iOS 18 Bug -Certificate Trust Settings for Private Root Certificates Not Available

Business & Education Device Management Beta Device Management

Created Sep ’24

Replies 34

Boosts 18

Views 8.9k

Participants 30

Importing an existing self- signed trusted root certificate no longer triggers option to trust cert in Settings / About / Certificate Trust Settings In iOS 18.

Cert installed manually from internal website, as email attachment, and using profile in Configurator all produce same result.

Same cert and processes work on iOS 16.7.10, iOS 17.6.1 and iPadOS 18.0

But not on iOS 18.0 nor beta iOS 18.1 beta5 on iPhone 16

Also tried regening a new test root on macOS Sonoma and installing using Configurator. No difference.

It’s broken - I’ve reported it by Feedback - it’s a vital security flaw.

Anyone else see this or have a workaround?

Answered by DTS Engineer in 811930022

A quick update…

First up, thanks for all the bug reports!

Based on your bugs we think we understand what’s happening here. As folks have noted on this thread, it seems to be related to updating from iOS 16 or earlier, either directly or from a restored backup. The system is not correctly handling the migration from an older form of its internal data structures.

Most folks don’t see this because they’re updating from iOS 17, and the migration works correctly in that case.

And just to head off the inevitable follow-up question… I don’t have any info to share as to when this will be fixed. All I can say right now is that the bug is still present in the latest iOS 18.2b1 seed (22C5109p).

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Boost

bgrkl OP

A different scenario and maybe a clue to what's broken in the Mail app?

I have an iPhone16Pro that was configured from a backup of an iPhone15Pro running iOS 17.7 with the same problem. Removing the mail accounts and restarting the phone did not work. Erasing all data and starting from fresh did not work.

I'm trying to connect to a dovecot instance with a cert signed by my own root certificate.

I then created a profile with those certs and installed it on the phone that had been restored once again from the iOS17.7 backup and had the mail account removed and the phone rebooted. After I installed the profile, I can see and have enabled my root cert in the Certificate Trust Settings on the phone.

When I add the Mail account, it negotiates the SSLv3/TLSv1.3 successfully. However, when the app tries to get mail, the mail server still gets the error code indicating that the client doesn't trust the certficate.

Note: The certs continue to work with Thunderbird as the mail client on macOS Sequoia 15.0.1.

Advanced_Engineer OP

22h

I had a similar problem, but it was solved, and the root cause was the system configuration, not the certificate

DTS Engineer OP

Apple

17h

Recommended

A quick update…

First up, thanks for all the bug reports!

Most folks don’t see this because they’re updating from iOS 17, and the migration works correctly in that case.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Frankyy OP

12h

Based on your bugs we think we understand what’s happening here. As folks have noted on this thread, it seems to be related to updating from iOS 16 or earlier, either directly or from a restored backup. The system is not correctly handling the migration from an older form of its internal data structures [...] … I don’t have any info to share as to when this will be fixed [...]

Glad to hear you found the root cause on your side. Take the time to properly fix it, no worries. Let us know if you need additional input.

I would also like to thank you for your open communication regarding the problem and bringing awareness of it to the developer team!