iOS 11 12 and 13 installed certificates not trusted automatically self signed

Question

On our internal network  we use a self-signed CA certificate  This has worked fine for years  in both Safari and our iOS product  all the way through iOS 10  We simply install the CA certificate on any new device or simulator and everything works  even with ATS  This allows access to all of our internal test servers without having to trust each server individually   Starting with iOS 11 the installed CA certificate no longer allows Safari or our app to trust the certificate for any of the servers  We receive the following relevant details with CFNETWORK DIAGNOSTICS enabled for our app      Error Domain kCFErrorDomainCFNetwork Code -1200    kCFNetworkCFStreamSSLErrorOriginalValue -9802    kCFStreamErrorDomainKey 3    kCFStreamErrorCodeKey -9802   NSLocalizedDescription An SSL error has occurred and a secure connection to the server cannot be made    NSLocalizedRecoverySuggestion Would you like to connect to the server anyway    I spent considerable time trying to resolve this issue  scouring StackOverflow and the rest of the web  Although we use AFNetworking in our app  that seems to be irrelevant  as Safari no longer trusts these servers via the CA  Disabling ATS via NSAllowsArbitraryLoads allows access to the servers  but obviously isn t a solution   No changes have been made to our -URLSession didReceiveChallenge completionHandler code  and we have a proper  worked for years  implementation of challenge response via challenge protectionSpace serverTrust   I have re-evaluated and tested both the CA and server certificates every way I can think of  and they work everywhere except iOS 11  What might have changed in ATS for iOS 11 that could cause this issue

User · Answer

Recommended solution is to install and trust a self-signed certificate (root). Assuming you created your own CA and the hierarchy of the certificated is correct you don't need to change the server trust evaluation. This is recommended because it doesn't require any changes in the code.

Generate CA and the certificates (you can use openssl: Generating CA and self-signed certificates.
Install root certificate (*.cer file) on the device - you can open it by Safari and it should redirect you to Settings
When the certificated is installed, go to Certificate Trust Settings (Settings > General > About > Certificate Trust Settings) as in MattP answer.

If it is not possible then you need to change server trust evaluation.

More info in this document: Technical Q&A QA1948 HTTPS and Test Servers

User · Answer

Apple hand three categories of certificates: Trusted, Always Ask and Blocked. You'll encounter the issue if your certificate's type on the Blocked and Always Ask list. On Safari it show’s like:

And you can find the type of Always Ask certificates on Settings > General > About > Certificate Trust Setting

There is the List of available trusted root certificates in iOS 11

Blocking Trust for WoSign CA Free SSL Certificate G2

User · Answer

While writing this question  I discovered the answer  Installing a CA from Safari no longer automatically trusts it  I had to manually trust it from the Certificate Trust Settings panel  also mentioned in this question      I debated canceling the question  but I thought it might be helpful to have some of the relevant code and log details someone might be looking for  Also  I never encountered the issue until iOS 11  I even went back and reconfirmed that it automatically works up through iOS 10   I ve never needed to touch that settings panel before  because any installed certificates were automatically trusted  Maybe it will change by the time iOS 11 ships  but I doubt it  Hopefully this helps save someone the time I wasted   If anyone knows why this behaves differently for some people on different versions of iOS  I d love to know in comments   Update 1  Checking out the first iOS 12 beta  it looks like things remain the same  This question answer comments are still relevant on iOS 12   Update 2  Same solution seems to be needed on iOS 13 beta builds as well

User · Answer

I follow all recommendations and all requirements  I install my self signed root CA on my iPhone  I make it trusted  I put certificate signed with this root CA on my local development server and I still get certificated error on safari iOS  Working on all other platforms

User · Answer

This has happened to me also  after undating to IOS11 on my iPhone  When I try to connect to the corporate network it bring up the corporate cert and says it isn t trusted  I press the  trust  button and the connection fails and the cert does not appear in the trusted certs list

User · Answer

I ve been struggling with this for 3 days now while attempting to connect to a local API running Laravel valet  I finally figured it out  In my case I had to drag and drop over the LaravelValetCASelfSigned pem file from    config valet CA LaravelValetCASelfSigned pem  After verifying the installing within the simulator I had to go to Settings   About   Certificate Trust Settings   and Enable the Laravel Valet VA Self Signed CN  Finally working

User · Answer

If you are not seeing the certificate under General->About->Certificate Trust Settings, then you probably do not have the ROOT CA installed. Very important -- needs to be a ROOT CA, not an intermediary CA.

I just answered a question here explaining how to obtain the ROOT CA and get things to show up: How to install self-signed certificates in iOS 11

[ios] iOS 11, 12, and 13 installed certificates not trusted automatically (self signed)

The answer is

Examples related to ios

Tags