0 votes
662 views
in Technique by (71.8m points)

ssl - How to install self-signed certificates in iOS 11

I've been using self-signed certificates in the intranet of my small office and after upgrading to iOS 11, the certificates do not work for me. (Chrome and other browsers are happy with them.)

I've got my self-signed root CA file and converted it to a .der file, and installed it onto my iPad via the web.

(screenshot: iPad with cert)

But unlike this Answer, I can't see my root ca certificate on the Settings > General > About > Certificate Trust settings.

(screenshot: no cert??)

Are there any limitations on the certificates to be trusted in iOS? Both my iPhone and iPad have this problem. Is there anything wrong in my procedure?

I used these commands to make my CA certificate.

    openssl genrsa -des3 -out rootCA.key 4096
    openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
    openssl x509 -in rootCA.crt -out cert.der -outform DER

1 Reply

0 votes
by (71.8m points)

If you are not seeing the certificate under General->About->Certificate Trust Settings, then you probably do not have the ROOT CA installed. Very important -- needs to be a ROOT CA, not an intermediary CA.

This is very easy to determine by using openssl:

$ openssl s_client -showcerts -connect myserver.com:443 </dev/null

This will show you output for certificates in the cert chain, something like this:

    Certificate chain
     0 s:/C=US/ST=California/L=SAN FRANCISCO/O=mycompany.com, inc./OU=InfraSec/CN=myserver.com
       i:/C=US/O=mycompany.com, inc./CN=mycompany.com Internal CA 1A
    -----BEGIN CERTIFICATE-----
    ....encoded cert in PEM format....
    -----END CERTIFICATE-----

And it should show a chain of certs all the way to the ROOT CA. Keep following the output, paying attention to the "i:" value which indicates the ISSUER. Finally, you should get to the ROOT CA and can just copy-paste it to a .pem file (be sure to include the BEGIN CERTIFICATE and END CERTIFICATE lines!). Now you will be able to install it on your simulator by dragging and dropping it onto the simulator window.

If your ROOT CA is not listed, then find the top level in the output, then export it from Keychain Access.app. This assumes you are able to hit the website via Safari/Chrome, so you will have had to manually trust the website first.

My 'openssl s_client' output ended with the last cert shown with an issuer like this:

i:/C=US/O=mycompany.com, inc./CN=mycompany.com Internal Root CA 1

I am able to hit the target website successfully via Safari/Chrome, so that means Keychain has it stored and trusts it. So, I just launched Keychain Access.app via Spotlight and typed "mycompany" in the search bar. It showed my certificate (Kind=certificate) for "mycompany.com Internal Root CA 1". I just right clicked and selected "Export" and saved it to a .cer file.

Voila! Now I can drag-n-drop it onto my simulator and the ROOT CA will show up under General->About... and I can enable it.

If, for some reason, you need to convert a PEM file to DER/CER, just use this command:

$ openssl x509 -in myfile.pem -out myfile.der -outform DER

Hope this helps, I've had to do this dozens of times and figured it's about time I jot down some notes so I don't keep forgetting.
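As an added example (not part of the question or the answer above), the following Python script parses the `Certificate chain` section of `openssl s_client -showcerts` output, follows each "i:" issuer to the next "s:" subject as the answer describes, and reports whether the last certificate the server sent is self-signed (the ROOT CA itself) or whether the root must be obtained separately, e.g. from Keychain Access. The sample output is constructed and contains no real certificates.

```python
import re

# Constructed sample of `openssl s_client -showcerts` output (not real certificates).
# The server sends the leaf and one intermediate but not the root: the last "i:" names
# a root CA that never appears as an "s:" subject, the situation the answer describes.
SAMPLE_OUTPUT = """\
---
Certificate chain
 0 s:/C=US/O=mycompany.com, inc./CN=myserver.com
   i:/C=US/O=mycompany.com, inc./CN=mycompany.com Internal CA 1A
-----BEGIN CERTIFICATE-----
....encoded cert in PEM format....
-----END CERTIFICATE-----
 1 s:/C=US/O=mycompany.com, inc./CN=mycompany.com Internal CA 1A
   i:/C=US/O=mycompany.com, inc./CN=mycompany.com Internal Root CA 1
-----BEGIN CERTIFICATE-----
....encoded cert in PEM format....
-----END CERTIFICATE-----
---
"""

# One chain entry: an index, the "s:" subject line, then the "i:" issuer line. Works for the
# old "/C=US/O=..." form shown on this page and the newer "C = US, O = ..." form alike.
ENTRY_RE = re.compile(r"^[ \t]*(\d+)[ \t]+s:(.*)\n[ \t]*i:(.*)$", re.MULTILINE)

def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server sent the certificates."""
    return [(m.group(2).strip(), m.group(3).strip()) for m in ENTRY_RE.finditer(output)]

def chain_report(output):
    """Follow each issuer to the next subject and say whether the ROOT CA itself was sent."""
    chain = parse_chain(output)
    if not chain:
        return {"ok": False, "reason": "no certificate chain found in output"}
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:  # out of order, or a link is missing
            return {"ok": False, "reason": f"issuer {issuer!r} is not the next certificate"}
    last_subject, last_issuer = chain[-1]
    return {
        "ok": True,
        "depth": len(chain),
        "root_sent": last_subject == last_issuer,  # a self-signed last cert is the root itself
        "root_name": last_issuer,  # the name to search for in Keychain Access when it is not sent
    }

if __name__ == "__main__":
    report = chain_report(SAMPLE_OUTPUT)  # on a real host: pipe s_client output into sys.stdin
    print(report)
```

When `root_sent` is false, `root_name` is the issuer string to look for in Keychain Access, exactly as the answer does by hand; the exported root (not the intermediate) is what iOS lists under Certificate Trust Settings.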
