13 Replies
      Latest reply on Aug 16, 2019 1:01 AM by eskimo
      swbrenneis Level 1 (0 points)

        I have created a private CA for testing an iOS application. I have installed the root certificate on the simulator and on my iPhone 6s. In both places, the profile says that the certificate is installed and verified. However, it does not show up in the Certificate Trust Settings. I have tried to install the certificate in both PEM and DER formats. Neither works.

         

        Any help would be appreciated.

        • Re: Private CA root certificate missing from trust settings
          KMT Level 9 (15,225 points)

          What process did you employ to install, in both examples?

          • Re: Private CA root certificate missing from trust settings
            eskimo Apple Staff (12,435 points)

            I’ve recently been working on an update to QA1948 and so testing this stuff a lot.  Except for a problem with watchOS 4 (r. 34652068) everything else seems to be working fine.

            Can you post a link to (or a hex dump of) the CA certificate you’re trying to install?

            Share and Enjoy

            Quinn “The Eskimo!”
            Apple Developer Relations, Developer Technical Support, Core OS/Hardware
            let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: Private CA root certificate missing from trust settings
              swbrenneis Level 1 (0 points)

              I have been trying to post a link to the certificate, but the replies say, "Currently being moderated." The first one said that for almost 24 hours. Does it normally take that long to moderate a reply? I guess it's because the reply includes a link. Hopefully this one will get through.

               

              The PEM for the cert is at pippip dot io slash rootcert slash ca.cert.pem.

                • Re: Private CA root certificate missing from trust settings
                  KMT Level 9 (15,225 points)

                  Can take a few days, or never...depends on mods. Note not all outbound urls are banned, tho. For those that are, try breaking it, like this:

                   

                  h ttp://cnn.com

                  • Re: Private CA root certificate missing from trust settings
                    eskimo Apple Staff (12,435 points)

                    Does it normally take that long to moderate a reply?

                    It can take a while.  However, if it’s a thread I’m actively looking at then I’ll approve the post the next time I swing by the thread, so it doesn’t actually cause any real delay.

                    Or, as KMT suggested, you can disguise the URL.

                    The PEM for the cert is at pippip dot io slash rootcert slash ca.cert.pem.

                    Well, that was interesting.  I looked at the certificate and couldn’t see any obvious issues with it.  I then installed it on my device and replicated the problem you’re seeing.  My own test certificate is visible in Certificate Trust Settings but yours is MIA.  Weird.

                    I eventually tracked this down to the certificate common name.  It seems that Certificate Trust Settings uses the certificate’s common name as the cell title, and if the certificate doesn’t have a common name then it just gets dropped )-:  This is most definitely a bug and you should file it as such.  Please post your bug number so that I can add my analysis to it.

                    If you have control over the root certificate in question you could get around this by re-issuing it with a common name.  Creating your certificate with Certificate Authority (see TN2326) makes this easy.

                    If not, I suspect the only option is to install the certificate via MDM, where you’re not required to manually approve it.

                    Share and Enjoy

                    Quinn “The Eskimo!”
                    Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                    let myEmail = "eskimo" + "1" + "@apple.com"
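The diagnosis in the reply above (a root certificate whose subject has no Common Name is dropped from Certificate Trust Settings) can be checked before a certificate is installed. This is an added example, not code from the thread or from Apple: a dependency-free DER walker that lists the subject's attribute OIDs. The sample certificates are constructed, unsigned skeletons, and `tlv`, `attr`, `sample_cert` and the names in them are assumptions made for the illustration.

```python
CN_OID = bytes.fromhex("550403")  # DER body of OID 2.5.4.3 (commonName)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    """List the elements nested inside a constructed value."""
    out = []
    while start < end:
        out.append(read_tlv(buf, start))
        start = out[-1][2]
    return out

def subject_attribute_oids(der):
    """Walk Certificate -> tbsCertificate -> subject and return its attribute OIDs."""
    _, start, _ = read_tlv(der, 0)                     # Certificate SEQUENCE
    fields = children(der, *read_tlv(der, start)[1:])  # tbsCertificate fields
    if fields[0][0] == 0xA0:                           # optional [0] version
        fields = fields[1:]
    _, name_start, name_end = fields[4]  # after serial, sigAlg, issuer, validity
    oids = []
    for _, rdn_start, rdn_end in children(der, name_start, name_end):
        for _, atv_start, _ in children(der, rdn_start, rdn_end):
            _, oid_start, oid_end = read_tlv(der, atv_start)
            oids.append(bytes(der[oid_start:oid_end]))
    return oids

def has_common_name(der):
    return CN_OID in subject_attribute_oids(der)

# --- constructed sample input: unsigned skeletons, short-form lengths only ---
def tlv(tag, *parts):
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def attr(oid_hex, text):  # one RDN: SET { SEQUENCE { OID, UTF8String } }
    return tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)), tlv(0x0C, text.encode())))

def sample_cert(*subject_rdns):
    name = tlv(0x30, *subject_rdns)
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"),
              tlv(0x30), name, tlv(0x30), name)  # version, serial, sigAlg, issuer, validity, subject
    return tlv(0x30, tbs)

ORG = attr("55040a", "Example Org")
NO_CN = sample_cert(ORG)  # subject without a CN, the condition diagnosed above
WITH_CN = sample_cert(ORG, attr("550403", "Example Test Root CA"))
```

To run the check on a real file, pass the bytes of a DER-encoded certificate to `has_common_name`; for a PEM file, base64-decode the text between the BEGIN and END lines first.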

                      • Re: Private CA root certificate missing from trust settings
                        eskimo Apple Staff (12,435 points)

                        This is most definitely a bug and you should file it as such.

                        Just FYI, I ended up filing my own bug about this (r. 35071483).

                        Share and Enjoy

                        Quinn “The Eskimo!”
                        Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                        let myEmail = "eskimo" + "1" + "@apple.com"

                          • Re: Private CA root certificate missing from trust settings
                            swbrenneis Level 1 (0 points)

                            Thank you, sir.

                             

                            Sorry for the late response. I was wrestling with a certificate issue on the Amazon API gateway. I'll not post a long rant with my opinion of the PKI.

                             

                            I checked the original root cert and it is, indeed, missing the CN. Way back at the dawn of time, we didn't put CNs on the root cert because they would never be used for any kind of physical verification, i.e. DNS lookup. When the root cert is reissued, I will make sure that it has a CN.

                             

                            Again, thank you for your help.

                              • Re: Private CA root certificate missing from trust settings
                                eskimo Apple Staff (12,435 points)

                                we didn't put CNs on the root cert because they would never be used for any kind of physical verification

                                Right.  I’ve seen other root certificates without a Common Name entry, so I think that’s allowed.  IMO this is a bug in the Certificate Trust Settings, which is why I filed a bug against it.

                                When the root cert is reissued, I will make sure that it has a CN.

                                Cool.  Glad you have a decent workaround option.

                                Share and Enjoy

                                Quinn “The Eskimo!”
                                Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                let myEmail = "eskimo" + "1" + "@apple.com"

                                  • Re: Private CA root certificate missing from trust settings
                                    BCTZ Level 1 (0 points)

                                    Hi,

                                     

                                    I am experiencing the same problem with my iPhone 7 plus running software version 12.4.

                                    I installed a self signed cert but I cannot manually approve it because it is not showing up under Certificate Trust Settings.

                                     

                                    Thank you.

                                      • Re: Private CA root certificate missing from trust settings
                                        eskimo Apple Staff (12,435 points)

                                        I installed a self signed cert but I cannot manually approve it because it is not showing up under Certificate Trust Settings.

                                        The bug I filed about this (r. 35071483) remains unfixed )-:  Fortunately, you can work around this by re-creating your CA certificate with a Common Name attribute.  If that doesn’t fix the problem, please post a hex dump of your certificate and I’ll take a look.

                                        Share and Enjoy

                                        Quinn “The Eskimo!”
                                        Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                        let myEmail = "eskimo" + "1" + "@apple.com"

                                          • Re: Private CA root certificate missing from trust settings
                                            klarantben Level 1 (0 points)

                                            eskimo, do you know in which release it would be fixed?
                                            Today I added the friendly name attribute (CN in Windows) to my self signed CA root cert, exported (*.cer) and imported (iOS 12.4 on iPad 6) my certificate again, but the setting is still missing.

                                             

                                            Looking forward!

                                             

                                            Benedikt

                                              • Re: Private CA root certificate missing from trust settings
                                                eskimo Apple Staff (12,435 points)

                                                do you know in which release it would be fixed?

                                                No.

                                                Although if your CA certificate has a Common Name and it’s still not showing up, that’s not the same problem as this.

                                                FYI, I have a custom CA certificate installed on my personal devices and I regularly install a custom CA certificate for testing on my work devices, and this feature works for me on every version of iOS that I’ve tried it on.  If your custom CA certificate is having problems, you should try creating it using a different tool.  The tool I use is Certificate Assistant, built in to macOS, as I outlined in Technote 2326 Creating Certificates for TLS Testing.

                                                Share and Enjoy

                                                Quinn “The Eskimo!”
                                                Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                                let myEmail = "eskimo" + "1" + "@apple.com"