I have created a CA, server and client certificates with OpenSSL for my application. When I look under profiles, the root CA shows up as "Trusted", but my server and client certificates (which are signed by my CA) show up as "Not Trusted".

These certificates show up as being signed by the root CA, and work correctly under IE or Chrome.

  1. Why don't these work?
  2. Any way to debug why they show up as "not trusted"?
Brad
  • How did you add your CA to the list of trusted CAs on your iOS device? How would you expect a user to add your CA? – Jeffery Thomas Sep 08 '12 at 22:59
  • I just clicked on the .CRT file from a web browser. (Or email message? I've done it both ways.) Not worrying about how to deploy in the actual real world - just trying to get the certs working right now! – Brad Sep 09 '12 at 01:20
  • Let me get something clear… You are setting up either a web application targeted for iOS, or your iOS app is using a web service which is communicating via HTTPS. – Jeffery Thomas Sep 09 '12 at 02:49
  • Right now I am doing it as a Web App. I am communicating via https, but just trying to get the initial credentials/certificates to work, because I want to do (client-side) certificate-based authentication (ssl/https). – Brad Sep 10 '12 at 13:02

2 Answers

I am speculating that it occurred because I was only using a small (512 or 1024) byte certificate. When I used a newer version of OpenSSL to create a 2048-byte certificate, it started working.

I still have to verify if there is indeed a minimum-acceptable key length in iOS.

Brad
  • P.S. Some dude told me this in email. I can't corroborate it, but am passing it on: "I found the problem. It has something to do with using different hash functions (md5 vs sha1) in the signing root certificate and the issued client certificate. Apple doesn't like it. But just Apple, because in Windows the certificate was accepted as trusted." – Brad Mar 19 '13 at 17:03
  • Important thing to note - it's not only YOUR certificate that needs to be signed with SHA-1, but any signers' (i.e. Root CA) certificates. Behavior is weird. It will install a CA certificate with an MD5 hash and show it as "trusted". However, if you then install a client certificate that *is* SHA-1, but was SIGNED with a certificate which itself was MD5, your CLIENT certificate will be "untrusted". i.e. Your client certificate was FINE, but was untrusted because the signer (root CA) was MD5, even though it is "trusted". – Brad Aug 23 '13 at 01:40
  • I found that removing the `email` specification from my CA’s `subjectAltName` caused iOS to suddenly be able to trust it. – binki Apr 22 '14 at 22:04
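The answer and its comments point at two chain properties (key size and the digest used to sign each certificate, the CA's included) without showing how to inspect them. The script below is an added example, not code from the thread: it uses the openssl CLI to verify a leaf against its CA and print the key size and signature algorithm of both, flagging RSA keys under 2048 bits and MD5/SHA-1 signatures. The file names and the 2048-bit threshold are assumptions for the example.

```shell
#!/bin/sh
# Audit a leaf certificate and its issuing CA for the two properties this
# thread associates with iOS reporting "Not Trusted": RSA keys shorter than
# 2048 bits and MD5/SHA-1 signatures anywhere in the chain.
# Requires the openssl CLI.  Usage: sh audit_chain.sh leaf.pem ca.pem

cert_sig_alg() {
  # First "Signature Algorithm:" line, e.g. sha256WithRSAEncryption
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

cert_key_bits() {
  # Key size; matches "Public-Key: (2048 bit)" and "RSA Public-Key: (2048 bit)"
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

audit_cert() {
  # Prints "<file>: <bits>-bit key, <alg>, OK|WEAK(key)|WEAK(sig)"
  bits=$(cert_key_bits "$1"); alg=$(cert_sig_alg "$1"); verdict=OK
  if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then verdict="WEAK(key)"; fi
  case "$alg" in md5*|sha1*) verdict="WEAK(sig)";; esac
  echo "$1: ${bits:-?}-bit key, $alg, $verdict"
}

audit_chain() {
  # $1 = leaf certificate, $2 = CA certificate (both PEM). Exit status is
  # non-zero when the chain does not verify or either certificate is weak,
  # so the function can gate a build or deployment step.
  rc=0
  if ! openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo "chain does not verify against $2"; rc=1
  fi
  for f in "$1" "$2"; do
    line=$(audit_cert "$f"); echo "$line"
    case "$line" in *WEAK*) rc=1;; esac
  done
  return $rc
}

if [ "$#" -eq 2 ]; then audit_chain "$1" "$2"; fi
```

Run it once against the client certificate and the CA, and once against the server certificate and the CA; a WEAK line on the CA itself explains the "trusted CA, untrusted leaf" behaviour the comments describe.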
The iPhone Configuration Utility allows you to install and manage all kinds of configuration settings, including root certificate authorities.

It should give you the ability to see what CAs you have on your device, add new ones, and remove any that are causing your problems.

Jeffery Thomas
  • Awesome - I will check it out! Though I'm skeptical it will tell my *why* they're not correct... – Brad Sep 10 '12 at 19:01