I tried to generate my own CA with TLS Server Certificates. In Firefox I also do not have problems and the certificate is accepted after import of the root certificate. But after importing the root certificate to IOS and opening the site I get the message "connection not provate"
I set down the validation time, added req_cert_extensions and v3_req parts, added an intermediate CA, took attention to cipher algorithm and key length but I dont get what problem IOS has with my certificates.
THe public cert of the root is added as trusted in IOS via profiles. Because it is not working I even added the intermediate and the cert itself as trusted profile. I also tried to add the whole chain as an IOS profile.
Here is the server certificate
[tsu@localhost knas]$ openssl x509 -noout -text -in 20201109_knas_crt.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
0e:bc:6e:2f:a4:b8:9d:80:1b:96:e7:45:54:2d:4d:6a:99:00:0f:7b
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = DE, ST = Saarland, O = Thomas Sulz private, OU = intermediate, CN = intermediate.wodarz.name, emailAddress = thomas@tsulz.de
Validity
Not Before: Nov 9 20:04:41 2020 GMT
Not After : Sep 5 20:04:41 2021 GMT
Subject: C = DE, ST = Saarland, L = Saarbruecken, O = Thomas Sulz private, OU = knas, CN = knas.spdns.org, emailAddress = thomas@tsulz.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
00:ea:40:50:bd:f3:5f:f5:1d:66:8b:c1:01:a0:cd:
...
ce:a0:be:8b:77:88:96:e0:0a:d1:8e:7d:58:c4:8b:
55:0f:b7
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Server Certificate
X509v3 Subject Key Identifier:
CE:1D:6A:CE:4C:B5:F9:DF:ED:1B:57:EF:FF:2D:3D:8C:C2:83:B3:46
X509v3 Authority Key Identifier:
keyid:5C:E8:02:D9:44:27:66:20:E2:61:B6:D5:47:46:6B:15:A7:6D:70:C1
DirName:/C=DE/ST=Saarland/L=Saarbruecken/O=Thomas Sulz private/OU=root/CN=root.thsulz.de/emailAddress=thomas@tsulz.de
serial:01
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:knas.spdns.org, DNS:tsulz81.synology.me, IP Address:192.168.1.20, IP Address:192.168.1.21
Signature Algorithm: sha256WithRSAEncryption
0e:c4:ba:de:22:1c:4a:13:e7:5c:7f:f2:4b:d1:ff:63:41:7f:
...
3e:ac:a0:4f:61:7b:b5:2d
here the intermediate certificate:
[tsu@localhost intermediate]$ openssl x509 -noout -text -in 20201109_tsulz_intermediate_crt.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = DE, ST = Saarland, L = Saarbruecken, O = Thomas Sulz private, OU = root, CN = root.tsulz.de, emailAddress = thomas@tsulz.de
Validity
Not Before: Nov 9 19:30:32 2020 GMT
Not After : Nov 7 19:30:32 2030 GMT
Subject: C = DE, ST = Saarland, O = Thomas Sulz private, OU = intermediate, CN = intermediate.tsulz.de, emailAddress = thomas@tsulz.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
00:d7:20:3b:a5:06:df:16:ce:8f:d7:a9:b6:07:5a:
83:36:3d:87:74:30:b7:80:1e:b1:46:4f:08:cf:c8:
09:30:fd
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
5C:E8:02:D9:44:27:66:20:E2:61:B6:D5:47:46:6B:15:A7:6D:70:C1
X509v3 Authority Key Identifier:
keyid:5E:DE:69:96:9A:33:AC:3D:13:55:4E:FD:5B:AD:30:A8:7D:06:94:94
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
05:58:75:ce:40:6f:86:37:de:e1:b7:f1:5d:2d:17:82:c7:e8:
1a:8e:52:01:6c:b5:91:c7
