How to install self-signed certificates in iOS 11

梦毁少年i 2020-12-11 17:32

I've been using self-signed certificates in the intranet of my small office and after upgrading to iOS 11, the certificates do not work for me. (Chrome and other browsers

3 Answers
  • 2020-12-11 18:11

    Just use the following commands, then AirDrop or send yourself that cert via email. Make sure to answer all the questions when you see prompts.

    openssl genrsa -out privatekey.pem 1024
    openssl req -new -x509 -key privatekey.pem -out publickey.cer -days 1825
    openssl pkcs12 -export -out public_privatekey.pfx -inkey privatekey.pem -in publickey.cer
    

    I had the same issue until I used this command. I don't know why this happens but the command works. Cheers!

    0 Comments (0)
  • 2020-12-11 18:18

    If you are not seeing the certificate under General->About->Certificate Trust Settings, then you probably do not have the ROOT CA installed. Very important -- needs to be a ROOT CA, not an intermediary CA.

    This is very easy to determine by using openssl:

    $ openssl s_client -showcerts -connect myserver.com:443 </dev/null
    

    This will show you output for certificates in the cert chain, something like this:

        Certificate chain
         0 s:/C=US/ST=California/L=SAN FRANCISCO/O=mycompany.com, inc./OU=InfraSec/CN=myserver.com
           i:/C=US/O=mycompany.com, inc./CN=mycompany.com Internal CA 1A
        -----BEGIN CERTIFICATE-----
        ....encoded cert in PEM format....
        -----END CERTIFICATE-----
    

    And it should show a chain of certs all the way to the ROOT CA. Keep following the output, paying attention to the "i:" value which indicates the ISSUER. Finally, you should get to the ROOT CA and can just copy-paste it to a .pem file (be sure to include the BEGIN CERTIFICATE and END CERTIFICATE lines!). Now you will be able to install it on your simulator by dragging-dropping onto simulator window.

    If your ROOT CA is not listed, then find the top level in the output, then export it from Keychain Access.app. This assumes you are able to hit the website via Safari/Chrome, so you will have had to manually trust the website first.

    My 'openssl s_client' output ended with the last cert shown with an issuer like this:

    i:/C=US/O=mycompany.com, inc./CN=mycompany.com Internal Root CA 1

    I am able to hit the target website successfully via Safari/Chrome, so that means Keychain has it stored and trusts it. So, I just launched Keychain Access.app via Spotlight and typed "mycompany" in the search bar. It showed my certificate (Kind=certificate) for "mycompany.com Internal Root CA 1". I just right clicked and selected "Export" and saved it to a .cer file.

    Voila! Now I can drag-n-drop it onto my simulator and the ROOT CA will show up under General->About... and I can enable it.

    If, for some reason you need to convert PEM file to DER/CER, just use this command:

    $ openssl x509 -in myfile.pem -out myfile.der -outform DER
    

    Hope this helps, I've had to do this dozens of times and figured it's about time I jot down some notes so I don't keep forgetting.

    0 Comments (0)
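The chain walk described in the answer above (follow each "i:" value until you reach the root), as an added example that is not part of the original answer: it parses saved `openssl s_client -showcerts` output, returns the root's PEM block when the server sent it, and otherwise names the issuer that was not sent. The function names and the sample text are assumptions made for illustration; the comparison uses the printed names only and does not verify any signature.

```python
import re
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

# Constructed s_client -showcerts output; the PEM bodies are placeholders.
SAMPLE = """Certificate chain
 0 s:/C=US/O=mycompany.com, inc./CN=myserver.com
   i:/C=US/O=mycompany.com, inc./CN=mycompany.com Internal CA 1A
-----BEGIN CERTIFICATE-----
PLACEHOLDER0
-----END CERTIFICATE-----
 1 s:/C=US/O=mycompany.com, inc./CN=mycompany.com Internal CA 1A
   i:/C=US/O=mycompany.com, inc./CN=mycompany.com Internal Root CA 1
-----BEGIN CERTIFICATE-----
PLACEHOLDER1
-----END CERTIFICATE-----
"""

def parse_chain(text):
    """Return one dict per chain entry: depth, subject, issuer, pem."""
    certs, pem = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if pem is not None:                      # inside a PEM block
            pem.append(line)
            if line == END:
                certs[-1]["pem"], pem = "\n".join(pem) + "\n", None
        elif m := re.match(r"(\d+) s:(.*)", line):
            certs.append(dict(depth=int(m[1]), subject=m[2], issuer=None, pem=None))
        elif line.startswith("i:") and certs and certs[-1]["issuer"] is None:
            certs[-1]["issuer"] = line[2:]
        elif line == BEGIN and certs:
            pem = [line]
    return certs

def find_root(certs):
    """Follow the i: links from entry 0. Returns (root_entry, None) if a
    self-issued cert (subject == issuer) was sent, else (None, missing_issuer)."""
    if not certs: return None, None
    by_subject = {c["subject"]: c for c in certs}
    cur, seen = certs[0], set()
    while cur["subject"] != cur["issuer"]:
        seen.add(cur["subject"])
        nxt = by_subject.get(cur["issuer"])
        if nxt is None or nxt["subject"] in seen:   # not sent, or a name loop
            return None, cur["issuer"]
        cur = nxt
    return cur, None

if __name__ == "__main__":
    print(find_root(parse_chain(SAMPLE)))
```

For the constructed sample the root is not in the chain, which is the case the answer handles by exporting the certificate from Keychain Access.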
  • 2020-12-11 18:23

    Apparently iOS does not like certificates without a Common Name, so just regenerate it with a non-empty CN and it will appear in the root certificates list.

    0 Comments (0)