Private CA root certificate missing from trust settings

I have created a private CA for testing an iOS application. I have installed the root certificate on the simulator and on my iPhone 6s. In both places, the profile says that the certificate is installed and verified. However, it does not show up in the Certificate Trust Settings. I have tried to install the certificate in both PEM and DER formats. Neither works.

Any help would be appreciated.


Answers

What process did you employ to install, in both examples?

I used the methods outlined in this Technical Q&A:

https://developer.apple.com/library/content/qa/qa1948/_index.html

On the simulator I used the drag-and-drop method. On the iPhone I accessed the certificate from my website.

I’ve recently been working on an update to QA1948 and so testing this stuff a lot. Except for a problem with watchOS 4 (r. 34652068) everything else seems to be working fine.

Can you post a link to (or a hex dump of) the CA certificate you’re trying to install?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I have been trying to post a link to the certificate, but the replies say, "Currently being moderated." The first one said that for almost 24 hours. Does it normally take that long to moderate a reply? I guess it's because the reply includes a link. Hopefully this one will get through.

The PEM for the cert is at pippip dot io slash rootcert slash ca.cert.pem.

Can take a few days, or never... depends on mods. Note not all outbound URLs are banned, tho. For those that are, try breaking it, like this:

h ttp://cnn.com

Does it normally take that long to moderate a reply?

It can take a while. However, if it’s a thread I’m actively looking at then I’ll approve the post the next time I swing by the thread, so it doesn’t actually cause any real delay.

Or, as KMT suggested, you can disguise the URL.

The PEM for the cert is at pippip dot io slash rootcert slash ca.cert.pem.

Well, that was interesting. I looked at the certificate and couldn’t see any obvious issues with it. I then installed it on my device and replicated the problem you’re seeing. My own test certificate is visible in Certificate Trust Settings but yours is MIA. Weird.

I eventually tracked this down to the certificate common name. It seems that Certificate Trust Settings uses the certificate’s common name as the cell title, and if the certificate doesn’t have a common name then it just gets dropped )-: This is most definitely a bug and you should file it as such. Please post your bug number so that I can add my analysis to it.

If you have control over the root certificate in question you could get around this by re-issuing it with a common name. Creating your certificate with Certificate Authority (see TN2326) makes this easy.

If not, I suspect the only option is to install the certificate via MDM, where you’re not required to manually approve it.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
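The diagnosis above (a root certificate whose subject has no Common Name is dropped from Certificate Trust Settings) can be reproduced and checked locally before a root is ever pushed to a device. This is an added example, not code from the thread or from Apple; it assumes the `openssl` command-line tool is installed, and the subject names, file names and scratch directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): build two self-signed test roots,
# one without and one with a subject CN, and check each for a Common Name.
set -eu
WORK=$(mktemp -d)    # scratch directory for the constructed keys and certs

# Create a self-signed test root with subject DN $1, written to $WORK/$2.pem.
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
        -subj "$1" -keyout "$WORK/$2.key" -out "$WORK/$2.pem" 2>/dev/null
}

# Print the subject Common Name of a PEM certificate; prints nothing if absent.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline,sname \
        | sed -n 's/^ *CN=//p'
}

# Exit status 0 if the certificate carries a subject CN, 1 if it does not.
check_root_cn() {
    cn=$(cert_cn "$1")
    if [ -n "$cn" ]; then
        echo "ok: $1 has CN '$cn'"
        return 0
    fi
    echo "warning: $1 has no Common Name; Certificate Trust Settings will not list it" >&2
    return 1
}

# Constructed inputs: a root built the "old way" (no CN) and a corrected one.
make_root "/O=Example Test CA"                          nocn
make_root "/O=Example Test CA/CN=Example Test Root CA"  withcn
check_root_cn "$WORK/withcn.pem"
check_root_cn "$WORK/nocn.pem" || true
```

Run `check_root_cn` against your own root PEM before installing it; a warning means the profile will install and verify but the toggle in Certificate Trust Settings will be missing, exactly as described in the thread.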

This is most definitely a bug and you should file it as such.

Just FYI, I ended up filing my own bug about this (r. 35071483).

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thank you, sir.

Sorry for the late response. I was wrestling with a certificate issue on the Amazon API gateway. I'll not post a long rant with my opinion of the PKI. 😉

I checked the original root cert and it is, indeed, missing the CN. Way back at the dawn of time, we didn't put CNs on the root cert because they would never be used for any kind of physical verification, i.e. DNS lookup. When the root cert is reissued, I will make sure that it has a CN.

Again, thank you for your help.

we didn't put CNs on the root cert because they would never be used for any kind of physical verification

Right. I’ve seen other root certificates without a Common Name entry, so I think that’s allowed. IMO this is a bug in the Certificate Trust Settings, which is why I filed a bug against it.

When the root cert is reissued, I will make sure that it has a CN.

Cool. Glad you have a decent workaround option.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi,

I am experiencing the same problem with my iPhone 7 Plus running software version 12.4.

I installed a self-signed cert but I cannot manually approve it because it is not showing up under Certificate Trust Settings.

Thank you.

I installed a self-signed cert but I cannot manually approve it because it is not showing up under Certificate Trust Settings.

The bug I filed about this (r. 35071483) remains unfixed )-: Fortunately, you can work around this by re-creating your CA certificate with a Common Name attribute. If that doesn’t fix the problem, please post a hex dump of your certificate and I’ll take a look.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

eskimo, do you know in which release it would be fixed?

Today I added the friendly name attribute (CN in Windows) to my self-signed CA root cert, exported (*.cer) and imported (iOS 12.4 on iPad 6) my certificate again, but the setting is still missing.

Looking forward!

Benedikt

do you know in which release it would be fixed?

No.

Although if your CA certificate has a Common Name and it’s still not showing up, that’s not the same problem as this.

FYI, I have a custom CA certificate installed on my personal devices and I regularly install a custom CA certificate for testing on my work devices, and this feature works for me on every version of iOS that I’ve tried it on. If your custom CA certificate is having problems, you should try creating it using a different tool. The tool I use is Certificate Assistant, built in to macOS, as I outlined in Technote 2326 Creating Certificates for TLS Testing.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hello,

I am still having this issue and I'm not able to recreate a certificate...

Is this planned any time soon?

Thanks

I am still having this issue

The specific bug I mentioned below (r. 32585574) has not been fixed.

Is this planned any time soon?

I can’t predict the future (but given that it’s been 3 years already… )-:

I'm not able to recreate a certificate...

Does that mean that you’ve confirmed that a missing Common Name is the problem?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"