Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
680 views
in Technique[技术] by (71.8m points)

ssl - How to install self-signed certificates in iOS 11

I've been using self-signed certificates in the intranet of my small office and after upgrading to iOS 11, the certificates does not work for me. (Chrome and other browsers are happy with them.)

I've got my self-signed root ca file and converted it to .der file, and installed it onto my iPad via web.

ipad with cert

But unlike this Answer, I can't see my root ca certificate on the Settings > General > About > Certificate Trust settings.

no cert??

Is there any limitations for the certificates to be trusted in iOS? Both my iPhone and iPad has this problem. Is there anything wrong in my procedure?

I used these codes to make my ca certificate.

openssl genrsa -des3 -out rootCA.key 4096

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt

openssl x509 -in rootCA.crt -out cert.der -outform DER
See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

If you are not seeing the certificate under General->About->Certificate Trust Settings, then you probably do not have the ROOT CA installed. Very important -- needs to be a ROOT CA, not an intermediary CA.

This is very easy to determine by using openssl:

$ openssl s_client -showcerts -connect myserver.com:443 </dev/null

This will show you output for certificates in the cert chain, something like this:

    Certificate chain
     0 s:/C=US/ST=California/L=SAN FRANCISCO/O=mycompany.com, inc./OU=InfraSec/CN=myserver.com
       i:/C=US/O=mycompany.com, inc./CN=mycompany.com Internal CA 1A
    -----BEGIN CERTIFICATE-----
    ....encoded cert in PEM format....
    -----END CERTIFICATE-----

And it should show a chain of certs all the way to the ROOT CA. Keep following the output, paying attention to the "i:" value which indicates the ISSUER. Finally, you should get to the ROOT CA and can just copy-paste it to a .pem file (be sure to include the BEGIN CERTIFICATE and END CERTIFICATE lines!). Now you will be able to install it on your simulator by dragging-dropping onto simulator window.

If your ROOT CA is not listed, then find the top level in the output, then export it from Keychain Access.app. This assumes you are able to hit the website via Safari/Chrome, so you will have had to manually trust the website first.

My 'openssl s_client' output ended with the last cert shown with an issuer like this:

i:/C=US/O=mycompany.com, inc./CN=mycompany.com Internal Root CA 1

I am able to hit the target website successfully via Safari/Chrome, so that means Keychain has it stored and trusts it. So, I just launched Keychain Access.app via Spotlight and typed "mycompany" in the search bar. It showed my certificate (Kind=certificate) for "mycompany.com Internal Root CA 1". I just right clicked and selected "Export" and saved it to a .cer file.

Voila! Now I can drag-n-drop it onto my simulator and the ROOT CA will show up under General->About... and I can enable it.

If, for some reason you need to convert PEM file to DER/CER, just use this command:

$ openssl x509 -in myfile.pem -out myfile.der -outform DER

Hope this helps, I've had to do this dozens of times and figured it's about time I jot down some notes so I don't keep forgetting.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...