Level 1 (0 points)
-
Re: Adding self-signed as trusted root certificate
Level 3 (125 points)
One can, but this solution is really only practical for enterprise apps where one can distribute the CA certificate via MDM. Prompting users to add root certificates isn't a very good UX for most users.
-
Re: Adding self-signed as trusted root certificate
Level 1 (0 points)
Hi,
Thanks for your time on this query. My query was specific to self-signed certificate and not related custom CA certificates. Can you please reconfirm, if we can import the root certificate of self-signed certificate, as trusted into the iOS device ?
-
Re: Adding self-signed as trusted root certificate
Level 3 (125 points)
Yes, self-signed certificates can be imported into the device as trusted certificates.
-
Re: Adding self-signed as trusted root certificate
Level 1 (0 points)
Hi,
Thanks for your time again.
I was able to import the self-signed certificate as trusted certificates, but even then i was getting the security-risk pop-up asking user to cancel or proceed with the server connection and the lock was in white color instead of green color (in safari browser). I have following two queries
1. Can you please confirm whether importing self-signed certificates into device as trusted certificates, should result in secured connection with server (green lock visible to user) ?
2. if we import self-signed root certificate as trusted into the device, Does connection work with ATS enabled as well ?
-
Re: Adding self-signed as trusted root certificate
Level 3 (125 points)
Yes, adding a self-signed certificate will always prompt the user about the certificate being untrused when attempting to add the certificate to the trusted store.
A self-signed certificate is not verified or audited by any external entities, so no, it will never have a green lock.
These two reasons are why most non-enterprise apps don't use self-signed certificates.
ATS will work with a trusted self-signed certificate.
-
Re: Adding self-signed as trusted root certificate
Apple Staff (10,695 points)
There are edge cases that can prevent self-signed certificates from working as server certificates. What I typically do is create a root certificate (which is self-signed, obvious) and have that issue my server certificate. You can then install the root certificate like you would any other root certificate, and that puts you on the well-trodden path.
You can create a certificate authority and issue certificates from it using your Mac; Technote 2326 Creating Certificates for TLS Testing has the details.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardwarelet myEmail = "eskimo" + "1" + "@apple.com"-
Re: Adding self-signed as trusted root certificate
Level 1 (0 points)
Looks like Quinn's URL has changed. Try https://developer.apple.com/library/content/technotes/tn2326/_index.html
-
Re: Adding self-signed as trusted root certificate
Apple Staff (10,695 points)
You’re right that the correct link has changed. Fortunately the good folks at DevPubs catch this and redirect you. The reason why my link was broken is because I fluffed up the post (there was an incorrect character in my source Markdown)-:. I’ve fixed that now.
Thanks for pointing this out.
As a bonus extra, you might want to check out my Q&A about installing test CA root certificates: QA1948 HTTPS and Test Servers.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardwarelet myEmail = "eskimo" + "1" + "@apple.com"
-
-
-
-
-
-