iOS 18 Bug - Certificate Trust Settings for Private Root Certificates Not Available

Importing an existing self-signed trusted root certificate no longer triggers the option to trust the cert in Settings / About / Certificate Trust Settings in iOS 18.

Cert installed manually from an internal website, as an email attachment, and using a profile in Configurator all produce the same result.

Same cert and processes work on iOS 16.7.10, iOS 17.6.1 and iPadOS 18.0

But not on iOS 18.0 nor iOS 18.1 beta 5 on iPhone 16.

Also tried regenerating a new test root on macOS Sonoma and installing it using Configurator. No difference.

It’s broken - I’ve reported it by Feedback - it’s a vital security flaw.

Anyone else see this or have a workaround?

Answered by DTS Engineer in 811930022

A quick update…

First up, thanks for all the bug reports!

Based on your bugs we think we understand what’s happening here. As folks have noted on this thread, it seems to be related to updating from iOS 16 or earlier, either directly or from a restored backup. The system is not correctly handling the migration from an older form of its internal data structures.

Most folks don’t see this because they’re updating from iOS 17, and the migration works correctly in that case.

And just to head off the inevitable follow-up question… I don’t have any info to share as to when this will be fixed. All I can say right now is that the bug is still present in the latest iOS 18.2b1 seed (22C5109p).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Yes. But obviously all user customizations and locally saved data are lost. You'll need to manually reinstall everything, which is a bit onerous. Best take a backup in case it goes wrong. Pity there is no facility to partially restore all data and config.

A very significant portion of our user base is experiencing issues with CA certificates not being trusted anymore after updating to iOS 18. This problem was not present in previous iOS versions.

Most users are said to be reproducing the issue just by updating to iOS 18. But it does not always happen, and the pattern is not clear.

We were able to reproduce the issue once, and did some investigation:

Any previously installed and trusted CA certificate, prior to reproducing the issue, stopped working. It looks like they are not trusted anymore:

  1. They are no longer showing in the 'Certificate Trust Settings' screen. Just the 'Trust Store Version' and the 'Trust Asset Version' are showing there.
  2. When trying to check if a certificate is trusted programmatically with SecTrustEvaluateWithError, we get the following error:
Error Code: -67843
Localized Description: "CA Name" certificate is not trusted
NSUnderlyingError: Error Domain=NSOSStatusErrorDomain Code=-67843 "Certificate 0 "CA Name" has errors: Root is not trusted;" UserInfo={NSLocalizedDescription=Certificate 0 "CA Name" has errors: Root is not trusted;}
NSLocalizedDescription: "CA Name" certificate is not trusted

Before reproducing the issue, the CA certificate was showing as trusted in the 'Trust Store Version', and the same piece of code that evaluates if the certificate is trusted (SecTrustEvaluateWithError) was returning that the certificate was trusted.

And although it's possible to install new CA certificates profiles, they never show in the 'Certificate Trust Settings' screen. We tried with several CA certificates, our own and other ones publicly available.

Both cases were reproduced for CA certificates installed:

  • Through an MDM profile
  • By opening the CA cert URL in Safari and installing it manually from settings

The only way of fixing the issue was through 'Erase All Content and Settings' option. Several things we attempted without success were:

  • Erasing all settings (without erasing content/data)
  • Removing all the profiles and installing them again

Additional notes:

  • We did an iPhone backup after reproducing the issue. If at this point we 'Erase All Content and Settings', then the issue is gone. But if we restore again from this backup, the issue happens again.

We already filed a bug FB15386539 (CA certificates not being trusted) and attached the sysdiagnose log that was generated after installing the profile.

Thanks.

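As an added example (not code from the post above or from Apple), this is how an app can reproduce the programmatic check described in that post and surface the OSStatus behind the CFError, and how it can evaluate the same chain against its own private root instead of the device trust store. File paths, the host name and the command-line invocation are assumptions for illustration only.

```swift
// Added example, not from the original thread.
// Evaluates a server certificate (1) against the device trust store and
// (2) against an explicitly supplied private root CA.
// Assumed usage: swift evaluate.swift server.pem root.pem intranet.example
import Foundation
import Security

/// Load a certificate from a DER or PEM file. PEM is stripped and base64-decoded
/// because SecCertificateCreateWithData accepts DER only.
func loadCertificate(path: String) -> SecCertificate? {
    guard var data = FileManager.default.contents(atPath: path) else { return nil }
    if let text = String(data: data, encoding: .utf8),
       text.contains("-----BEGIN CERTIFICATE-----") {
        let body = text
            .components(separatedBy: .newlines)
            .filter { !$0.hasPrefix("-----") }
            .joined()
        guard let der = Data(base64Encoded: body) else { return nil }
        data = der
    }
    return SecCertificateCreateWithData(nil, data as CFData)
}

/// One trust evaluation: success flag plus the OSStatus carried in the CFError
/// (for example -67843, errSecNotTrusted, when the root is not a trusted anchor).
struct EvaluationResult {
    let trusted: Bool
    let code: Int?
    let message: String?
}

func evaluate(chain: [SecCertificate], host: String,
              privateRoot: SecCertificate?) -> EvaluationResult {
    let policy = SecPolicyCreateSSL(true, host as CFString)
    var trust: SecTrust?
    let status = SecTrustCreateWithCertificates(chain as CFArray, policy, &trust)
    guard status == errSecSuccess, let trust = trust else {
        return EvaluationResult(trusted: false, code: Int(status),
                                message: "SecTrustCreateWithCertificates failed")
    }
    if let root = privateRoot {
        // Anchor on our own root instead of the device trust store, so the
        // result does not depend on the Certificate Trust Settings toggle.
        _ = SecTrustSetAnchorCertificates(trust, [root] as CFArray)
        _ = SecTrustSetAnchorCertificatesOnly(trust, true)
    }
    var error: CFError?
    let ok = SecTrustEvaluateWithError(trust, &error)
    if ok { return EvaluationResult(trusted: true, code: nil, message: nil) }
    let code = error.map { CFErrorGetCode($0) }
    let message = error.map { CFErrorCopyDescription($0) as String }
    return EvaluationResult(trusted: false, code: code, message: message)
}

let args = CommandLine.arguments
guard args.count == 4,
      let leaf = loadCertificate(path: args[1]),
      let root = loadCertificate(path: args[2]) else {
    print("usage: evaluate.swift <server-cert> <private-root> <hostname>")
    exit(2)
}
let host = args[3]

// 1. Device trust store only. On an affected device this is where
//    -67843 "Root is not trusted" appears even though the profile is installed.
let system = evaluate(chain: [leaf], host: host, privateRoot: nil)
print("system trust store:", system.trusted, system.code ?? 0, system.message ?? "")

// 2. Explicit anchor. Succeeds as long as the leaf really chains to this root
//    and the host name matches, regardless of the device's trust settings.
let pinned = evaluate(chain: [leaf], host: host, privateRoot: root)
print("explicit anchor:", pinned.trusted, pinned.code ?? 0, pinned.message ?? "")
```

The second evaluation is the app-side workaround: an app that ships or fetches its own root and calls SecTrustSetAnchorCertificates in its URLSession authentication challenge handler keeps working whether or not the root is listed in Certificate Trust Settings. It does nothing for Safari, Mail, VPN or other system clients, which still need the device trust store.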

Just wondering if you had a chance to review my bug report and whether the problem is now recognised as a bug.

Thanks for filing FB15253427.

I hadn’t seen it until now )-: because it was buried away in a comment. I generally recommend that you use replies for critical info like that. See Quinn’s Top Ten DevForums Tips for an explanation as to why.

I had some time today to do some more testing to help narrow down the problem. It does appear to be related to restoring a backup from a previous iOS version (in my case iOS 16.7.10).

Interesting. I’d appreciate you updating your bug with new info as you discover it. That’s the best way to make sure that the folks investigating this have access to it.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

We've reproduced this at our organization as well with a few devices; the common theme appears to be skipping over iOS 16 (either via restoring from a backup from iOS 16, or directly upgrading the device from iOS 16 -> iOS 18).

Created FB15442633 with screenshots/sysdiagnose.

We've reproduced this bug in our application with a few devices. Toggle missing on the Certificate Trust Settings screen after installing our certificate on iOS 18.

Created FB15517899 with screenshots/sysdiagnose.

I have the same problem. I upgraded my iPhone 13 from iOS 16 to iOS 18 yesterday, and then I couldn't find the Quantumult X certificate in the trust settings.

I believe I am in the same situation as others here. Let me know if this is different. I have a letsencrypt cert for my fqhn.com that I can connect to from outside local LAN (I host this machine on my local LAN). I have a local LAN dns that points to the same fqhn.com but IP is translated to a local IP Address for connections. Other devices (Linux or OpenSSL, curl) can connect to my fqhn.com on local LAN fine. when I try any apple device on wifi/local LAN I get an error “Safari can’t open the page because it couldn’t establish a secure connection to the server”. When I turn wifi off on one of these devices which is an iPhone and use my ISP to connect to fqhn.com, the website loads fine. I assume this is same issue where the cert is no longer trusted.

Hello,

We have tried various ways to solve this issue for our customers: removing certs, reinstalling, overriding the existing ones... and we have not been able to find a workaround to provide some steps to our customers to solve it.

The issue is quite impactful and worrisome on our side, so I wonder,

  1. Has a workaround for the issue been identified (besides performing a factory reset)?

  2. How could we get an estimate from Apple of when it will be fixed? We are trying all the beta updates hoping to have the issue fixed, but it looks like it won't be fixed in the upcoming release. So far it is unclear even whether this issue is going to be fixed.

For now I feel we can only cross our fingers. Best.

Not fixed with iOS 18.1. I was hoping it would be, because this problem sounds suspiciously similar:

Fixes an issue where digital car keys may not unlock or start a vehicle with passive entry after restoring from a backup or transferring directly from another iPhone

Also getting this issue with installed certificates not appearing in the Trust Store after upgrading my iPhone from an iPhone 8 to an iPhone 11 using the Quick Start utility. This is quite critical as I use mTLS with my own PKI to authenticate to some internal websites and this is now broken.

Thanks @om-q for the investigation - if we still don’t have a workaround in a few weeks then it seems like erasing all settings will fix the issue although I obviously wouldn’t prefer this option!

Is there any ETA for a fix on this?

Written by me:
We've reproduced this bug in our application with a few devices. Toggle missing on the Certificate Trust Settings screen after installing our certificate on iOS 18. Created FB15517899 with screenshots/sysdiagnose.

I posted this once, but I tested it again and confirmed that the bug still occurs on the latest OS.

Test Environment:

  • Device: iPad 10
  • OS: iPadOS 18.1 RC (22B82)

Step:

  1. Downloading the .cer file from Safari
  2. the configuration profile is listed in Settings > General > VPN & Device Management
  3. Toggle missing on Certificate Trust in Settings > About > Certificate Trust Settings

Bug report: FB15517899

I would like to know if there is a resolution, workaround, or prospect of resolving this issue.

Same issue on iOS 18.0.1 when adding IPSec IKEv2 profile through MDM with CA certificate in the payload.

Bug report: FB15608088

I have filed several feedback reports on this going all the way back to iPadOS 16: FB14461493, FB12041189, and FB11724692 at least. One requested the actual certificate rather than the text listing from OpenSSL. None have been closed.

My experience is that if the device can run iPadOS 15 or less, there isn't a problem with trusting the root cert. If it was installed in iPadOS 15 or earlier and trusted, it will stay trusted even if the certificate is updated, through upgrades up to iPadOS 18.1. Unfortunately, that's not a viable solution if your device is too new to do the old install (M2 and later).

Often, the certificates will give an error message, but not give you any option to even trust the certificate signed by the self-signed root. Other times it eventually "just works" and stops complaining. But not always. The most persistent problem I have is with an IMAP server. Today it seemed to work, at least on a test tablet (which does have the cert installed and trusted). The POP client worked whereas the IMAP client has chronically failed even with the trusted root. I then upgraded my regular machine running iPadOS 17 with the IMAP server (but not with the root installed, as it's an M2 that could never run pre-iPadOS 16), and the IMAP server still fails. I will try switching to the POP server to see if that works. Both servers run on the same machine, so the certs are really all the same.

Some of our customers experienced the issue. We asked them to install Apple Root CA from Apple PKI into an affected device. They could install it, but could not trust it. Filed FB15621457 with screenshots and sysdiagnose.

@DTS Engineer

I can second the issue and suspect it to have something to do with restore/update from an older iOS device when the certificate is already present on the older device.

Here are the steps to reproduce the issue for me:

  • Bought a new iPhone 16 Pro
  • Restored the iPhone 16 Pro (iOS 18.1) from an iPhone 7 (iOS 15.8.3) backup
  • The iPhone 7 already had a custom (working!) root CA certificate installed
  • The root CA certificate was not present after the restore on the iPhone 16 Pro
  • Re-Installed the root CA by (1) downloading the certificate via Safari and opening it via the Files app on the iPhone 16 Pro
  • Profile is successfully registered in settings -> general -> VPN & Device Management on the iPhone 16 Pro
  • No option to trust the certificate is triggered in Settings / About / Certificate Trust Settings on the iPhone 16 Pro though

Unfortunately, I cannot file a bug report because the login via URL "applefeedback://start" to the Apple Feedback app does not work with my Apple ID login.
