Adding self-signed as trusted root certificate

Hi,


If the server uses self-signed certificates, can we import the root certificate of a self-signed certificate as trusted into the iOS device?

And if we import the root certificate as trusted into the device, does the connection work with ATS enabled?


Thanks,

Sam

Replies

One can, but this solution is really only practical for enterprise apps where one can distribute the CA certificate via MDM. Prompting users to add root certificates isn't a very good UX for most users.

Hi,

Thanks for your time on this query. My query was specific to self-signed certificates and not related to custom CA certificates. Can you please reconfirm if we can import the root certificate of a self-signed certificate as trusted into the iOS device?

Yes, self-signed certificates can be imported into the device as trusted certificates.

Hi,

Thanks for your time again.

I was able to import the self-signed certificate as a trusted certificate, but even then I was getting the security-risk pop-up asking the user to cancel or proceed with the server connection, and the lock was white instead of green (in the Safari browser). I have the following two queries:

1. Can you please confirm whether importing self-signed certificates into the device as trusted certificates should result in a secured connection with the server (green lock visible to the user)?

2. If we import a self-signed root certificate as trusted into the device, does the connection work with ATS enabled as well?

Yes, adding a self-signed certificate will always prompt the user about the certificate being untrusted when attempting to add the certificate to the trusted store.


A self-signed certificate is not verified or audited by any external entities, so no, it will never have a green lock.


These two reasons are why most non-enterprise apps don't use self-signed certificates.


ATS will work with a trusted self-signed certificate.

There are edge cases that can prevent self-signed certificates from working as server certificates. What I typically do is create a root certificate (which is self-signed, obviously) and have that issue my server certificate. You can then install the root certificate like you would any other root certificate, and that puts you on the well-trodden path.

You can create a certificate authority and issue certificates from it using your Mac; Technote 2326 Creating Certificates for TLS Testing has the details.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Looks like Quinn's URL has changed. Try https://developer.apple.com/library/content/technotes/tn2326/_index.html

You’re right that the correct link has changed. Fortunately the good folks at DevPubs catch this and redirect you. The reason why my link was broken is because I fluffed up the post (there was an incorrect character in my source Markdown)-:. I’ve fixed that now.

Thanks for pointing this out.

As a bonus extra, you might want to check out my Q&A about installing test CA root certificates: QA1948 HTTPS and Test Servers.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hey Quinn, is that Q&A still applicable?

My app makes HTTPS requests to a localhost server with a custom certificate authority (for local development only). So I've manually installed a root certificate authority on the iOS simulator, and I can visit the server in Safari, no problem.

But my app gives me this error:

The certificate for this server is invalid. You might be connecting to a server that is pretending to be “localhost” which could put your confidential information at risk.

Any suggestions are much appreciated!

is that Q&A still applicable?

In general, yes.

My app makes HTTPS requests to localhost

Of course localhost is handled as a special case in many different parts of the OS. It’s possible that something specific to localhost is tripping you up.

If you have your CA issue a certificate for your Mac’s local name (as displayed in Sharing preferences), does that work?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
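As an added example (not from this thread, Apple's technote, or the Q&A), here is the two-tier layout Quinn recommends above, together with the host-name check from the localhost reply: a shell script using openssl to create a self-signed root, issue a server certificate for an assumed host name (mymac.local, a placeholder for your Mac's local name), and verify that the leaf chains to the root and matches that name. It assumes openssl 1.1.1 or later on the PATH; only ca.crt is what you install on the device.

```shell
#!/bin/sh
# Constructed example: builds a throwaway test CA and a server certificate
# issued by it in DIR. Nothing here is from the thread or the technote.
set -eu

# make_test_pki DIR HOST: self-signed root (CA:TRUE) plus a leaf for HOST.
make_test_pki() {
  dir=$1; host=$2
  mkdir -p "$dir"
  # Own config so the commands do not depend on the system openssl.cnf.
  cat > "$dir/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Test Root CA (constructed)
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  # 1. Root: the self-signed certificate that gets installed as trusted.
  openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 3650 -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # 2. Server key and CSR; -subj overrides the [dn] section for the leaf.
  openssl req -new -config "$dir/ca.cnf" -subj "/CN=$host" -newkey rsa:2048 \
    -nodes -sha256 -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  # 3. Leaf signed by the root. Apple clients match the SAN, not the CN,
  #    and reject server certificates valid for more than 825 days.
  openssl x509 -req -sha256 -days 825 -in "$dir/server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/ca.cnf" -extensions v3_leaf -out "$dir/server.crt" 2>/dev/null
}

# verify_chain DIR HOST: 0 if server.crt chains to ca.crt and names HOST.
verify_chain() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}

# is_ca_cert FILE: 0 if the certificate carries CA:TRUE (what the root must be).
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}
```

Running verify_chain with a different host name than the one in the SAN fails, which is the same mismatch the OS reports when the name the app connects to (for example localhost) is not the name the leaf was issued for.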