Re-Hashed: How to Trust Manually Installed Root Certificates in iOS 10.3

Apple Tweaked Trust Settings for Profiles, Here’s How to Trust Manually Installed Root Certificates in iOS 10.3.

Apple has introduced a change to how root certificates manually installed via profiles are trusted, requiring an additional explicit action.

Users on iOS 10.3 (and later) who install custom profiles will need to dive into the Settings menu and manually turn on trust for any root certificates the profile contains: the root is installed, but it is not trusted for secure connections until the user flips the switch. Because it is rather easy to install a profile, this is a useful security measure that makes it a little harder for a user to inadvertently trust a new root, which could otherwise issue device-trusted certificates for any website or service.

Roots installed with Apple Configurator or Mobile Device Management (dedicated tools for enterprise deployment) will still be automatically trusted.


The Security Risk of Profiles

Profiles are configuration files which make it easy to deploy custom settings to an iPhone or iPad. These profiles can contain information needed to access a network or configure email accounts.

Corporations and universities use profiles to easily deploy the settings needed to get a new device onto their network. Consumer-facing services like Xfinity WiFi and Manhattan’s LinkNYC use profiles to let users get on their public Wi-Fi.

But many users may not realize how powerful profiles can be. Many profiles, such as the one used by Comcast’s Xfinity WiFi, contain root certificates, and a root certificate is not merely a network setting: any certificate chaining to a trusted root will be accepted by the device when establishing secure connections.

Trusting a malicious root is one of those nuclear-level “game over” scenarios. In fact, Chromium (the open-source project Google’s Chrome is based on) acknowledges that if an attacker can install a root onto your device, there is nothing the browser can do to protect you.

On Windows and OS X, that is a reasonable position. Trusting a root on Windows, for instance, takes quite a few steps, including downloading the root, opening the file on your computer, and then going through an import wizard.

On iOS, it is a different story. In Safari, just clicking a button on a webpage can prompt a system dialog to install a custom “profile”, which can include root certificates for your device to trust. While this still requires explicit user action, the simplicity of iOS makes it much easier for a user to naively follow the process, thinking it’s the normal or proper thing to do.

This could be used maliciously. Once a user installs such a profile, certificates issued by the new root could be used in a man-in-the-middle attack against any TLS connection the device makes. This has always been a known weakness, but it has not been a major concern because, while feasible, it depends on the victim walking through the install prompts and so is impractical in most attack scenarios.

While this was not a serious security risk, it’s still good to see Apple adding one more level of ‘are you sure’ checks before allowing a root certificate to run wild.

How Do You Trust Manually Installed Root Certificates in iOS?

If your users are on iOS 10.3 or later, they will need to follow these steps to trust a root certificate included in a profile:

  1. Ensure they have installed the profile on their device.
  2. Open Settings.
  3. Navigate to General and then About.
  4. Select Certificate Trust Settings.
  5. Each root that has been installed via a profile will be listed below the heading Enable Full Trust For Root Certificates. Users can toggle trust on or off for each root; until the toggle is on, the root is installed but not used to validate secure connections.

If you are dealing with a large number of organization-controlled devices, consider using Apple Configurator or Mobile Device Management instead. Both of these tools are geared toward enterprise deployment, and roots they install are trusted automatically, so the manual toggle is not needed.
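The two halves of the discussion above, a profile that bundles a Wi-Fi payload with a root-certificate payload and the check a cautious user would run on such a profile before tapping Install, as an added example in Python that is not part of the original article and not Apple’s or Comcast’s code. It builds a hotspot-style .mobileconfig (an XML property list) carrying a `com.apple.wifi.managed` payload and a `com.apple.security.root` payload, then parses a profile and lists every root CA it would install, with its SHA-256 fingerprint. The certificate bytes (`FAKE_ROOT_DER`), organization identifiers and SSID are constructed placeholders, not a real CA.

```python
"""Build and inspect iOS configuration profiles (.mobileconfig) that carry root CAs.

Added example, not code from the article. FAKE_ROOT_DER is a constructed
stand-in for a DER-encoded root certificate so the script runs offline;
replace it with the bytes of a real .cer/.der file for a real deployment.
"""
import hashlib
import plistlib
import uuid

ROOT_PAYLOAD_TYPE = "com.apple.security.root"   # root-certificate payload type
WIFI_PAYLOAD_TYPE = "com.apple.wifi.managed"    # Wi-Fi network payload type

# Constructed placeholder bytes, NOT a real certificate.
FAKE_ROOT_DER = b"\x30\x82\x01\x00" + b"example-root-ca-der-bytes" * 4


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the raw DER, the fingerprint you compare with the CA you expect."""
    return hashlib.sha256(data).hexdigest()


def root_payload(cert_der: bytes, name: str, ident: str) -> dict:
    """One root-certificate payload. On iOS 10.3+ a profile-installed root like this
    appears under Certificate Trust Settings with its trust toggle OFF."""
    return {
        "PayloadType": ROOT_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": ident,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadCertificateFileName": "root-ca.cer",
        "PayloadContent": cert_der,   # plistlib writes bytes as a base64 <data> element
    }


def wifi_payload(ssid: str, ident: str) -> dict:
    """A minimal open-network Wi-Fi payload, the kind a hotspot profile carries."""
    return {
        "PayloadType": WIFI_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": ident,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Wi-Fi ({ssid})",
        "SSID_STR": ssid,
        "EncryptionType": "None",
        "AutoJoin": True,
    }


def build_profile(payloads: list, org: str, name: str) -> bytes:
    """Wrap payloads in a top-level Configuration profile and serialise it as XML plist."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadOrganization": org,
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile)


def roots_in_profile(mobileconfig: bytes) -> list:
    """Return [(display name, SHA-256 fingerprint)] for every root-CA payload.

    Run this on a downloaded profile before installing it: a "just Wi-Fi" profile
    that also ships a root CA is exactly the case the article warns about.
    """
    profile = plistlib.loads(mobileconfig)
    roots = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == ROOT_PAYLOAD_TYPE:
            roots.append((payload.get("PayloadDisplayName", "(unnamed)"),
                          sha256_hex(payload["PayloadContent"])))
    return roots


if __name__ == "__main__":
    hotspot = build_profile(
        [wifi_payload("Example Hotspot", "com.example.wifi"),
         root_payload(FAKE_ROOT_DER, "Example Root CA", "com.example.root")],
        "com.example", "Example Hotspot")
    for name, fingerprint in roots_in_profile(hotspot):
        print(f"root CA payload: {name}  sha256={fingerprint}")
```

Two caveats for real profiles: many deployed .mobileconfig files are signed, which wraps the plist in a CMS (PKCS#7) envelope that `plistlib` cannot read directly; unwrap it first with `openssl smime -inform DER -verify -noverify -in profile.mobileconfig` and feed the output to `roots_in_profile`. And a fingerprint only helps if you know the fingerprint of the CA you expect; an unknown root in a profile that was supposed to be Wi-Fi settings only is a reason not to install it.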

Re-Hashed is a regular feature on Hashed Out where we feature an older article that some of our newer readers may not have had an opportunity to read yet. We also take a few minutes to update it as needed. We hope you enjoy, and thanks for reading!

  • I really appreciate that I came across this posting. Thank you for explaining how to deal with a problem that I have been chasing for over four days. My devices are running iOS 10.3.2.

    At our college, we have a non-Internet server available only on our internal LAN. We use that server to process screen recordings using an app on iOS. I have several devices, so I used Apple Configurator 2 to install a profile that contains the (self-created by internal CA) root certificate for that server. The server is a Windows box running IIS7, and I have installed a certificate signed by that CA/root certificate.

    There are two situations that differ from your posting above, though:
    1) The Apple Configurator 2 profile builder indicates that the root certificate is *not* trusted. I don’t see a method for indicating or setting that trust. The profile does allow the certificate to be applied to the devices, however.

    Once the profile is installed on the device, I can view that certificate from (Settings) General -> Profile -> [select profile] -> More details. There, I tap the certificate and can read its contents, confirming it is the root cert I intended.
    2) Following the steps above to manually trust the root cert, (Settings) General -> About -> Certificate Trust Settings, there I only see the current version of the trust store (2016102100). The certificate that my profile installed is *not* listed and, thereby, has no toggle to set the trust. There is a link to “Learn more about trusted certificates” — but that Apple site only shows the list of available trusted root certificates in iOS.

    So, even though this article seemed the most helpful, it has not solved my problem.

  • …continuing:
    I poked around a bit on the MacBook where I run Configurator 2. I had previously installed the root certificate into the “System” Keychain, but I noticed today that the cert indicated it wasn’t trusted. I was able to configure some trust settings there in the Keychain and save them. Then, when I looked at the profile in Configurator 2, the cert was marked as trusted! Oh rapture! I reinstalled the profile on my device. There is still no indication of the cert at all under Settings / General / About / Certificate Trust Settings.

    Unfortunately, the app I need to use doesn’t seem to know about the cert… or there are other issues yet to be discovered.

  • Ahhhhhhhh…breaking Citrix services again for clients. Thanks for nothing Apple!!! 10.3.2 is shot!

  • This info solved my issue. Thank you so much for posting this info. I thought installing the profile was the only thing I had to do. Cheers

    • What was the resolution to your issue, as I am having the exact same problem? No certificates are listed under Certificate Trust Settings.

  • I am having the same certificate issue too: I cannot trust the certificate manually on the iPad.
    Please suggest any solutions.

  • Hello from the Mobile Device world. I am trying to get the CA root certificate trusted on multiple devices. I am using an MDM to push the CA to the devices, but it is still not trusting the certificate on the devices. You can see the certs under the profile, but the certs are not installing, so there is no way to trust the cert on the device.

  • I’m irritated. I also see the *untrusted* profile in Profiles, but nothing to select from in trust settings. But some DO see profiles there and seem to be able to switch on trust.

    So my question is: What’s the difference? In which way do those certs that don’t show up – or the device configs – differ? Does it only work on managed devices? Do only certain roots (no MD5?) work? Does one have to prepare a profile? With what tool? (The original Apple device config tool seems to be no longer available.)

  • Same as Nursoda, I see my “Not Verified” profile in Profiles, but it doesn’t show up under the Certificate Trust Settings area. Also, if I remove all profiles, I still have an option left under Certificate Trust Settings that can’t be turned off. Shouldn’t that disappear when I remove the profile? Or at least shouldn’t I be able to turn it off with the slider?

  • It’s so simple; you were a complete moron to waste your hard-earned money on CRAPPLE. They make fools of their slaves. Go ahead, shine your master’s shoes, you stupid moronic slave; you were dumb enough to buy Apple, now serve your sentence!

    • You are so, so right, John. No wonder they have lost so big to Android. But I have some clients that have an iPhone or iPad and I really can’t install this fuc..i.n..g certificate on them. On my Android it took me around 30 sec. to install. JESUSSSSSS

  • I have gone through the same experience for the past 3 days. I have tried everything possible; I’ve gone through web searches, YouTube, you name it, and I couldn’t configure the trust certificate or change the number. So therefore: back up all your documents and your files, delete, sign out from your Apple ID and destroy the device and get yourself a new device. As we are not trying to reinvent the wheel, go back to their old tricks; if a thing doesn’t work, get rid of it, don’t take the risk, absolutely zero risk. I was troubleshooting for days. I’ll just put it as an example: if you have a toothache, what would you do with it? You try to fix it; if it doesn’t work, yank it out.

  • It’s the fucking Apple world. I will sell everything I have from Apple and never spend a penny on their products.

  • As with most folk above, I can see the certificate profile, it’s not “verified”, but it’s not showing up to allow me to “trust” it. iOS 11 and iOS 14 – any clues please?

  • This worked, but with some minor different steps.
    1. Send the root certificate file via mail.
    2. In the mail client, add the certificate.
    3. Go to Settings -> About -> Profile.
    4. Hit “Install certificate” or something similar, can’t remember. The Profile option then disappears from the menu.
    5. Go to Certificate Trust Settings. Voila. Trust the certificate. Done.
    iOS 12

  • Wow, thanks for this valuable and informative blog, guys. I was looking for the same issue. I would like to appreciate the author as well for the informative blog.

  • When someone shares valuable information on the web, it is our responsibility to appreciate the writers of those articles and blogs because these days valuable and informative information is rarely seen.
