8 Replies
      Latest reply: Mar 16, 2017 5:29 AM by eskimo
      samserva Level 1 (0 points)

        Hi,

         

        If the server uses a self-signed certificate, can we import the root certificate of the self-signed certificate as trusted into the iOS device?

        And if we import the root certificate as trusted into the device, does the connection work with ATS enabled?

         

        Thanks,

        Sam

        • Re: Adding self-signed as trusted root certificate
          Beast Level 3 (125 points)

          One can, but this solution is really only practical for enterprise apps where one can distribute the CA certificate via MDM.  Prompting users to add root certificates isn't a very good UX for most users.

            • Re: Adding self-signed as trusted root certificate
              samserva Level 1 (0 points)

              Hi,

              Thanks for your time on this query. My query was specific to self-signed certificates and not related to custom CA certificates. Can you please reconfirm whether we can import the root certificate of a self-signed certificate as trusted into the iOS device?

                • Re: Adding self-signed as trusted root certificate
                  Beast Level 3 (125 points)

                  Yes, self-signed certificates can be imported into the device as trusted certificates.

                    • Re: Adding self-signed as trusted root certificate
                      samserva Level 1 (0 points)

                      Hi,

                      Thanks for your time again.

                      I was able to import the self-signed certificate as a trusted certificate, but even then I was getting the security-risk pop-up asking the user to cancel or proceed with the server connection, and the lock was white instead of green (in the Safari browser). I have the following two queries:

                      1. Can you please confirm whether importing self-signed certificates into the device as trusted certificates should result in a secured connection with the server (green lock visible to the user)?

                      2. If we import a self-signed root certificate as trusted into the device, does the connection work with ATS enabled as well?

                        • Re: Adding self-signed as trusted root certificate
                          Beast Level 3 (125 points)

                          Yes, adding a self-signed certificate will always prompt the user about the certificate being untrusted when attempting to add the certificate to the trusted store.

                           

                          A self-signed certificate is not verified or audited by any external entities, so no, it will never have a green lock.

                           

                          These two reasons are why most non-enterprise apps don't use self-signed certificates.

                           

                          ATS will work with a trusted self-signed certificate.

                          • Re: Adding self-signed as trusted root certificate
                            eskimo Apple Staff (6,075 points)

                            There are edge cases that can prevent self-signed certificates from working as server certificates.  What I typically do is create a root certificate (which is self-signed, obviously) and have that issue my server certificate.  You can then install the root certificate like you would any other root certificate, and that puts you on the well-trodden path.

                            You can create a certificate authority and issue certificates from it using your Mac; Technote 2326 Creating Certificates for TLS Testing has the details.

                            Share and Enjoy

                            Quinn “The Eskimo!”
                            Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                            let myEmail = "eskimo" + "1" + "@apple.com"
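
The layout eskimo describes (a self-signed root that issues the server certificate), as an added example using the `openssl` command line rather than the Mac procedure in Technote 2326. It is not part of the original thread, and the names `Test Root CA`, `server.test.example` and `./test-pki` are constructed.

```shell
#!/bin/sh
# Added example: build a test root CA and have it issue the server certificate.
# All names (Test Root CA, server.test.example, ./test-pki) are constructed.
set -eu

make_test_pki() {
    dir=$1; host=$2
    mkdir -p "$dir"
    cat > "$dir/ext.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[root_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # Root: self-signed, CA:TRUE. Only root.pem is installed and trusted on the device.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$dir/ext.cnf" -extensions root_ext -subj "/CN=Test Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    # Server key and CSR; the root key never needs to leave this machine.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/ext.cnf" -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # Root signs the CSR; the leaf gets the host name in subjectAltName and the serverAuth EKU.
    openssl x509 -req -in "$dir/server.csr" -sha256 -days 365 \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$dir/ext.cnf" -extensions leaf_ext -out "$dir/server.pem" 2>/dev/null
}

# True when subject and issuer are the same name (holds for the root, not the leaf).
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# True when the server certificate chains to the test root.
verify_chain() {
    openssl verify -CAfile "$1/root.pem" "$1/server.pem" >/dev/null 2>&1
}

make_test_pki "${1:-./test-pki}" "${2:-server.test.example}"
verify_chain "${1:-./test-pki}" && echo "server.pem chains to root.pem"
```

`root.pem` is the file to install and trust on the device; `server.pem` and `server.key` are configured on the TLS server, and `root.key` stays on the machine that issued them.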