iOS 18 Bug - Certificate Trust Settings for Private Root Certificates Not Available

Importing an existing self-signed trusted root certificate no longer triggers the option to trust the cert in Settings / About / Certificate Trust Settings in iOS 18.

Cert installed manually from an internal website, as an email attachment, and using a profile in Configurator all produce the same result.

The same cert and processes work on iOS 16.7.10, iOS 17.6.1 and iPadOS 18.0

But not on iOS 18.0 nor iOS 18.1 beta 5 on iPhone 16

Also tried regenerating a new test root on macOS Sonoma and installing it using Configurator. No difference.

It’s broken - I’ve reported it by Feedback - it’s a vital security flaw.

Anyone else see this or have a workaround?

Answered by DTS Engineer in 815354022
After upgrading to iOS 18.2 b4, I can finally see the missing certificates in the Certificate Trust Settings

Yep. That gels with my expectations based on the resolution I see for the bug. Thanks for checking!

After upgrading to iOS 18.2 b4, I can finally see the missing certificates in the Certificate Trust Settings

Yeah, that’s a different, but obviously related issue. And so…

I submitted FB15921702

Thanks!

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

We've reproduced this bug in our application with a few devices. The toggle is missing on the Certificate Trust Settings screen after installing our certificate on iOS 18. Created FB15517899 with screenshots/sysdiagnose.

I posted this once, but I tested it again and confirmed that the bug still occurs on the latest OS.

Test Environment:

  • Device: iPad 10
  • OS: iPadOS 18.1 RC (22B82)

Step:

  1. Download the .cer file from Safari
  2. The configuration profile is listed in Settings > General > VPN & Device Management
  3. The toggle is missing under Certificate Trust in Settings > About > Certificate Trust Settings

Bug report: FB15517899

I would like to know if there is a resolution, workaround, or prospect of resolving this issue.

Same issue on iOS 18.0.1 when adding IPSec IKEv2 profile through MDM with CA certificate in the payload.

Bug report: FB15608088

I have filed several feedback reports on this going all the way back to iPadOS 16: FB14461493, FB12041189, and FB11724692 at least. One requested the actual certificate rather than the text listing from OpenSSL. None have been closed.

My experience is that if the device can run iPadOS 15 or less, there isn't a problem with trusting the root cert. If it was installed in iPadOS 15 or earlier and trusted, it will stay trusted even if the certificate is updated, through upgrades up to iPadOS 18.1. Unfortunately, that's not a viable solution if your device is too new to do the old install (M2 and later).

Often, the certificates will give an error message, but not give you any option to even trust the certificate signed by the self-signed root. Other times it eventually "just works" and stops complaining. But not always. The most persistent problem I have is with an IMAP server. Today it seemed to work, at least on a test tablet (which does have the cert installed and trusted). The POP client worked whereas the IMAP client has chronically failed even with the trusted root. I then upgraded my regular machine running iPadOS 17 with the IMAP server (but not with the root installed, as it's an M2 that could never run pre-iPadOS 16), and the IMAP server still fails. I will try switching to the POP server to see if that works. Both servers run on the same machine, so certs are really all the same.

Some of our customers experienced the issue. We asked them to install Apple Root CA from Apple PKI into an affected device. They could install it, but could not trust it. Filed FB15621457 with screenshots and sysdiagnose.

@DTS Engineer

I can second the issue and suspect it to have something to do with restore/update from an older iOS device when the certificate is already present on the older device.

Here are the steps to reproduce the issue for me:

  • Bought a new iPhone 16 Pro
  • Restored the iPhone 16 Pro (iOS 18.1) from an iPhone 7 (iOS 15.8.3) backup
  • The iPhone 7 already had a custom (working!) root CA certificate installed
  • The root CA certificate was not present after the restore on the iPhone 16 Pro
  • Re-installed the root CA by (1) downloading the certificate via Safari and opening it via the Files app on the iPhone 16 Pro
  • Profile is successfully registered in Settings -> General -> VPN & Device Management on the iPhone 16 Pro
  • No option to trust the certificate is triggered in Settings / About / Certificate Trust Settings on the iPhone 16 Pro though

Unfortunately, I cannot file a bug report because the login via URL "applefeedback://start" to the Apple Feedback app does not work with my Apple ID login.

A different scenario and maybe a clue to what's broken in the Mail app?

I have an iPhone 16 Pro that was configured from a backup of an iPhone 15 Pro running iOS 17.7 with the same problem. Removing the mail accounts and restarting the phone did not work. Erasing all data and starting from fresh did not work.

I'm trying to connect to a dovecot instance with a cert signed by my own root certificate.

I then created a profile with those certs and installed it on the phone that had been restored once again from the iOS17.7 backup and had the mail account removed and the phone rebooted. After I installed the profile, I can see and have enabled my root cert in the Certificate Trust Settings on the phone.

When I add the Mail account, it negotiates the SSLv3/TLSv1.3 successfully. However, when the app tries to get mail, the mail server still gets the error code indicating that the client doesn't trust the certificate.

Note: The certs continue to work with Thunderbird as the mail client on macOS Sequoia 15.0.1.
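The post above got the trust toggle to appear only after packaging the certificates into a configuration profile. Below is an added example (not code from the thread or from Apple) of how such a profile is built: a `.mobileconfig` is an XML plist whose `com.apple.security.root` payload carries the DER-encoded root certificate. The PEM input here is a constructed placeholder (not a real certificate) so the script runs offline; the `com.example` identifier prefix and the display name are assumptions to replace with your own.

```python
"""Package a root CA certificate as an iOS configuration profile (.mobileconfig).

Added example, not code from the thread or from Apple. Identifier values
(com.example...) and the display name are assumptions; the sample PEM is a
constructed placeholder, not a real certificate.
"""
import base64
import plistlib
import re
import uuid

# Constructed placeholder DER bytes: NOT a real certificate. Any real root CA
# PEM can be substituted for SAMPLE_PEM; only the PEM framing matters here.
SAMPLE_DER = b"\x30\x82\x00\x04placeholder-root-ca-der"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block from PEM text and return its DER bytes."""
    m = _PEM_RE.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def build_root_ca_profile(pem: str, display_name: str, org_id: str) -> dict:
    """Return the plist dictionary for a profile that installs one root certificate.

    org_id is a reverse-DNS prefix (assumed, e.g. "com.example") used to build
    PayloadIdentifier values; each profile needs identifiers and UUIDs that are
    unique on the device, otherwise a later install replaces the earlier one.
    """
    der = pem_to_der(pem)
    cert_payload = {
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.rootca.{uuid.uuid4()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadCertificateFileName": "root-ca.cer",
        "PayloadContent": der,  # plistlib serialises bytes as <data>
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.rootca-profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadContent": [cert_payload],
    }


def profile_bytes(profile: dict) -> bytes:
    """Serialise the profile as an XML plist, the on-disk form of a .mobileconfig."""
    return plistlib.dumps(profile)


def write_profile(profile: dict, path: str) -> None:
    with open(path, "wb") as fh:
        fh.write(profile_bytes(profile))


if __name__ == "__main__":
    prof = build_root_ca_profile(SAMPLE_PEM, "Example Internal Root CA", "com.example")
    write_profile(prof, "root-ca.mobileconfig")
    print(profile_bytes(prof).decode())
```

Installing the profile only places the certificate; on an unmanaged device the root still has to be switched on under Settings > General > About > Certificate Trust Settings, which is exactly the toggle this thread reports missing. The profile as written is unsigned and will show as "Not Verified" on the device; signing it (for example with `security cms -S` on macOS) changes that label but does not change the trust step.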

I had a similar problem, but it was solved, and the root cause was the system configuration, not the certificate

A quick update…

First up, thanks for all the bug reports!

Based on your bugs we think we understand what’s happening here. As folks have noted on this thread, it seems to be related to updating from iOS 16 or earlier, either directly or from a restored backup. The system is not correctly handling the migration from an older form of its internal data structures.

Most folks don’t see this because they’re updating from iOS 17, and the migration works correctly in that case.

And just to head off the inevitable follow-up question… I don’t have any info to share as to when this will be fixed. All I can say right now is that the bug is still present in the latest iOS 18.2b1 seed (22C5109p).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Based on your bugs we think we understand what’s happening here. As folks have noted on this thread, it seems to be related to updating from iOS 16 or earlier, either directly or from a restored backup. The system is not correctly handling the migration from an older form of its internal data structures [...] … I don’t have any info to share as to when this will be fixed [...]

Glad to hear you found the root cause on your side. Take the time to properly fix it, no worries. Let us know if you need additional input.

I would also like to thank you for your open communication regarding the problem and bringing awareness of it to the developer team!

I can not add a cert generated by Let's Encrypt. I assume this is the same issue as described here?

Thanks

Hey forum people, I was wondering if this is still an issue in iOS 18.1 and if it is how or if I fix it on my iPhone 15? I am happy to answer any and all questions concerning this issue. Thank you for taking the time to answer my question.

I can not add a cert generated by Let's Encrypt. I assume this is the same issue as described here?

No. This thread is about adding trusted root certificates. You might, for example, want to do this if you’re managing a large organisation and you want to run an internal CA that issues certificates for your internal infrastructure.

Let’s Encrypt issues leaf certificates for servers on the public Internet. Its root certificate is trusted by default.

I was wondering if this is still an issue in iOS 18.1

Quoting myself here:

All I can say right now is that the bug is still present in the latest iOS 18.2b1 seed (22C5109p).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

In case some see those errors in dovecot logs, it seems related to this issue: SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown: SSL alert number 46

Strongly awaiting a resolution!
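The dovecot line quoted above is the server-side view of this bug: alert 46 (`certificate_unknown`) is sent by the TLS client, so it records the iOS device rejecting the server's chain, not a fault in the server's own configuration. The following is an added example (not code from the thread) that decodes TLS alert records from a byte stream and names the alert number in an OpenSSL-style log line; the byte strings are constructed for the example, not captured from a device.

```python
"""Decode TLS alert records, such as the "certificate unknown" (alert 46) that
shows up in the dovecot log line quoted in the thread.

Added example, not code from the thread. All byte strings are constructed
for the example, not captured from a real device.
"""
import re
import struct

CONTENT_TYPE_ALERT = 21
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# AlertDescription values (RFC 5246 section 7.2, RFC 8446 section 6); only
# close_notify and the ones a certificate check can produce are listed.
ALERT_DESCRIPTIONS = {
    0: "close_notify",
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
    116: "certificate_required",
}
CHAIN_REJECTED = {42, 43, 44, 45, 46, 48}


def iter_records(stream: bytes):
    """Yield (content_type, (major, minor), payload) for each TLS record in a stream."""
    offset = 0
    while offset + 5 <= len(stream):
        ctype, major, minor, length = struct.unpack("!BBBH", stream[offset:offset + 5])
        payload = stream[offset + 5:offset + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated TLS record")
        yield ctype, (major, minor), payload
        offset += 5 + length
    if offset != len(stream):
        raise ValueError("trailing bytes after last TLS record")


def decode_alert(payload: bytes) -> dict:
    """Decode a two-byte alert payload (level, description) into named fields."""
    if len(payload) != 2:
        raise ValueError("alert payload must be exactly two bytes")
    level, desc = payload
    return {
        "level": ALERT_LEVELS.get(level, f"unknown({level})"),
        "code": desc,
        "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})"),
        # True when the alert means the peer refused the certificate chain we sent.
        "peer_rejected_our_chain": desc in CHAIN_REJECTED,
    }


def find_alerts(stream: bytes) -> list:
    """Return every decoded alert in the stream, skipping handshake and data records."""
    return [decode_alert(p) for ctype, _ver, p in iter_records(stream)
            if ctype == CONTENT_TYPE_ALERT]


_OPENSSL_ALERT_RE = re.compile(r"SSL alert number (\d+)")


def alert_from_openssl_log(line: str):
    """Name the alert number in an OpenSSL-style log line, or None if there is none."""
    m = _OPENSSL_ALERT_RE.search(line)
    if m is None:
        return None
    # OpenSSL reports alerts that abort the handshake, so treat them as fatal.
    return decode_alert(bytes([2, int(m.group(1))]))


# Constructed two-direction capture: the server's ServerHelloDone (TLS 1.2
# handshake record) followed by the client's fatal certificate_unknown alert.
SAMPLE_STREAM = bytes.fromhex(
    "16 03 03 00 04 0e 00 00 00"   # handshake record, HandshakeType 14
    "15 03 03 00 02 02 2e"         # alert record: level 2 (fatal), description 46
)
# Constructed copy of the dovecot log line quoted in the thread.
SAMPLE_LOG_LINE = (
    "SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:"
    "sslv3 alert certificate unknown: SSL alert number 46"
)

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_STREAM):
        print(alert)
    print(alert_from_openssl_log(SAMPLE_LOG_LINE))
```

The "sslv3 alert" wording in the log is OpenSSL's legacy label for the alert protocol and does not mean SSLv3 was negotiated. When `peer_rejected_our_chain` is true, the next checks are on the client side (is the issuing root installed and actually toggled on) and on the server side (does the server send every intermediate so the chain reaches that root).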

@DTS Engineer Any update regarding iOS 18.2b2?

Based on your bugs we think we understand what’s happening here. As folks have noted on this thread, it seems to be related to updating from iOS 16 or earlier, either directly or from a restored backup. The system is not correctly handling the migration from an older form of its internal data structures.

Most folks don’t see this because they’re updating from iOS 17, and the migration works correctly in that case.

I can confirm that one of my devices that had the issue was updated from iOS 17 to iOS 18. The device is still broken and I am trying every update available and still waiting for the OS update that fixes the issue.

Heads up @DTS Engineer because the issue is not only related to iOS 16 or earlier, so it could happen that folks are not spotting the issue but something different. Hope this nuance can help to solve the issue.

Thank you, Sergio.

Someone asked about this in a separate context so I figured I’d post a quick update here. Unfortunately there’s not much to say. Yesterday we started seeding iOS 18.2b3 (22C5131e) and it doesn’t contain the fix for this.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

We have had this same issue on 18.0, 18.0.1 and 18.1 when upgrading an iPhone and when pre-installed on a new iPhone. This blocks our customers from using our app. The only work around seems to be a factory reset, which is a very harsh thing to tell a customer.

More and more users are experiencing problems now. Will this issue be fixed in iOS 18.2 version?

Any update ?

It seems iOS 18 changed something internal in the CA security framework; when a user updates OTA from iOS 17, the CA cert no longer exists in "Certificate Trust Settings"

I do think it's a huge regression, since iOS promises to allow users to upgrade to the latest version as quickly as possible, but this annoying bug shipped in the official iOS 18 release with no QA test for this case.

The current ugly solution, without totally resetting the iPhone, is to edit the backup file via a third-party Mac app to edit the SQLite database and plist file, which is more complicated for the end user.

The ugly solution is to use the backup file and extract the old cert from your iPhone without jailbreaking:

https://apple.stackexchange.com/questions/300203/how-can-i-delete-a-certificate-that-got-restored-from-a-backup-under-ios-10-11

Then send this cert to your iPhone running iOS 18 and enable it again; it should appear on the Trust Settings page. You can remove it and reinstall with the new one.

When can it be fixed? Can apple engineer help to escalate the issue? Thanks.

FINALLY I fixed it without resetting my iPad/iPhone, by using the Edit Backup feature and restoring, from the third-party Mac app you know.

  1. Back up your device running iOS 18
  2. Use the Mac app to extract the backup files
  3. Remove the MobileDeviceDomain, KeychainDomain and ProtectedDomain folders
  4. Restore the edited backup to your device

Done. https://twitter.com/DreamingPiggy/status/1857459220091908594

@DTS Engineer - Hey Quinn,

I just upgraded from an iPhone 13 (which had my custom CA root installed and trusted) using Apple's upgrade path (backed everything up to iCloud, put the phones next to each other, and let them do their thing). The install did not include the root cert from the iPhone 13.

I am testing the waters before any of my users try this, and I am stuck. I am stymied by the lack of root cert trust settings in 18.1, which keeps OpenVPN from connecting to my private network. This completely breaks remote access, for me (and for any of my users that might upgrade to a new phone), as it hangs on verifying the OpenVPN server certificate.

Before I distribute (dangerously) altered OpenVPN profiles that do not try to verify the certificate, is there an ETA for a fix?? Thanks!

An update - I discovered that installing a certificate from HTTPS sites (vs. email, which I had been trying) works. OpenVPN accepts this certificate even though it is not trusted, which lets me work around the connecting from outside issue.

What this does not solve is every internal website or service using my custom CA's signed certificates shows up as untrusted. This is a pain, and I really hope it is fixed soon!

Slightly different angle. Installed 18.1.1 on a six-month-old iPad. After rebooting I get a message about an untrusted certificate which expired in 2016, related to an email server no longer used. There does not seem to be an option to list and delete certificates. Nothing under VPN and Device Management.
