Re-Hashed: How to Trust Manually Installed Root Certificates in iOS 10.3


Apple Tweaked Trust Settings for Profiles, Here’s How to Trust Manually Installed Root Certificates in iOS 10.3.

Apple has introduced a change to how root certificates manually installed via profiles are trusted, requiring an additional explicit action.

Users on iOS 10.3 (and later) who install custom profiles will need to dive into the settings menu to manually turn on trust for any included root certificates. Because it’s rather easy to install a profile, this is an important security measure that makes it slightly harder for a user to inadvertently trust a new root which could then issue device-trusted certificates for any website or service.

Roots installed with Apple Configurator or Mobile Device Management (dedicated tools for enterprise deployment) will still be automatically trusted.


The Security Risk of Profiles

Profiles are configuration files which make it easy to deploy custom settings to an iPhone or iPad. These profiles can contain information needed to access a network or configure email accounts.

Corporations and universities use profiles to easily deploy the settings needed to get a new device onto their network. Consumer-facing services like Xfinity Wifi and Manhattan’s LinkNYC use profiles to allow users to get on their public wifi.

But many users may not realize how powerful profiles can be. Many profiles, such as this one used by Comcast’s Xfinity Wifi, contain root certificates which can be used to establish secure connections.

Trusting a malicious root is one of those nuclear-level “game over” scenarios. In fact, Chromium (the open-source project Google’s Chrome is based on) acknowledges that if an attacker can install a root onto your device, there is nothing the browser can do to protect you.

On Windows and OS X, that is reasonable. Trusting a root on Windows, for instance, takes quite a few steps, including downloading the root, opening the file on your computer, and then going through an import wizard.

On iOS, it is a different story. In Safari, just clicking a button on a webpage can prompt a system dialog to install a custom “profile” which can include root certificates for your device to trust. While this still requires explicit user action, the simplicity of iOS makes it much easier for a user to naively follow this process thinking it’s the normal or proper thing to do.

This could be used maliciously. After a user installs a profile, the new certificates could be used in a man-in-the-middle attack. This has always been a known vulnerability, but has not been of major concern because while feasible, it’s impractical in most attack scenarios.

While this was not a serious security risk, it’s still good to see Apple adding one more level of ‘are you sure’ checks before allowing a root certificate to run wild.
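Because the risk comes from roots buried inside an otherwise ordinary profile, it helps to know what a profile would add to the trust store before anyone installs it. The following is an added example, not code from the original post: it assumes an unsigned XML .mobileconfig (a plist) and Apple's root-certificate payload type, and lists each root payload with its SHA-256 fingerprint so an administrator can audit a profile, or a user can confirm which root they are about to toggle trust for. The embedded profile and certificate bytes are constructed placeholders.

```python
import hashlib
import plistlib

# Payload type Apple uses for root certificates inside a configuration profile.
# Assumption: an unsigned XML .mobileconfig; a signed (CMS-wrapped) profile
# would need to be unwrapped before plistlib can parse it.
ROOT_PAYLOAD_TYPE = "com.apple.security.root"

# Constructed sample: a Wi-Fi profile that also carries one root certificate.
# The certificate bytes are a placeholder, not a real DER-encoded certificate.
FAKE_DER = b"\x30\x82\x01\x00PLACEHOLDER-NOT-A-REAL-CERT"
SAMPLE_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Campus Wi-Fi",
    "PayloadIdentifier": "example.wifi",
    "PayloadContent": [
        {"PayloadType": "com.apple.wifi.managed", "PayloadDisplayName": "Wi-Fi"},
        {"PayloadType": ROOT_PAYLOAD_TYPE, "PayloadDisplayName": "Campus Root CA",
         "PayloadIdentifier": "example.root", "PayloadContent": FAKE_DER},
    ],
}

def sample_profile_bytes(include_root: bool = True) -> bytes:
    """Serialize the constructed sample profile, optionally without its root payload."""
    profile = dict(SAMPLE_PROFILE)
    if not include_root:
        profile["PayloadContent"] = [p for p in SAMPLE_PROFILE["PayloadContent"]
                                     if p["PayloadType"] != ROOT_PAYLOAD_TYPE]
    return plistlib.dumps(profile)

def root_certs_in_profile(mobileconfig_bytes: bytes) -> list:
    """Return one entry (name, identifier, SHA-256 fingerprint) per root payload.

    Only top-level payloads are inspected; the fingerprint is over the DER
    bytes exactly as the profile would hand them to the device.
    """
    profile = plistlib.loads(mobileconfig_bytes)
    found = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != ROOT_PAYLOAD_TYPE:
            continue
        der = payload.get("PayloadContent", b"")
        found.append({"name": payload.get("PayloadDisplayName", "<unnamed>"),
                      "identifier": payload.get("PayloadIdentifier", "<no identifier>"),
                      "sha256": hashlib.sha256(der).hexdigest()})
    return found

def profile_installs_roots(mobileconfig_bytes: bytes) -> bool:
    """True if installing this profile would add at least one root to the device."""
    return bool(root_certs_in_profile(mobileconfig_bytes))

if __name__ == "__main__":
    for root in root_certs_in_profile(sample_profile_bytes()):
        print(f"{root['name']} ({root['identifier']}): SHA-256 {root['sha256']}")
```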

How Do You Trust Manually Installed Root Certificates in iOS?

If your users are on iOS 10.3, they will need to follow these steps to trust a certificate included in a profile:

  1. Ensure they have installed the profile on their device.
  2. Open Settings.
  3. Navigate to General and then About.
  4. Select Certificate Trust Settings.
  5. Each root that has been installed via a profile will be listed below the heading Enable Full Trust For Root Certificates. Users can toggle on/off trust for each root.

If you are dealing with a large number of organization-controlled devices, you may want to consider using Apple Configurator or Mobile Device Management. Both of these tools are geared towards enterprise, and will automatically trust any included certificates.


Re-Hashed is a regular feature on Hashed Out where we feature an older article that some of our newer readers may not have had an opportunity to read yet. We also take a few minutes to update it as needed. We hope you enjoy, and thanks for reading!

17 comments
  • I really appreciate that I came across this posting. Thank you for explaining how to deal with a problem that I have been chasing for over four days. My devices are running iOS 10.3.2.

    At our college, we have a non-Internet server available only on our internal LAN. We use that server to process screen recordings using an app on iOS. I have several devices, so used Apple Configurator2 to install a profile that contains the (self-created by internal CA) root certificate for that server. The server is a Windows box running IIS7, and I have installed a certificate signed by that CA/root certificate.

    There are two situations that differ from your posting above, though:
    1) The Apple Configurator 2 profile builder indicates that the root certificate is *not* trusted. I don’t see a method for indicating or setting that trust. The profile does allow the certificate to be applied to the devices, however.

    Once the profile is installed on the device, I can view that certificate from (Settings) General -> Profile -> [select profile] -> More details. There, I tap the certificate and can read its contents, confirming it is the root cert I intended.
    2) Following the steps above to manually trust the root cert, (Settings) General -> About -> Certificate Trust Settings, there I only see the current version of the trust store (2016102100). The certificate that my profile installed is *not* listed and, thereby, has no toggle to set the trust. There is a link to “Learn more about trusted certificates” — but that Apple site only shows the list of available trusted root certificates in iOS.

    So, even though this article seemed the most helpful, it has not solved my problem.

  • …continuing:
    I poked around a bit on the macbook where I run Configurator2. I had previously installed the root certificate into the “System” Keychain, but I noticed today that the cert indicated it wasn’t trusted. I was able to configure some trust settings there in the Keychain and save them. Then, when I looked at the profile in Configurator2, the cert was marked as trusted! Oh rapture! I reinstalled the profile on my device. There is still no indication of the cert at all under Settings/ General/ About/ Certificate Trust Settings.

    Unfortunately, the app I need to use doesn’t seem to know about the cert… or there are other issues yet to be discovered.

  • This info solved my issue. Thank you so much for posting this info. I thought installing the profile was the only thing I had to do. Cheers

    • What was the resolution to your issue, as I am having the exact same problem: no certificates listed under Certificate Trust Settings.

  • Even I am having the same certificate issue, which I cannot trust the certificate manually on iPad.
    Please suggest any solutions

  • Hello from Mobile Device world, I am trying to get the CA root certificate to trust on multiple devices. I am using a MDM to push the CA to the devices, but it still not trusting the certificate onto the devices. You can see the certs under the profile, but the certs are not installing so there is no way to trust the cert on the device

  • I’m irritated. I also see the *untrusted* profile in Profiles, but nothing to select from in trust settings. But some DO see profiles there and seem to be able to switch on trust.

    So my question is: What’s the difference? In which way do those certs that don’t show up – or the device configs – differ? Does it only work on managed devices? Do only certain roots (no MD5?) work? Does one have to prepare a profile? With what tool? (The original Apple device config tool seems to be no longer available.)

  • Same as Nursoda, I see my “Not Verified” profile in profiles, but it doesn’t show up under the certificate trust settings area. Also, If I remove all profiles, I still have an option left under certificate trust settings that can’t be turned off. Shouldn’t that disappear when I remove the profile? Or at least shouldn’t I be able to turn it off with the slider?

  • It’s so simple; you were a complete moron to waste your hard earned money on CRAPPLE. They make fools of their slaves. Go ahead, shine your master’s shoes, you stupid moronic slave; you were dumb enough to buy Apple, now serve your sentence!


Author

Vincent Lynch

The SSL Store’s encryption expert makes even the most complex topics approachable and relatable.