I've never had success with local CAs and self-signed certs on iPhone, despite going through the whole rigamarole of creating and installing an MDM profile with the trust root. Even after doing that, apps and Safari behave as if the certificate was untrusted. Is there some documentation you've successfully used and wouldn't mind pointing to?
Hey there, author here! This took a little research: most of the instructions on the internet are for network admins adding local CAs to browsers rather than for users to control who they trust.
We ended up with instructions for configuring the major root stores: OS X, Windows, Firefox and Android. We weren't able to identify a way to choose which iOS 9 inbuilt certificates you trust - Apple Configurator 2 only allows you to add certs.
If HN knows how to do this on iOS, let us know!
For some reason, iOS Safari won't do what all the other browsers do: show a warning and then let you access the site. No, it outright rejects self-signed certs. You have to go through the trouble of installing the root CA on the phone, which is not practical.
If you are talking about installing the Root CA in the iPhone, yeah. That's how I do it in my development devices.
But for a user, iOS Safari (not Safari for MacOS) doesn't show any certificate warning that the user can accept, like other browsers. In fact, it just fails absolutely silently. You'd have to connect it to a Mac and open up the developer tools on the desktop's Safari, to see the errors that are being printed on the JS console.
Otherwise, you'd just be left wondering why it just doesn't work like all the other browsers.
Yeah, I don't know what OP is talking about, I'm using one on my iPhone right now. Enterprises deploy them all the time.
It is true that in recent versions of iOS (in the past five years or so), you have to install the certificate in Safari, then go to Settings->General->About, scroll all the way down, and manually trust the certificate (to ensure you really know what you're doing by enabling it). And iOS doesn't make this known anywhere outside of that special menu three levels deep, I suppose to not confuse people who had an attacker install a cert on their phone somehow.
Yes. Just email the self-signed certificate to yourself, then open it up on the iOS device. You can also create a personal CA and install it the same way, if you plan on connecting to more than one host.
I understand the need for installing a certificate to capture SSL, but it would be nice if you could just roll your own root CA cert. The documentation is not clear whether this is possible...
You need to manually trust it on each device. There is a button for that in the app, which shows the Trust certificate dialog. For other devices it's quite easy, e.g. you can AirDrop RootCA.pem onto the iPhone or iPad.
You can most definitely bypass the invalid certificate warning on iOS (I also have a device that uses a self-signed certificate and listens on a local IP, I can open its web interface just fine on iOS)
SCEP via .mobileconfig on iPhone, it's a breeze; I use client side certificates in a lot of places and the UX is transparent so long as the device doesn't contain multiple certificates.
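For anyone who wants to hand a root CA to an iPhone as a profile (the MDM profile route from the first comment, or the "personal CA" route a few comments up) rather than by e-mailing a bare .pem, here is a small added example of building that .mobileconfig; it is not code from anyone in this thread. It assumes the CA is available as PEM or DER, that the profile is delivered by AirDrop, Mail or MDM, and that the profile is left unsigned (a real deployment would sign it). The `SAMPLE_PEM` is a constructed placeholder (a well-formed ASN.1 SEQUENCE, not a real certificate), and `com.example.lab` is a made-up identifier. As the thread says, installing the payload only adds the CA; on iOS 10.3 and later you still have to enable it under Settings > General > About > Certificate Trust Settings before Safari and apps using the system trust store will accept it.

```python
"""Build an unsigned .mobileconfig that installs one root CA on iOS/macOS.

Added example, not code from the thread. Assumes the root CA is in PEM or
DER form and the resulting profile is delivered to the device (AirDrop,
Mail, MDM). Installing it only adds the CA; on iOS 10.3+ the user must
still enable it under Settings > General > About > Certificate Trust
Settings before Safari and URLSession trust it for TLS.
"""
import base64
import plistlib
import re
import uuid

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der(data: bytes) -> bytes:
    """Return DER bytes for the first certificate in `data`.

    Accepts a PEM block or raw DER. A DER certificate is an ASN.1 SEQUENCE,
    so it must start with tag 0x30; anything else is rejected here rather
    than being embedded in a profile the device would silently refuse.
    """
    m = _PEM_RE.search(data.decode("ascii", "ignore"))
    der = base64.b64decode(m.group(1)) if m else data
    if not der or der[0] != 0x30:
        raise ValueError("not a DER certificate (missing ASN.1 SEQUENCE tag)")
    return der


def build_root_ca_profile(der: bytes, display_name: str, org_id: str,
                          profile_uuid=None, payload_uuid=None) -> bytes:
    """Return the XML plist of a Configuration profile carrying one
    com.apple.security.root payload. UUIDs are random unless supplied
    (supplying them keeps the output reproducible for review)."""
    profile_uuid = profile_uuid or str(uuid.uuid4()).upper()
    payload_uuid = payload_uuid or str(uuid.uuid4()).upper()
    cert_payload = {
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.rootca.{payload_uuid}",
        "PayloadUUID": payload_uuid,
        "PayloadDisplayName": display_name,
        "PayloadContent": der,   # plistlib emits bytes as a <data> element
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.rootca",
        "PayloadUUID": profile_uuid,
        "PayloadDisplayName": display_name,
        "PayloadDescription": "Installs a local root CA "
                              "(still needs manual trust on iOS 10.3+)",
        "PayloadContent": [cert_payload],
    }
    return plistlib.dumps(profile)


def extract_certs(profile_xml: bytes):
    """Parse a profile back and return the DER certs it carries, so a
    profile can be reviewed before it is AirDropped to a device."""
    p = plistlib.loads(profile_xml)
    return [pl["PayloadContent"] for pl in p["PayloadContent"]
            if pl["PayloadType"] == "com.apple.security.root"]


# Constructed placeholder: a well-formed ASN.1 SEQUENCE, not a real cert.
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(b"\x30\x03\x02\x01\x01")
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # Hypothetical names; replace SAMPLE_PEM with your real RootCA.pem bytes.
    der = pem_to_der(SAMPLE_PEM)
    xml = build_root_ca_profile(der, "Lab Root CA", "com.example.lab")
    with open("lab-root-ca.mobileconfig", "wb") as f:
        f.write(xml)
```

The profile goes into Settings > Profile Downloaded on the device; after you install it, check Certificate Trust Settings, because a root that shows up there but is still toggled off is exactly the "installed but behaves as untrusted" symptom described at the top of this thread.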
iOS is tricky because of its weird rules regarding TLS libraries and web views. If you are sure you haven't any rogue CA certs in your applicable trust stores, it's probably a false positive.
Well, if you have a developer cert, you can use iModSign app to change the certificate on a binary and install it on your iOS device. I've done this before with a beta version of WhatsApp.