ios trust certificate safari

How To Trust Certificate on iPhone

iPhones come with Trust Stores that contain trusted root certificates pre-installed on your device. However, there are several reasons why you will want to use custom certificates. Due to their low cost, custom certificates are usually the preferred option for development and testing environments. They are also often suitable for internal (intranet) servers as they can be deployed easily and quickly. Now, the question is, how do you make an iPhone trust a custom certificate?

Generally, iPhones automatically trust root certificates signed by a trusted Certificate Authority (CA) . But in case of custom certificates that a CA does not sign, your iPhone may not trust it. The way around this is to email yourself the certificate or upload the root certificate to a website and then download it with Safari. Afterward, go to your iPhone Settings app to install and enable trust for the certificate. 

Provided the certificate has the CA Basic Constraint extension , Apple will allow you to trust the certificate manually. This article will explain the step-by-step process to fix trust certificate issues on the iPhone.

Step #3: Enable Trust

• Frequently Asked Question 

How Do I Make My iPhone Trust a Custom Certificate? 

Installing a self-signed or custom certificate is different for different versions of iOS devices. But for the sake of this guide, we will be using iOS 10.3 and later . Before now, to make an iPhone trust a custom certificate was easy since all you had to do was send the file to your iPhone, and it will automatically trust it. 

Now, that’s no longer the case. Even after installing the certificate, your iPhone wouldn’t trust it. The steps below explain how to make your iPhone trust a self-signed certificate.

Step #1: Get the File on Your iPhone 

Export the certificate or profile to your iPhone by emailing the certificate to yourself, uploading it to a website, then downloading it with Safari, among others. When you get the certificate on your device, download it. If successful, you will get a prompt that a profile has been successfully downloaded, of which you can then click on the close button. 

Step #2: Install the Certificate 

To install the certificate, go to the Settings app on your iPhone, and on top of the settings menu, you will see the option “Profile Downloaded ” below the Apple ID row. Tap on it to display the “Install Profile ” menu. 

At the top-right corner of your screen, tap “Install “. If your iPhone has a passcode set, you will be prompted to enter it to proceed. Enter your password and tap “Install ” again. Once installation is successful, tap on “Done “. 

After installing a self-signed certificate, it wouldn’t be automatically verified. To enable trust for the certificate, open the Settings app again and navigate your way to the “General “. So on the profile menu, you’d see the message “Not Verified “. 

Under “General”, tap on “About ” and then tap on “Certificate Trust Settings “. Under “Certificate Trust Settings”, you’d see the profile you just installed, and you can toggle it on to enable full trust for the profile.

iPhone users using iOS 10.3 and older versions that want to install custom certificates must go to the settings menu to  allow the certificates’ trust manually . Also, you can only use SSL between two endpoints if the custom certificate matches one of the pre-installed root certificates on your iPhone.

Conclusion 

Enabling your iPhone to trust custom certificates is easy, but use it cautiously. Not all certificates are trustworthy. Giving trust permission to a profile you don’t know could expose you to security issues. So, if you don’t know much about the profile, it is better not to enable trust than to enable trust and be exposed to security breaches.

Frequently Asked Question 

Enabling trust for profiles on iPhone is necessary when you are conjuring SSL filtering for the first time. Sometimes, you may need to enable trust for certificates or profiles when the certificate has expired or is being reissued. Similarly, when installing profiles manually, you will need to enable trust for it. 

Yes, enabling trust to certificates of unknown sources can be used maliciously. Installing a new certificate on your iPhone has always been a known vulnerability ; enabling trust for only the certificate you trust is essential. And if at any point you no longer trust any certificate, you can always delete it from settings.   

You may get this error because you are using a certificate from a CA that is not on your device’s approved list of certificates . To fix this, go to your email server, navigate your email account to advanced settings, and then find the option to accept all certificates and enable it. 

Related Posts

How To Turn On Wireless Charging on iPhone

How To Send a Song in a Text Message on Android

How To Reset Philips TV

How To Change the IMEI Number on iPhone

How To Clear the Keyboard History on Samsung Phones

How To Play Xbox 360 on Laptop With HDMI Cable

About the author, jacob hicks, leave a comment cancel reply.

Your email address will not be published. Required fields are marked *

Save my name, email, and website in this browser for the next time I comment.

Jacob has been writing for DeviceTests since 2021. He enjoys testing new hardware and software, and sharing his findings with the world.

How To Change Video Source on Laptop

How To Select All Photos on an iPad

How To Whiten Teeth on iPhone

The ICT Guy

EduTech server engineer blogging about everything IT related

• Editors Picks

Easy Step-by-Step guide to Adding Trusted Root Certificates to iOS14

Adding Trusted Root Certificates to iOS14 is slightly different to earlier versions so here is a quick guide on how to add a trusted root certificate for web filtering etc to Apples latest iOS . When downloading the certificate you can do this from either the vendors website that hosts the certificate or via E-Mail etc the process is the same once you have the certificate downloaded to the device.

Having issues with iOS 14 not installing check out this guide on how to remove a stuck update.

Installing the Trusted Root Certificate

• Download the certificate from either the vendors website, your internal filtering system or wherever you have the certificate stored.
• Click Open with
• Click Save to files
• Select On my phone
• Click Settings
• Click Profile downloaded
• Click Install
• Click Install on the warning
• Enter your pass code if one if setup on the device
• Click General
• Click About
• Click Certificate trust settings
• Turn on the installed certificate so it is a trusted root certificate
• Click continue when prompted

Adding Trusted Root Certificates to iOS14

Setting your mac to not be private/dynamic if you use a filtering system that uses mac authentication, found priceless insights in this blog support the author’s creativity – buy them a coffee, how to setup and use the apple ios back tap feature, how to remove an ios update if it fails to verify.

• Featured Posts

Easy Step-by-Step guide to Adding Trusted Root Certificates to iOS15

2 thoughts on “ easy step-by-step guide to adding trusted root certificates to ios14 ”.

How do i get a profile download to install ????

Once downloaded you need to go to settings to install the profile.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

You may have missed

Setup.exe by patchbox review, ruckus auto voice vlan config.

• Vulnerabilities

Email Security Analysis: A PowerShell Approach to Identifying MFA-Enabled Domains

• Connect the Classroom

Convert ruckus unleashed to cloud in simple easy to follow steps

• Veeam Backup and Replication

FIXED: Sophos System Protection Service (SSPService.exe) has high RAM Usage when using Splashtop

You can make a difference in the Apple Support Community!

When you  sign up with your Apple ID , you can provide valuable feedback to other community members by  upvoting helpful replies and User Tips .

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

Enabling self-signed certificates in iOS 15

How do I enable trusting self signed certificates in iOS 15.2.1? I am trying access a CalDAV account on a personal Synology server.

Posted on Feb 14, 2022 6:05 PM

Posted on Feb 24, 2022 5:35 PM

This is a real pain because apple has intentionally made it a pain. No other product makes it as difficult as they do.

You have to download the certificate itself, just the raw pem file, either via a browser or some other method. Via a browser is the easiest way. If you're self-signing certs, you should be able to set up a little home webserver and literally put the cert in the root of that and then just hit it via safari on your phone. Once that happens, it will be downloaded into the profiles. Open settings and use the search at the top to look for profiles. Open profiles and "install" the profile for your self-signed cert. Then go to settings->general->about->certificate trust settings (all the way at the bottom) and flip the toggle to trust all roots for that profile.

Similar questions

• how can i setup my trusted certificate settings to my phone how can i setup my trusted certificate settings to my phone 730 1
• Cannot trust self signed certificate on iOS 15.2 Hello, I am trying to install and trust a self signed root CA certificate on my device to access services hosted on my internal network. Importing and installing the certificate went well. I however do not have the option available to fully trust the certificate. I have the exact same issue than this one : https://discussions.apple.com/thread/253175842 No answer has been provided to this post, other than to switch the toggle on, but this toggle is not displayed at all. Are there any specific requirements to meet for imported certificate to show in this list? I tested different key length (2048, 4096), validity (10 years, 1 year) and signing protocol (sha256, sha512), with no luck. Update from iOS 15.1 to 15.2 does not fix the issue either. I have not been able to find any help on the Internet so far, apart from this article that does not help in this case, the toggle not showing up at all : https://support.apple.com/en-us/HT204477. Thanks a lot for your help. 1872 1
• Cannot trust self signed certificate on iOS 15.1 Hello, I am trying to install and trust a self signed root CA certificate on my device to access services hosted on my internal network. Importing and installing the certificate went well. I however do not have the option available to fully trust the certificate. I have the exact same issue than this one : https://discussions.apple.com/thread/253175842 No answer has been provided to this post, other than to switch the toggle on, but this toggle is not displayed at all. Are there any specific requirements to meet for imported certificate to show in this list? I tested different key length (2048, 4096), validity (10 years, 1 year) and signing protocol (sha256, sha512), with no luck. I have not been able to find any help on the Internet so far, apart from this article that does not help in this case, the toggle not showing up at all : https://support.apple.com/en-us/HT204477. Thanks a lot for your help. 1112 1

Loading page content

Page content loaded

Feb 24, 2022 5:35 PM in response to Declanthedog

Feb 24, 2022 5:37 PM in response to libhart

libhart wrote:

Which is why no other products are as secure as Apple’s.

Feb 15, 2022 12:15 PM in response to Declanthedog

Hi Declanthedog,

Thanks for using Apple Support Communities. We understand you’re trying to trust a specific certificate. We’re happy to help.

We suggest taking a look at this article: Trust manually installed certificate profiles in iOS and iPadOS

Five Tips for Using Self Signed SSL Certificates with iOS

SSL certificates are relatively cheap to purchase , but sometimes it would be easier if you could create your own. You might need to setup SSL on development and test servers that have different host names or on systems that will only ever be accessed on your local network.

Self-signed SSL certificates allow you to quickly create certificates for free, without having to pay a Certificate Authority (CA) or comply with any auditing requirements.

The downside of using self-signed certificates is that browsers will not automatically trust sites that use them. In Mobile Safari you would see an error like this:

The HttpWatch iOS app provides some more detail:

The rest of this post provides tips on how to setup iOS to avoid these errors and how to simplify the creation and management of self signed certificates.

Tip #1 – Don’t Accept your Self-Signed Certificate in Mobile Safari

It’s tempting to just select Continue or Details->Accept when you first try using your self-signed certificate in Safari:

This would allow you to open the site in Safari, but there are two significant downsides:

• Accepting the certificate in Safari just adds an SSL exception that prevents Safari warning you about the site. It doesn’t install the certificate as a trusted certificate on iOS. Any other apps (e.g. Chrome, HttpWatch, etc…) on the device will still fail to connect to the site.
• Once the SSL exception is added there doesn’t seem to be a way to remove it in iOS 7. In previous versions going to Settings->Safari and selecting ‘Clear Cookies and Data’ would delete it. This no longer seems to work in iOS 7 (please leave a comment if you know how to do this).

Tip #2 – Install Self-Signed Certificates as an iOS Configuration Profile

You can add an SSL certificate to the trusted list in iOS by simply emailing the file to yourself as an attachment:

Then select Install to add the certificate. Once you’ve done this you use the certificate without warnings in Safari or other iOS apps that use the device’s keychain..

Also unlike Safari SSL exceptions, you can access the certificate at any time in Settings->General->Profiles and remove it if required:

Apple provides an iPhone configuration utility for Mac and PC that can also install certificates. This would be a better option where email is not available or you have a larger number of iOS devices to manage.

Tip #3 – Don’t create Self-Signed Certificates within IIS

Creating self-signed certificates in IIS appears to be easy. You just select the ‘Create Self-Signed Certificate’ menu item:

Unfortunately, IIS uses the computer name as the host name in the certificate:

It most cases the computer name will not match the intended host name and you end up with a self-signed certificate that is never trusted – even when it is added to iOS:

It’s possible to fix this problem by installing and running the SelfSSL tool from the IIS 6 Toolkit. However, it’s probably easier just to use OpenSSL as described in the next tip.

Tip #4 – Creating Self-Signed Certificates with OpenSSL is Easy

One of the easiest ways of creating a self-signed certificate is to use the OpenSSL command line tool that is available on most platforms and installed by default on Mac OSX.

First create a private key file:

Then create the self signed certificate:

You can use any filenames you like for the key and certificate (.cer) files. The /CN parameter needs to be set to the required hostname (e.g. for https://www.mysite.com in the example above). The days parameter specifies the expiration date as days from today’s date.

There’s even a site to do this if you don’t feel like downloading OpenSSL, but of course it’s more secure to do it yourself.

On Apache servers the key and certificate file can be used directly in your SSL configuration. With IIS you need a PFX file so that you can import the certificate into the Server Certificates section of IIS. OpenSSL can create the PFX file for you as well:

Tip # 5: Consider Creating Your Own Certificate Authority (CA)

One problem with self-signed certificates is that you’ll need to set up trust relationships for each certificate on each device. An alternative is to create your own Certificate Authority (CA) root certificate and then create certificates based on it.

Instead of paying a commercial CA to create SSL certificates on your behalf, you are acting as your own CA. The advantage is that your custom CA certificate only has to be installed once on each device. The devices will then automatically trust any certificates you issue based on your root CA certificate.

Creating the CA certificate is a simple two step process. First create a private key file as before:

Then create the certificate:

The certificate file (myCA.cer) created above can be publicly shared and installed on iOS or other OS’s to act like a built in trusted root CA. Custom CA certificates on iOS are also stored in General->Settings->Profile:

The private key file (myCA.key) is only used when creating new SSL certificates.

You can create as many certificates as you like based on this CA certificate. There’s an extra step involved because you have to create a CSR (Client Signing Request) as if you were purchasing a commercial SSL certificate.

First you would create a private key:

and then create the CSR:

Then use the CSR to create the certificate:

The certificate created (mycert.cer) can be installed on a web server and accessed from any iOS device that already has the CA certificate installed.

UPDATED September 24th, 2015 – The OpenSSL certificate creation commands now include the -sha256 flag to avoid browser warnings about the use of  SHA1. This tip was provided in a comment by Giancarlo Gomez – Thanks

Tags: IIS , iOS , OpenSSL , SSL

• 13 Comments
• Post a Comment

Got Something to Say?

Your email address will not be published. Required fields are marked *

Ready to get started? TRY FOR FREE Buy Now

View in English

• About your developer account Get started
• Sign in to your developer account Get started
• Account overview Get started
• Enterprise Program API Get started
• Invite team members Manage your team
• Automatic Signing Controls Manage your team
• Roles and access Manage your team
• Change team member roles Manage your team
• Delete team members Manage your team
• Leave a team Manage your team
• Transfer the Account Holder role Manage your team
• Locate your Team ID Manage your team
• Requesting access to an MDM Vendor CSR signing certificate Manage your team
• Update your account information Manage your team
• Certificates overview Create certificates
• Cloud-managed certificates Create certificates
• Create Developer ID certificates Create certificates
• Create enterprise distribution certificates Create certificates
• Create app license delivery certificates Create certificates
• Create WatchKit services certificates Create certificates
• Create VoIP services certificates Create certificates
• Create a certificate signing request Create certificates
• Revoke a certificate Create certificates
• Create a private key to access a service Manage keys
• Get a key identifier Manage keys
• Revoke, edit, and download keys Manage keys
• Register an App ID Manage identifiers
• Register an App ID for App Clips Manage identifiers
• Register a Services ID Manage identifiers
• Enable app services Manage identifiers
• Enable app capabilities Manage identifiers
• Delete an App ID Manage identifiers
• Register an app group Manage identifiers
• Create an iCloud container Manage identifiers
• Configure Apple Pay Configure capabilities
• Configure Apple Pay on the web Configure capabilities
• Create a DeviceCheck private key Configure capabilities
• Create a ClassKit Catalog key Configure capabilities
• Create a Maps identifier and private key Configure capabilities
• Create a media identifier and private key Configure capabilities
• Communicate with APNs using authentication tokens Configure capabilities
• Communicate with APNs using a TLS certificate Configure capabilities
• Send push notifications from your web server Configure capabilities
• About Sign in with Apple Configure capabilities
• Enabling server-to-server notifications Configure capabilities
• Group apps for Sign in with Apple Configure capabilities
• Create a Sign in with Apple private key Configure capabilities
• Configure Sign in with Apple for the web Configure capabilities
• Configure private email relay service Configure capabilities
• Create Wallet identifiers and certificates Configure capabilities
• Create a Mac version of an iPad app Configure capabilities
• Create a services identifier and private key for WeatherKit Configure capabilities
• Create order type identifiers and certificates Configure capabilities
• ShazamKit Configure app services
• MusicKit Configure app services
• WeatherKit Configure app services
• Account and organizational data sharing Manage service configurations
• Apple Music Feed Manage service configurations
• Configure the Apps and Books for Organizations API Manage service configurations
• iWork Document Exporting Manage service configurations
• Maps tokens Manage service configurations
• Devices overview Register devices
• Register a single device Register devices
• Register multiple devices Register devices
• Disable or enable a device Register devices
• Removing devices for membership expiration Register devices
• Provisioning profile updates Manage provisioning profiles
• Create a development provisioning profile Manage provisioning profiles
• Create an ad hoc provisioning profile (iOS, tvOS, watchOS) Manage provisioning profiles
• Create an App Store Connect provisioning profile Manage provisioning profiles
• Create a DriverKit development provisioning profile Manage provisioning profiles
• Edit, download, or delete provisioning profiles Manage provisioning profiles
• Certificate types Reference
• WWDR intermediate certificates Reference
• Revoking privileges Reference
• Supported capabilities (iOS) Reference
• Supported capabilities (macOS) Reference
• Supported capabilities (tvOS) Reference
• Supported capabilities (visionOS) Reference
• Supported capabilities (watchOS) Reference
• Provisioning with capabilities Reference
• Capability and entitlement updates Reference
• Device registration updates Reference
• No results If you have any questions about membership, your account, or App Store Connect, please review developer support.

Account Help

Support / Developer Account / Create certificates / Create Developer ID certificates

Create Developer ID certificates

You can create up to five Developer ID Application certificates and up to five Developer ID Installer certificates using either your developer account or Xcode. To create a Developer ID certificate in Xcode, visit “ Manage signing certificates ” in Xcode Help.

Required role: Account Holder.

Cloud-managed certificates are also available to admins with the cloud-managed Developer ID certificate access role.

In Certificates, Identifiers & Profiles , click Certificates in the sidebar.

On the top left, click the add button (+).

Under Software, select Developer ID, then click Continue.

Developer ID Application: A certificate used to sign a Mac app.

Developer ID Installer: A certificate used to sign a Mac Installer Package, containing your signed app.

Follow the instructions to create a certificate signing request .

Click Choose File.

In the dialog that appears, select the certificate request file (a file with a .certSigningRequest file extension), then click Choose.

Click Continue.

Click Download.

The certificate file (a file with a .cer file extension) appears in your Downloads folder.

To install the certificate in your keychain, double-click the downloaded certificate file. The certificate appears in the My Certificates category in Keychain Access.

Requirements for trusted certificates in iOS 13 and macOS 10.15

Learn about new security requirements for TLS server certificates in iOS 13 and macOS 10.15.

All TLS server certificates must comply with these new security requirements in iOS 13 and macOS 10.15:

TLS server certificates and issuing CAs using RSA keys must use key sizes greater than or equal to 2048 bits. Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS.

TLS server certificates and issuing CAs must use a hash algorithm from the SHA-2 family in the signature algorithm. SHA-1 signed certificates are no longer trusted for TLS.

TLS server certificates must present the DNS name of the server in the Subject Alternative Name extension of the certificate. DNS names in the CommonName of a certificate are no longer trusted.

Additionally, all TLS server certificates issued after July 1, 2019 (as indicated in the NotBefore field of the certificate) must follow these guidelines:

TLS server certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID.

TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).

Connections to TLS servers violating these new requirements will fail and may cause network failures, apps to fail, and websites to not load in Safari in iOS 13 and macOS 10.15.