
AlecEdworthy

macrumors 6502
Original poster
May 1, 2007
Hello,

I have my own SHA256 certificate which I use for signing the certificates which are used on my own servers (HTTPS and SMTPS). Under iOS 10 and earlier I installed the certificate by downloading it and installing it like you would do a normal mobile configuration profile, and it appeared under Settings, General, Profiles. Under the iOS 11 GM the certificate downloads and installs in the same manner as before, but with the additional security of iOS 11 (and newly installed certificates under iOS 10.3.3 IIRC) you need to switch on the trust of newly installed root CAs in Settings, General, About, Certificate Trust Settings. However, my own root CA is not appearing in the list there. Others which were installed as part of managed wifi profiles are in that list but not my own one. My best guess is that because my certificate is "untrusted" it doesn't appear, but as the certificates for the managed wifi profiles were introduced as part of a properly signed mobileconfig profile they do appear. Seems a little chicken and egg to me. Has anyone else tried installing their own root CAs? If so did you get it working?

Yes, I know I *could* get a certificate signed by Let's Encrypt or similar but I'd like to get my own CA working again.

Thanks, Alec
 
I run my own CA for internal purposes as well. After installing the CA's public certificate I enable it in About as you detail. If yours is not showing up, perhaps it's missing a specific attribute that Apple is looking for? I know this is frustrating and challenging because the amount of information Apple provides about this type of stuff is next to nothing.

For what it's worth, I have been using the EasyRSA tool (from the OpenVPN guys) for my certificate management and have not really had any issues. I do not install the certificate directly however; I installed it within its own mobile configuration profile (pretty much just the root CA in that particular profile).

I know this isn't much help, but I at least wanted to let you know that private CAs do still work in iOS 11 (in truth, they'd have to because corporations use this kind of thing as a routine part of their security management).
 
Found the issue, my CA is missing a CN field. Not essential for signing other certificates (I've been using the CA for two and a half years) but clearly enough to stop iOS from recognising the certificate as a valid CA. Time to make myself a new CA and then re-sign my child certificates with it :mad:

Thanks Dave-Z :)

[Edit reason: Mangled two replies into one]
 
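The check behind the fix in the post above, as an added example that is not from any poster in this thread: it builds two throwaway CA certificates (constructed subjects and file names, hypothetical function names) and tests each subject for a CN with openssl. That iOS leaves a CN-less root out of Certificate Trust Settings is the poster's report; the script only tests for the attribute.

```shell
#!/bin/sh
# Added example. Subjects, file names and function names are constructed.

# Return 0 if the certificate subject contains a commonName (CN) attribute.
# An unreadable or unparseable file also returns non-zero.
has_subject_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        grep -Eq '^[[:space:]]*commonName[[:space:]]*='
}

# Create a throwaway self-signed CA certificate.
# $1 = output prefix, $2 = subject in openssl -subj form
make_test_ca() {
    cat > "$1.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
organizationName = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # -subj overrides the [dn] section, so the subject is exactly "$2".
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
        -config "$1.cnf" -subj "$2" \
        -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# Build one CA without a CN and one with, then report on both.
demo() {
    dir=$(mktemp -d) || return 1
    make_test_ca "$dir/no-cn" "/O=Constructed Home CA" || return 1
    make_test_ca "$dir/with-cn" \
        "/O=Constructed Home CA/CN=Constructed Home Root CA" || return 1
    for cert in "$dir/no-cn.pem" "$dir/with-cn.pem"; do
        if has_subject_cn "$cert"; then
            echo "OK       $cert: subject has a CN"
        else
            echo "MISSING  $cert: subject has no CN"
        fi
    done
    rm -rf "$dir"
}

demo
```

Pointing `has_subject_cn` at an existing root certificate file (PEM) before installing it on a device gives the same answer without generating anything.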
I had a lot of trouble with a self-signed certificate as well. I wound up using Apple Configurator to force install it, but it was a pure PITA.
 