Adding Trusted Root Certificate Authorities to iOS (iPad, iPhone)

As manager of a web administration team, we’ve encountered several teams who have had trouble adding internal Certificate Authorities to iPads and iPhones…  and I don’t blame them, it’s not obvious.

To add private CA certs to your iPhone or iPad, you will need:

  • The iPhone Configuration Utility (windows or mac)
  • Your iPhone or iPad physically connected via cable to said windows or mac machine.  It’s tempting to try to add the resulting .mobileconfig by downloading it wirelessly over a browser, but it will not be trusted.
  • The cert file(s)

Once the above requirements are met, do the following:

  1. Start the iPhone Configuration Utility.
  2. Under “Library”, select “Configuration Profiles”
  3. Click the Add New button on the top left.
  4. Fill out the mandatory general information tab contents
  5. Under the Credentials section, add the CA cert or certs.
  6. Attach your iOS device if it is not already connected.
  7. Select your device in the iPhone Configuration Utility, and select its Configuration Profiles tab.
  8. You should see the profile you just created with an “install” button on the right – click it.
  9. On your device, you will see a profile installation dialog – hit the install button and follow directions.

That’s all, the CA profile should be installed and verified with a geen check.   I hope this helps some of you out there.

This process can also be used to install client SSL certs on the iPad.

Share and Enjoy:
  • Print
  • Facebook
  • Twitter
  • PDF

16 Replies to “Adding Trusted Root Certificate Authorities to iOS (iPad, iPhone)”

  1. Unfortunately, although the profile installs correctly, the custom CAs are still not trusted on IOS 6.0.1. Are we missing something?

  2. I’m not sure what’s different from what I did a year ago – my CAs were trusted. On my iPad (still vers 5, as I have an iPad 1) under Settings / General / Profiles I can see the installed certs. Selecting my self-signed CA, I see a green checkmark with “Verified” by it. It’s interesting to note that it reports being signed by “iPhone Configuration Utility”, though it still has itself as the issuer when I view More Details.

  3. My iPhone 4 (iOS 5) also marks it as verified. My iPad (iOS 6.0.1) with exactly the same profile, marks the self-signed CA certificate as “not trusted” and fails https sites under safari and s/mime signed mails. I must say that these certificates are all under a custom self-signed CA, which is not pre-installed in iOS 6.0.1. However, I was able to install it and “trust” it with iOS 5. This feature seems to be gone with iOS 6. Does anyone know of any work-around?
    Thanks for everything.

  4. Following the procedure described you will take care your own certificate authority is trusted. After that you can install your own certificates via p12 files.
    I needed this for a VPN connection which now works

  5. I think I figured it out. IOS 6 does not trust any Root CA that is based on MD5 hashing. It works with SHA1 Roots. This seems pretty strict for ROOT CAs because collision attacks were meaningful only for sub CAs.

  6. Thanks for the hint Dimitris!

    Have been struggling with a similar problem for weeks.
    At first I had trouble with the root cert, but with extensive trial and error, I managed to get that accepted (now I understand that I changed to sha1 at some time).
    But I didn’t get iOS to accept the certificates signed by the root, until I saw this. Those certificates had md5 as signature algorithm, so after a quick change in the configuration, it all started working.

    So, all the certificates in the chain needs to use sha1, if any of them is signed using md5, iOS 6 seems to reject them.

  7. HI,

    I am trying to install the certificates , i have created a certificate and successfully added to DS store, When i go through credential from iphone configuration utility i cannot see the certificate i just stored into DS,
    My certificate name was saththiyan-ipad.cer

    Via the Certificate MMC snap-in (personal certificates), requested a mobile device certificate.
    Subject name: (Common name) devel1-ipad.domain.com
    Alternative name: (DNS) devel1-ipad.domain.com
    Friendly name: Development Team iPad 1 (match the description in the Active Directory computer object you created)
    The certificate should successfully create and return signed by the Issuing CA.
    Export the certificate (no private key) as DER encoded binary X.509 (.CER) by right-clicking on the certificate in the snap-in.
    As an administrator (i.e. a user with Active Directory object modification rights), publish the exported certificate (file) to Active Directory:
    > certutil -v -f -dspublish “devel1-ipad.cer” Machine

    and every thing was success. so now how can i import this certificate to iPhone configuration utility????

Leave a Reply

Your email address will not be published. Required fields are marked *