iOS 18 Bug -Certificate Trust Settings for Private Root Certificates Not Available

Business & Education Device Management Beta Device Management

Created Sep ’24

Replies 53

Boosts 29

Views 18k

Participants 47

Importing an existing self- signed trusted root certificate no longer triggers option to trust cert in Settings / About / Certificate Trust Settings In iOS 18.

Cert installed manually from internal website, as email attachment, and using profile in Configurator all produce same result.

Same cert and processes work on iOS 16.7.10, iOS 17.6.1 and iPadOS 18.0

But not on iOS 18.0 nor beta iOS 18.1 beta5 on iPhone 16

Also tried regening a new test root on macOS Sonoma and installing using Configurator. No difference.

It’s broken - I’ve reported it by Feedback - it’s a vital security flaw.

Anyone else see this or have a workaround?

Answered by DTS Engineer in 811930022

A quick update…

First up, thanks for all the bug reports!

Based on your bugs we think we understand what’s happening here. As folks have noted on this thread, it seems to be related to updating from iOS 16 or earlier, either directly or from a restored backup. The system is not correctly handling the migration from an older form of its internal data structures.

Most folks don’t see this because they’re updating from iOS 17, and the migration works correctly in that case.

And just to head off the inevitable follow-up question… I don’t have any info to share as to when this will be fixed. All I can say right now is that the bug is still present in the latest iOS 18.2b1 seed (22C5109p).

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Boost

bgrkl OP

A different scenario and maybe a clue to what's broken in the Mail app?

I have an iPhone16Pro that was configured from a backup of an iPhone15Pro running iOS 17.7 with the same problem. Removing the mail accounts and restarting the phone did not work. Erasing all data and starting from fresh did not work.

I'm trying to connect to a dovecot instance with a cert signed by my own root certificate.

I then created a profile with those certs and installed it on the phone that had been restored once again from the iOS17.7 backup and had the mail account removed and the phone rebooted. After I installed the profile, I can see and have enabled my root cert in the Certificate Trust Settings on the phone.

When I add the Mail account, it negotiates the SSLv3/TLSv1.3 successfully. However, when the app tries to get mail, the mail server still gets the error code indicating that the client doesn't trust the certficate.

Note: The certs continue to work with Thunderbird as the mail client on macOS Sequoia 15.0.1.

Advanced_Engineer OP

I had a similar problem, but it was solved, and the root cause was the system configuration, not the certificate

DTS Engineer OP

Apple

Recommended

A quick update…

First up, thanks for all the bug reports!

Most folks don’t see this because they’re updating from iOS 17, and the migration works correctly in that case.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Frankyy OP

Based on your bugs we think we understand what’s happening here. As folks have noted on this thread, it seems to be related to updating from iOS 16 or earlier, either directly or from a restored backup. The system is not correctly handling the migration from an older form of its internal data structures [...] … I don’t have any info to share as to when this will be fixed [...]

Glad to hear you found the root cause on your side. Take the time to properly fix it, no worries. Let us know if you need additional input.

I would also like to thank you for your open communication regarding the problem and bringing awareness of it to the developer team!

KDBaumann OP

I can not add a cert generated by lets-encrypt. I assume this is the same issue as described here?

Thanks

FinnG15 OP

Hey forum people, I was wondering if this is still an issue in iOS 18.1 and if it is how or if I fix it on my iPhone 15? I am happy to answer any and all questions concerning this issue. Thank you for taking the time to answer my question.

DTS Engineer OP

Apple

I can not add a cert generated by lets-encrypt. I assume this is the same issue as described here?

No. This thread is about adding trusted root certificates. You might, for example, want to do this if you’re managing a large organisation and you want to run an internal CA that issues certificates for your internal infrastructure.

Let’s Encrypt issues leaf certificates for servers on the public Internet. Its root certificate is trusted by default.

I was wondering if this is still an issue in iOS 18.1

Quoting myself here:

All I can say right now is that the bug is still present in the latest iOS 18.2b1 seed (22C5109p).

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

mhdg OP

in case some see those errors in dovcot logs, it seems related to this issue SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown: SSL alert number 46

Strongly waiting a resolution !

chkpnt OP

@DTS Engineer Any update regarding iOS 18.2b2?

invi OP

Based on your bugs we think we understand what’s happening here. As folks have noted on this thread, it seems to be related to updating from iOS 16 or earlier, either directly or from a restored backup. The system is not correctly handling the migration from an older form of its internal data structures.

Most folks don’t see this because they’re updating from iOS 17, and the migration works correctly in that case.

I can confirm that one of my devices that had the issue was updated from iOS 17 to iOS 18. The device is still broken and I am trying every update available and still waiting for the OS update that fixes the issue.

Heads up @DTS Engineer because the issue is not only related to iOS 16 or earlier, so it could happen that folks are not spotting the issue but something different. Hope this nuance can help to solve the issue.

Thank you, Sergio.

DTS Engineer OP

Apple

Someone asked about this in a separate context so I figured I’d post a quick update here. Unfortunately there’s not much to say. Yesterday we started seeding iOS 18.2b3 (22C5131e) and it doesn’t contain the fix for this.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

jmitchella2u OP

We have had this same issue on 18.0, 18.0.1 and 18.1 when upgrading an iPhone and when pre-installed on a new iPhone. This blocks our customers from using our app. The only work around seems to be a factory reset, which is a very harsh thing to tell a customer.

dapengw OP

More and more users are experiencing problems now. Will this issue be fixed in iOS 18.2 version?

DreamPiggy OP

Any update ?

It seems iOS 18 change something internal about CA security framework, when user update OTA from iOS 17, the CA cert no longer exits on “Certificate Trust Settings”

I do think it’s a huge bug regression, since iOS promised to allows user to upgrade to the latest version as quickly as possible, but this annoying bug is shipped to official iOS 18 version and non-QA test for this case.

The current ugly solution without totally reset the iPhone, is to edit the backup file via third-party Mac App to edit the sqlite database and plist file, which is more complicated for the end-user.

DreamPiggy OP

The ugly solution to use backup file and extract the old cert on your iPhone without jb

https://apple.stackexchange.com/questions/300203/how-can-i-delete-a-certificate-that-got-restored-from-a-backup-under-ios-10-11

Then, send this cert to your iPhone running iOS 18 and enable again, it should appears on Trust Setting page. You can remove it and reinstall with the new one.