-
Re: Adding self-signed as trusted root certificate
Beast Aug 26, 2016 10:06 AM (in response to samserva)
One can, but this solution is really only practical for enterprise apps where one can distribute the CA certificate via MDM. Prompting users to add root certificates isn't a very good UX for most users.
-
Re: Adding self-signed as trusted root certificate
samserva Aug 29, 2016 4:50 AM (in response to Beast)
Hi,
Thanks for your time on this query. My query was specific to self-signed certificates and not related to custom CA certificates. Can you please reconfirm whether we can import the root certificate of a self-signed certificate as trusted into the iOS device?
-
Re: Adding self-signed as trusted root certificate
Beast Aug 29, 2016 10:04 AM (in response to samserva)
Yes, self-signed certificates can be imported into the device as trusted certificates.
-
Re: Adding self-signed as trusted root certificate
samserva Aug 31, 2016 3:27 AM (in response to Beast)
Hi,
Thanks for your time again.
I was able to import the self-signed certificate as a trusted certificate, but even then I was getting the security-risk pop-up asking the user to cancel or proceed with the server connection, and the lock was white instead of green (in the Safari browser). I have the following two queries:
1. Can you please confirm whether importing self-signed certificates into the device as trusted certificates should result in a secured connection with the server (green lock visible to the user)?
2. If we import a self-signed root certificate as trusted into the device, does the connection work with ATS enabled as well?
-
Re: Adding self-signed as trusted root certificate
Beast Aug 31, 2016 10:01 AM (in response to samserva)
Yes, adding a self-signed certificate will always prompt the user about the certificate being untrusted when attempting to add the certificate to the trusted store.
A self-signed certificate is not verified or audited by any external entities, so no, it will never have a green lock.
These two reasons are why most non-enterprise apps don't use self-signed certificates.
ATS will work with a trusted self-signed certificate.
-
Re: Adding self-signed as trusted root certificate
eskimo Mar 16, 2017 5:26 AM (in response to samserva)
There are edge cases that can prevent self-signed certificates from working as server certificates. What I typically do is create a root certificate (which is self-signed, obviously) and have that issue my server certificate. You can then install the root certificate like you would any other root certificate, and that puts you on the well-trodden path.
You can create a certificate authority and issue certificates from it using your Mac; Technote 2326 Creating Certificates for TLS Testing has the details.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
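
The approach described in the post above (a self-signed root that issues the server certificate), sketched with the OpenSSL command line. This is an added example, not code from the thread or from Technote 2326; the subject names, file names and 365-day lifetime are constructed values.

```shell
#!/bin/sh
# Added example (not from the thread): test root CA that issues a server cert.
# Subject names, file names and the 365-day lifetime are constructed values.
set -eu

make_test_ca() {            # $1 = output directory
  mkdir -p "$1"
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Test Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Self-signed root: this is the only certificate installed on the device.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_server_cert() {       # $1 = CA directory, $2 = server DNS name
  cat > "$1/leaf.ext" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/ca.cnf" \
    -subj "/CN=$2" -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
  # Leaf signed by the root; clients match the hostname against the SAN.
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -sha256 -days 365 -extfile "$1/leaf.ext" \
    -out "$1/server.crt" 2>/dev/null
}

verify_chain() {            # exit 0 only if leaf chains to root and matches $2
  openssl verify -CAfile "$1/ca.crt" -purpose sslserver \
    -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}

# Direct use: sh make-test-ca.sh <outdir> <hostname>
if [ "$#" -eq 2 ]; then
  make_test_ca "$1" && issue_server_cert "$1" "$2" && verify_chain "$1" "$2"
  echo "install $1/ca.crt on the device; serve $1/server.crt with $1/server.key"
fi
```

Keep `ca.key` off the server and off any device: anything it signs is trusted by every device that has `ca.crt` installed.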
-
Re: Adding self-signed as trusted root certificate
jdasher Mar 15, 2017 4:01 PM (in response to eskimo)
Looks like Quinn's URL has changed. Try https://developer.apple.com/library/content/technotes/tn2326/_index.html
-
Re: Adding self-signed as trusted root certificate
eskimo Mar 16, 2017 5:29 AM (in response to jdasher)
You’re right that the correct link has changed. Fortunately the good folks at DevPubs catch this and redirect you. The reason why my link was broken is because I fluffed up the post (there was an incorrect character in my source Markdown)-:. I’ve fixed that now.
Thanks for pointing this out.
As a bonus extra, you might want to check out my Q&A about installing test CA root certificates: QA1948 HTTPS and Test Servers.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"