Solved Automatically generated self signed wildcard certificate doesn't appear to be able to be trusted by ios 13 or greater

ChristopherMag

I have saved and then followed these steps for installing a certificate once it has been sent to a iOS 13.7 iPhone (in my case I used iCloud storage and the Files app to get the certificate onto the device.

After these steps have been completed you should be able enable trust for this certificate like this.

I have also used the iMazing profile editor to create a profile with the auto generated self signed wildcard certificate in case that made a difference.

In all cases the certificate doesn't show up under the "Enable full trust for root certificates" heading on the Settings > General > About > Certificate Trust Settings screen.

Apple published new requirements for certificates that can be trusted in iOS 13 and above.

All of the first set of requirements appear to be met but the last section's bullets appear to be where the problems are:

Additionally, all TLS server certificates issued after July 1, 2019 (as indicated in the NotBefore field of the certificate) must follow these guidelines:

• TLS server certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID.
• TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).

At present it appears that it is not possible for an updated iOS device to trust the automatically generated self signed certificate created by Cloudron.

This blog article provides steps that work, part of the issue being the requirement to have a separate CA cert that is then used to generate the TLS Web Server Authentication cert that ultimately is used for the tls connections.

Beyond that it also appears that the 10 year life time on the certificate would have to be reduced to 825 days or less (~2.26 years).

d19dotca

@ChristopherMag That lifespan is the gotcha. Cloudron will need to update the self-signed generated certs I suppose to be no longer than about 2 years.

girish

@ChristopherMag Thanks for the detailed analysis. Good to know! I will reduce the timespan to 2 years.

girish

Before I make this change, I have a question. Are you using the Cloudron generated self-signed certificate for all the apps or was this just the initial setup wizard.

For using certs for apps, it's best to create and set a certificate yourself from Domains -> Advanced. See this - https://docs.cloudron.io/certificates/#custom-certificates . You can also create your own CA as iOS requires and provide Cloudron the full cert file with the intermediate certs attached.

For the initial setup wizard, I have lowered the validity of certs - https://git.cloudron.io/cloudron/box/-/commit/0064ac5ead2740e2f597f53e26db0f2b3307ad29

ChristopherMag

@girish Sorry for the late reply, I the default forum settings were to send me email notifications once a week, I have changed that to daily.

I was trying to use the self-signed certificate for all apps.

I have gone ahead and followed the steps in the blog article I linked to and was able to upload the full CA and web server cert chain to Cloudron and after getting the root certificate authority into all the devices accessing Cloudron everything is working well from Windows and iOS based devices.

It looks like Apple is going to be decreasing the certificate lifetime further down to 398 days so you may want to lower the lifetime down to a year to get ahead of that change.