you probably do not have the ROOT CA installed. Very important -- needs to be a ROOT CA, not an intermediary CA.
I just answered a question here explaining how to obtain the ROOT CA and get things to show up: How to install self-signed certificates in iOS 11
I follow all recommendations and all requirements. I install my self signed root CA on my iPhone. I make it trusted. I put certificate signed with this root CA on my local development server and I still get certificated error on safari iOS. Working on all other platforms.
I'm using the NEVPNManager to create a personal VPN for my iOS app which is working. Now I'm trying to install a root CA certificate that can be used by all apps. I understand the user will need to trust this certificate under General -> About - Certificate Trust Settings. I'm trying to automate as much of this process as possible. The two ways I've found to attempt to do this are either:
1) Open Safari with a URL to the root certificate hosted on a website and iOS will prompt the user to install the certificate as a profile.
2) Install the certificate pragmatically within the app.
Option #1 works, but after the user installs the certificate they are not take back to the app and still have to manually go in and trust the certificate in the Certificate Trust Settings.
With option #2 if SecItemAdd is used it is only added to the keychain for the sandbox for my app and not available to other apps. The only option I have seen to make if available to other apps it to increase it's trust level as shown here, but this seems to require an old open source library from Apple that I was not able to get to build.
So, what is the best option to accomplish installing the root certificate and prompting the user to make it trusted? If it is possible through #2, any ideas how I build and then incorporate that library into my app? If I'm left with #1, what is the best way to simplify the process for the user?
SecTrustSettingsSetTrustSettings and related symbols are private API and your app will be rejected by Apple on submission. Even if you manage to compile this open source, it will still export the private symbols, and your app will be rejected.
Instead, you should use the openURL: API and point to a .p12 file, either locally hosted (by using an in-app web server) or remote. The .p12 file should include the certificate chain.
This will open the Settings app and ask the user to install the certificate. Once the user installs, all applications on the device will trust it.
I've got my Xcode server setup on a mac mini. Downloading the .ipa from https://pandora.local/xcode/ using Itunes works just fine.
I tried installing it directly from the phone from safari. It installs a certificate but when I click install it gives an error, saying that it can't connect to the server.
For the mention issue, I got solved by going into iphone settings -> general - > About - > Scroll to the bottom , Click on Certificate Trust Settings -> trun on for Xcode Server Root Certificate Authority. See screenshot.
had the exact same issue and it was a browser caching issue on Safari.
I went into Settings -> Safari -> Advanced -> Website Data, then left swiped on my Xcode server website to reveal the Delete button and clicked on it for just that website.
The next time I browsed to the Xcode server in Safari and attempted to install a build, I received the prompt to install the OTA certificate and when accepted done that I could install applications.
I tried the same, deleting the Website Data for my xcode server, but that did not actually work for me.
See my answer at Xcode bot install link request time out for an alternative solution.
you can get the answer offical description,
In iOS 10.3 and later, when you manually install a profile that contains a certificate payload, that certificate isn't automatically trusted for SSL.
You must manually turn on trust for SSL when you install a profile that is sent to you via email or downloaded from a website.
If you want to turn on SSL trust for that certificate, go to Settings > General > About > Certificate Trust Settings. Under "Enable full trust for root certificates," turn on trust for the certificate.
Apple recommends deploying certificates via Apple Configurator or Mobile Device Management (MDM). Certificate payloads installed with Configurator, MDM, or as part of an MDM enrollment profile are automatically trusted for SSL.