iOS 18 Bug -Certificate Trust Settings for Private Root Certificates Not Available

Got the same problem, which influence my usually work with whistle. I can't capture https package without trust the private certificate.

Trust option is not appearing Certificate Trust Settings

Yes,I also facing same issue . Tried different path but still unable to find the way. Currently , i m not able to test Apps for iOS 18.i m also waiting for this fix.

Have the same issue on iOS 18 and iOS 18.1 Public beta. There some advices on the interned, but nothing works! It's really annoying and no workaround for now.

I can’t explain the behaviour you’re seeing, but this continues to work for me. I have a personal CA that I use to issue certificates. I run this CA using Keychain Access > Certificate Assistant, using roughly the process described in Technote 2326 Creating Certificates for TLS Testing.

I just installed this CA’s root certificate on an iOS 18 device by:

1. Downloading the .cer file in Safari.

2. Importing the profile in Settings.

3. Enabling the CA in Settings > About > Certificate Trust Settings.

That is, roughly the process described in QA1948 HTTPS and Test Servers.

I was then able to use Safari to access an HTTPS server whose certificate was issued by that CA.

I’ve seen problems like this in the past and they usually involve one of two things:

• Folks trying to use a self-signed server certificate. Things go more smoothly if you create a CA, have it issue the server certificate, and then trust the CA’s root certificate.

• The CA root certificate being weirdly formed, for example, the issue described here.

I’ve reported it by Feedback

What was your bug number?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I have generated my own SSL cert using openssl. The same cert worked on iOS 17. With iOS 18, I open the certificate in Safari and import it on the iPhone. I get "The authenticity of "mydomain.com" cannot be verified." To which I then click Install. But when I go to trust the cert, it does not show up.

I use NextDNS and when I import their cert, it DOES show up to be trusted as a root CA.

Something has changed to make this no longer work with self generated certs.

In a school trust with 10000‘s of iPads . If iPad upgrades to iOS 18.0.0 MDM profile certs fail. If we disable the block on vpn we can install our jamf MDM profile with certs fine. We have 10+ year certs from Sophos xg firewall.

Link seems to be - if we block vpn our jamf MDM profile breaks and so does certs.

weird how this wasn’t picked up in testing with jamf and apple for edu customers.

a reset post upgrade to iOS 18.0.0 seems to fix it.

hope this helps others

@Dooleylastword - Why not use certificates from a real CA for production use?

I encountered the same issue. I tried to investigate different scenarios with various colleagues. If a user upgrades directly from an iPhone running iOS 16 or earlier to iOS 18, or uses the migration feature to move to iOS 18, the certificate does not appear in the Certificate Trust Settings (Full Trust for Root Certificates) list. However, the same certificate can be successfully installed on an iOS 18 device that hasn’t gone through migration or on a device that has upgraded from iOS 17 to iOS 18, where it appears normally in the Certificate Trust Settings list.

We attempted many solutions and initially thought there might be an issue with our certificate. However, we then directly installed Apple's official Apple PKI webpage (https://www.apple.com/certificateauthority/) and downloaded a certificate for testing. We found that devices with these issues also failed to display the certificate in the list for enabling it.

Currently, the only workaround is to reset the entire phone and not use the migration feature or upgrade from iOS 16 or earlier to iOS 18. Only then will the certificate display correctly in the Full Trust list. I'm not sure if this bug will be fixed.

Something has changed to make this no longer work with self generated certs.

As I mentioned earlier, installing self-signed leaf certificates it definitely taking your off the beaten path and I recommend that you not do that. Instead, set up a test CA and have it issue your leaf.

Why not use certificates from a real CA for production use?

There are lots of good reasons why organisations want to use their own internal CA. A classic example of this is that you run an internal DNS using a well-known domain, like .internal, and most standard CAs won’t issue certificates for such DNS names.

Currently, the only workaround is to reset the entire phone and not use the migration feature or upgrade from iOS 16 or earlier to iOS 18.

OK, that’s a new wrinkle.

Based on this and other threads it’s clear that folks are having significant problems here. If you’re being affected by this, I strongly recommend that you file a bug describing the issue as you see it, what diagnostics you ran, and what they revealed. It would help if you included:

• A copy of the CA certificate that you’re trying to use.

• A sysdiagnose log taken immediately after installing the certificate and seeing the problem in Settings.

Please post your bug number here.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

iosNumberOne said: Currently, the only workaround is to reset the entire phone and not >use the migration feature or upgrade from iOS 16 or earlier to iOS 18. >Only then will the certificate display correctly in the Full Trust list. I'm >not sure if this bug will be fixed.

This isn't entirely accurate. It does not work when updating from iOS 17 to 18. Had this issue on an iPhone 15 Pro and an iPad Pro 11". The existing cert and process had been used as far back as iOS 16 and it worked fine.

DTS Engineer said: As I mentioned earlier, installing self-signed leaf certificates it >definitely taking your off the beaten path and I recommend that you >not do that. Instead, set up a test CA and have it issue your leaf.

While this did work, generating my own CA and then using a cert generated from that, this was not a requirement with prior iOS versions. It needs to be spelled out in the upgrade notes if this is now a requirement. Previously, I would remove and reinstall the cert (without CA) for the last two years if it needed to be regenerated. This no longer works and is an extra step to have your own CA.

We've had 4 devices out of 1,160 that have exhibited signs of this problem. A couple of things that we've noticed;

All 4 devices where on some iOS version older then 17.x

They all would have had a profile blocking VPN

On the last one, we tried installing a profile containing the certs and the profile would install but the cert never was available to trust.

On the last one, the MDM profile was showing as unverified but the device had just checked in with the MDM a day or so before and in the MDM the expiration date looked fine.

So far it's been 3 iPhones and 1 iPad that were affected

With our devices being almost 100% remote, I've not been able to get a sysdiagnose log.

We have found that the only way to recover is by doing an Erase All Contents and Settings.

It needs to be spelled out in the upgrade notes if this is now a requirement.

That’s not what I said. Quoting myself here:

it [takes] your off the beaten path and I recommend that you not do that.

My point is that the having a custom CA that issues certificates for internal servers is a well-trodden path that’s exercised a lot. Speaking personally, I’m pretty sure that works because I use this technique for my own server!

That’s not claiming that this is “now a requirement”, or that installing a leaf certificate is unsupported.

Regardless, the issue being reported on this thread is that, in situations we don’t yet understand, the custom CA path isn’t working. To move forward with that issue, we need some bug reports.

Chivalry0499, Thanks for sharing that info.

With our devices being almost 100% remote, I've not been able to get a sysdiagnose log.

Oh, tricky.

One option that might work for you is to ask a user to file their own bug report. They can do that using the Feedback Assistant app, even on stock versions of iOS. The app is hidden, but you can start it by opening an applefeedback: URL, for example, applefeedback://start.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

@DTS Engineer Hi Quinn. Just wondering if you had a chance to review my bug report and whether the problem is now recognised as a bug. The device in question had been upgraded from iOS 16 so I guess it’s some interaction with the restore process. The device had previously had the related cert installed and working.

Any further info you require?

@DTS Engineer

Hi Quinn

I had some time today to do some more testing to help narrow down the problem. It does appear to be related to restoring a backup from a previous iOS version (in my case iOS 16.7.10.

I did two strands of tests, one to confirm the correct behaviour in a iOS 18 environment, and second restoring various backups created from the original phone after removing both the cert and trust and from the non-working iOS 18 system

• first resetting the phone, seeing if the cert was handled correctly (it was) and then trying a fresh backup and restore to see it was something fundamental in the restore process. This worked exactly as desired. I was surprised to see that the restore process preserved both the configuration profile and its trust so there is obviously some code in the restore process that attempts to restore that aspect which is failing on a non-iOS 18 backup and introducing some sort of corruption into the certificate store?

• second, I removed the cert from the old iOS 16.8 iPhone completely (turned off trust and removed configuration profile). There are no (other) certificates on the phone. I created a new fresh backup and restoring that to the new iPhone 16 got me back to where I started. The cert loaded OK but fails to appear in "Certificate Trust Settings"

** So the bug potentially appears to be in the processing of iOS 18's restore from backup where the backup is from iOS 16 (and given other users feedback) or iOS 17. **

Resetting the phone = "Erase All Contents and Settings"

Loading the cert = Installing the relevant configuration profile created by opening the CER file in Files.

Hope this helps

Yes. But obviously all user customizations and locally saved data is lost. You’ll need to manually reinstall everything - which is a bit onerous. Best take a backup in case it goes wrong. Pity there is no facility to partially restore all data and config

A very significant portion of our user base is experiencing issues with CA certificates not being trusted anymore after updating to iOS 18. This problem was not present in previous iOS versions.

Most users said to be reproducing the issue just by updating to iOS 18. But it does not always happen, and the pattern is not clear.

We were able to reproduce the issue once, and did some investigation:

Any previously installed and trusted CA certificate, prior to reproducing the issue, stopped working. It looks like they are not trusted anymore:

1. They are no longer showing in the 'Certificate Trust Settings' screen. Just the 'Trust Store Version' and the 'Trust Asset Version' are showing there.
2. When trying to check if a certificate is trusted programmatically with SecTrustEvaluateWithError, we get the following error:

Error Code: -67843
Localized Description: "CA Name" certificate is not trusted
NSUnderlyingError: Error Domain=NSOSStatusErrorDomain Code=-67843 "Certificate 0 "CA Name" has errors: Root is not trusted;" UserInfo={NSLocalizedDescription=Certificate 0 "CA Name" has errors: Root is not trusted;}
NSLocalizedDescription: "CA Name" certificate is not trusted

Before reproducing the issue, the CA certificate was showing as trusted in the 'Trust Store Version', and the same piece of code that evaluates if the certificate is trusted (SecTrustEvaluateWithError) was returning that the certificate was trusted.

And although it's possible to install new CA certificates profiles, they never show in the 'Certificate Trust Settings' screen. We tried with several CA certificates, our own and other ones publicly available.

Both cases were reproduced for CA certificates installed:

• Through an MDM profile
• By opening the CA cert URL in Safari and installing it manually from settings

The only way of fixing the issue was through 'Erase All Content and Settings' option. Several things we attempted without success were:

• Erasing all settings (without erasing content/data)
• Removing all the profiles and installing them again

Additional notes:

• We did an iPhone backup after reproducing the issue. If at this point we 'Erase All Content and Settings', then the issue is gone. But if we restore again from this backup, the issue happens again.

We already filed a bug FB15386539 (CA certificates not being trusted) and attached the sysdiagnose log that was generated after installing the profile.

Thanks.

We already filed a bug FB15386539 and attached the sysdiagnose log that was generated after installing the profile.

Thanks.

Just wondering if you had a chance to review my bug report and whether the problem is now recognised as a bug.

Thanks for filing FB15253427.

I hadn’t seen it until now )-: because it was buried away in a comment. I generally recommend that you use replies for critical info like that. See Quinn’s Top Ten DevForums Tips for an explanation as to why.

I had some time today to do some more testing to help narrow down the problem. It does appear to be related to restoring a backup from a previous iOS version (in my case iOS 16.7.10.

Interesting. I’d appreciate you updating your bug with new info as you discover it. That’s the best way to make sure that the folks investigating this have access to it.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

We've reproduced this at our organization as well with a few devices, the common theme appears to be skipping over iOS 16 (either via restoring from backup from iOS 16, or directly upgrading the device from iOS 16 -> iOS 18.

Created FB15442633 with screenshots/sysdiagnose.

We've reproduced this bug at our application with a few devices. Toggle missing on Certificate Trust Settings screen after installing the our certificate on iOS 18

Created FB15517899 with screenshots/sysdiagnose.

I have the same problem. I upgraded my iPhone 13 from iOS 16 to iOS 18 yesterday, and then I couldn't find the Quantumult X certificate in the trust settings.

I believe I am in the same situation as others here. Let me know if this is different. I have a letsencrypt cert for my fqhn.com that I can connect to from outside local LAN (I host this machine on my local LAN). I have a local LAN dns that points to the same fqhn.com but IP is translated to a local IP Address for connections. Other devices (Linux or OpenSSL, curl) can connect to my fqhn.com on local LAN fine. when I try any apple device on wifi/local LAN I get an error “Safari can’t open the page because it couldn’t establish a secure connection to the server”. When I turn wifi off on one of these devices which is an iPhone and use my ISP to connect to fqhn.com, the website loads fine. I assume this is same issue where the cert is no longer trusted.

Hello,

We have tried various ways to solve this issue to our customers; removing certs, reinstalling, over-riding the existing ones... and we have not being able to find a workaround to provide some steps to our customers to solve it.

The issue is quite impactful and worrisome on our side, so I wonder,

1. Have a workaround for the issue being identified (besides performing a factory reset)?

2. How could we get to know an estimation from Apple to fix it? We are trying all the Beta updates hoping to have the issue fixed, but it looks like it won't be fixed in the upcoming release. So far it is unclear even if this issue is going to be fixed.

For now I feel we can only cross fingers. Bests.

Not fixed with iOS 18.1. I was hoping it would be, because this problem sounds suspiciously similar:

Fixes an issue where digital car keys may not unlock or start a vehicle with passive entry after restoring from a backup or transferring directly from another iPhone

Also getting this issue with installed certificates not appearing in the Trust Store after upgrading my iPhone from an iPhone 8 to an iPhone 11 using the Quick Start utility. This is quite critical as I use mTLS with my own PKI to authenticate to some internal websites and this is now broken.

Thanks @om-q for the investigation - if we still don’t have a workaround in a few weeks then it seems like erasing all settings will fix the issue although I obviously wouldn’t prefer this option!

Is there any ETA for a fix on this?