iOS 10.3 and user installed SHA-1 certificates

According to the announcement https://support.apple.com/en-us/HT207459, user-installed SHA-1 certificates are not affected by the change in support of SHA-1 signed certificates.


But connection to our backend server on iOS 10.3 beta fails because of an unknown CA. Installed certificates are ignored.

  • Server certificate, CA certificate and all intermediate certificates are installed on the iOS device.
  • All the certificates are SHA-1 signed.
  • Certificates are installed using a configuration profile in Apple Configurator.
  • Connection fails using both NSURLSession and NSURLConnection.
  • In the previous iOS version the communication with the server works fine.


Is it a bug in iOS 10.3 beta or is there some additional setting to allow SHA-1 certificates?

Accepted Reply

So just now I have found the reason why the CA is evaluated as not trusted.

There is a "Certificate Trust Settings" (Settings->General->About->Certificate Trust Settings). In previous iOS versions user-installed certificates were marked as trusted. In iOS 10.3 Beta they are all by default not trusted.


Now I'm going to check how the certificate trust behaves for certificates installed by MDM policy.

Replies

I have the same problem here. Did you find a workaround?

The only workaround we have found so far is manual server certificate evaluation. But that would be really a big complication for us to override certificate evaluation in every application and every connection.
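
What the manual server certificate evaluation mentioned in the post above can look like for NSURLSession, as an added example that is not code from this thread or from Apple: a session delegate that validates the server chain against a CA certificate bundled with the app while keeping hostname checking. The class name `PrivateCATrustDelegate` and the resource `corp-root-ca.der` are hypothetical, and the server is assumed to send its intermediate certificates in the handshake.

```swift
import Foundation
import Security

// Added example. `PrivateCATrustDelegate` and "corp-root-ca.der" are hypothetical names.
final class PrivateCATrustDelegate: NSObject, URLSessionDelegate {
    private let anchors: [SecCertificate]

    // Loads the DER-encoded CA certificate shipped inside the app bundle.
    init?(anchorResource: String = "corp-root-ca", bundle: Bundle = .main) {
        guard let url = bundle.url(forResource: anchorResource, withExtension: "der"),
              let der = try? Data(contentsOf: url),
              let cert = SecCertificateCreateWithData(nil, der as CFData) else { return nil }
        anchors = [cert]
        super.init()
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        // Only server-trust challenges are handled here; everything else keeps default behaviour.
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = space.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Keep the SSL policy with hostname matching, and accept only the bundled CA as anchor.
        let policy = SecPolicyCreateSSL(true, space.host as CFString)
        guard SecTrustSetPolicies(trust, policy) == errSecSuccess,
              SecTrustSetAnchorCertificates(trust, anchors as CFArray) == errSecSuccess,
              SecTrustSetAnchorCertificatesOnly(trust, true) == errSecSuccess else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // SecTrustEvaluate is the API of the iOS 10 era; newer SDKs offer SecTrustEvaluateWithError.
        var result = SecTrustResultType.invalid
        let status = SecTrustEvaluate(trust, &result)
        if status == errSecSuccess && (result == .unspecified || result == .proceed) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Fail closed: any evaluation error or untrusted result cancels the connection.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}
```

Every `URLSession` that talks to the backend has to be created with such a delegate, which is the per-application, per-connection overhead the post refers to.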

Checked - certificates installed by MDM are on iOS 10.3 Beta by default trusted.

Hi Petr,
I'm using a SHA256 signed cert, but still after installation it's not trusted by default.

Any lead on whether this issue will be fixed on iOS 10.3 or is it acting like it should?

(Although the release note refers only to SHA1 certs)