iOS 18 Bug - Certificate Trust Settings for Private Root Certificates Not Available

Importing an existing self-signed trusted root certificate no longer triggers option to trust cert in Settings / About / Certificate Trust Settings in iOS 18.

Cert installed manually from internal website, as email attachment, and using profile in Configurator all produce same result.

Same cert and processes work on iOS 16.7.10, iOS 17.6.1 and iPadOS 18.0

But not on iOS 18.0 nor beta iOS 18.1 beta5 on iPhone 16

Also tried regening a new test root on macOS Sonoma and installing using Configurator. No difference.

It’s broken - I’ve reported it by Feedback - it’s a vital security flaw.

Anyone else see this or have a workaround?

Answered by DTS Engineer in 811930022

A quick update…

First up, thanks for all the bug reports!

Based on your bugs we think we understand what’s happening here. As folks have noted on this thread, it seems to be related to updating from iOS 16 or earlier, either directly or from a restored backup. The system is not correctly handling the migration from an older form of its internal data structures.

Most folks don’t see this because they’re updating from iOS 17, and the migration works correctly in that case.

And just to head off the inevitable follow-up question… I don’t have any info to share as to when this will be fixed. All I can say right now is that the bug is still present in the latest iOS 18.2b1 seed (22C5109p).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

When can it be fixed? Can apple engineer help to escalate the issue? Thanks.

FINALLY I fixed it without resetting my iPad/iPhone, by using the Edit Backup file and restore, from the third-party Mac App you know.

  1. Backup your device running iOS 18
  2. Use Mac App to extract the backup files
  3. Remove the MobileDeviceDomain, KeychainDomain, ProtectedDomain, 3 folders
  4. Restore the edited backup to your device

Done. https://twitter.com/DreamingPiggy/status/1857459220091908594

@DTS Engineer - Hey Quinn,

I just upgraded from an iPhone 13 (which had my custom CA root installed and trusted) using Apple's upgrade path (backed everything up to iCloud, put the phones next to each other, and let them do their thing). The install did not include the root cert from the iPhone 13.

I am testing the waters before any of my users try this, and I am stuck. I am stymied by the lack of root cert trust settings in 18.1, which keeps OpenVPN from connecting to my private network. This completely breaks remote access, for me (and for any of my users that might upgrade to a new phone), as it hangs on verifying the OpenVPN server certificate.

Before I distribute (dangerously) altered OpenVPN profiles that do not try to verify the certificate, is there an ETA for a fix?? Thanks!

An update - I discovered that installing a certificate from HTTPS sites (vs. email, which I had been trying) works. OpenVPN accepts this certificate even though it is not trusted, which lets me work around the connecting from outside issue.

What this does not solve is every internal website or service using my custom CA's signed certificates shows up as untrusted. This is a pain, and I really hope it is fixed soon!

Slightly different angle. Installed 18.1.1 on a six month old iPad. After rebooting get a message about an untrusted certificate which expired in 2016 - related to a no longer used email server. There does not seem to be an option to list and delete certificates. Nothing under VPN and Device Management.
