3

I create a self-signed certificate by using this:

openssl req \
    -newkey rsa:2048 \
    -x509 \
    -nodes \
    -keyout myKey.key \
    -new \
    -out myCert.crt \
    -subj /CN=my.domaine.any \
    -config ./myConfig.cnf \
    -reqexts SAN \
    -extensions SAN \
    -sha256 \
    -days 365

The content of myConfig is:

[ req ]
default_bits        = 2048
distinguished_name  = req_distinguished_name
req_extensions      = SAN
extensions          = SAN
[ req_distinguished_name ]
countryName         = myCountry
stateOrProvinceName = myProvince
localityName        = myCity
organizationName    = myOrgan
[SAN]
subjectAltName      = DNS:my.domaine.any
extendedKeyUsage    = serverAuth

I checked the iOS certificate requirements that I found here: https://support.apple.com/en-us/HT210176 (I hope I have everything).

I am able to install the certificate into Settings > General > Profile.

But I can't trust my certificate, because when I go to Settings > General > About > Certificate Trust Settings, I don't see any certificate.

Any clue?

bosure

2 Answers

5

I found what was missing from my configuration.

This should be added in the [SAN] part:

basicConstraints=CA:TRUE,pathlen:0

and it works!

bosure
0

Make sure that when you send the certificate to your phone you don't also export the private key. Safari won't trust it and it won't appear under the Certificate Trust Settings.

I'm using PowerShell on Windows and was using the command Export-PFXCertificate, which includes the private key. Using the command Export-Certificate instead worked.

Simon_Weaver
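
The checks from both answers, as an added example that is not code from the original posts: it regenerates the question's certificate with the `basicConstraints` line from the first answer, then confirms that the file sent to the device is a certificate only, with no private key. Function names are hypothetical and a PEM-encoded file is assumed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, file names follow the question.

# The question's config plus the basicConstraints line from the first answer.
# Extensions are selected with -extensions SAN on the command line.
write_config() {  # write_config <config-out>
    cat > "$1" <<'EOF'
[ req ]
default_bits        = 2048
distinguished_name  = req_distinguished_name
[ req_distinguished_name ]
countryName         = myCountry
[ SAN ]
subjectAltName      = DNS:my.domaine.any
extendedKeyUsage    = serverAuth
basicConstraints    = CA:TRUE,pathlen:0
EOF
}

make_cert() {  # make_cert <config> <key-out> <cert-out>
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj /CN=my.domaine.any -config "$1" -extensions SAN \
        -keyout "$2" -out "$3"
}

# check_for_ios <pem-file>: succeeds only if the file is a bare certificate
# carrying the extensions discussed on this page.
check_for_ios() {
    # Second answer: the file sent to the phone must not include the key.
    if grep -q 'PRIVATE KEY' "$1"; then
        echo "FAIL: $1 contains a private key"; return 1
    fi
    # A PKCS#12 (.pfx) bundle is not a PEM certificate and fails to parse here.
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || {
        echo "FAIL: $1 is not a PEM certificate"; return 1; }
    # First answer: basicConstraints must mark the certificate as a CA.
    for want in 'CA:TRUE' 'DNS:my.domaine.any' 'TLS Web Server Authentication'; do
        printf '%s\n' "$text" | grep -q "$want" || {
            echo "FAIL: '$want' not found in $1"; return 1; }
    done
    echo "OK: $1"
}

# Usage: write_config myConfig.cnf &&
#        make_cert myConfig.cnf myKey.key myCert.crt && check_for_ios myCert.crt
```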