Work in progress.
The content still has to be rewritten in good English; it originates from a tutorial written in French.
A temporary document is available on Google Docs.
Import and activate CAcert root certificates on iOS
This guide describes how to import CAcert root certificates into a mobile device running iOS, so that CAcert will be recognized as a trusted CA by this device. Thus, the operating system and the installed applications will accept all the client and server certificates signed by CAcert by means of one or the other of its root certificates.
As you probably already know, CAcert makes two root certificates available to the public:
Root CA SHA256 | Class 1 root certificate, self-signed using the SHA256 algorithm | SN 0x00000F (15)
Class 3 Root SHA256 | Class 3 intermediate root certificate, signed by Root CA with the SHA256 algorithm | SN 0x00000E (14)
Since the class 3 certificate is signed by the class 1 certificate, it is sufficient to let iOS know your confidence in the class 1 certificate so that it also automatically trusts the class 3 certificate. Only the class 1 root certificate, which does not receive its validity from any other (because it is self-signed), requires this particular confirmation from the user.
Both root certificates must nevertheless be imported manually onto the mobile device.
iOS - Import and activate
Apple's operating system has its own logic and makes it necessary to distinguish two stages:
1st step - the import of certificates into the device: it is a matter of downloading, then accepting the installation of each of the two certificates; at the end of this step, certificates are available and verified, but are not yet usable;
2nd step - activating the class 1 root certificate on the device: this means explicitly designating the self-signed root certificate as "fully trusted"; at the end of this step, the operating system and applications will be able to use it, and will automatically extend this trust to the Class 3 intermediate certificate.
The user performs these two steps through different screens in the settings of the device.
Importing certificates
To import CAcert Class 1 and 3 root certificates, simply go to the CAcert website using the device's Internet connection:
launch the Safari browser on your iPhone or iPad;
display the web page from which to download Root CA SHA256 and Class 3 Root SHA256 certificates:
Root CA SHA256 | Class 3 Root SHA256
in the Safari browser window, tap the hyperlink that offers the download;
in response to the questions from iOS, agree to install the certificate by always choosing the answer that leads to the next screen.
For example, let's first import the Class 3 Root certificate:
Click on |
Enter the PIN code |
Click again on |
The Class 3 Root certificate is installed |
Note: iOS does not grant "verified" status to the Class 3 Root intermediate root certificate until the Root CA top root certificate has also been imported.
Repeat the same procedure, this time to import the Root CA certificate:
Click on |
Enter the PIN code |
Click again on |
The Root CA certificate is installed |
You can view the list of already installed certificates at any time by returning to the control panel accessible under Settings -> General -> Profiles.
The Profiles configuration panel |
The Class 3 Root certificate |
The Root CA certificate |
The Class 3 Root certificate automatically obtains the verified status as soon as the Root CA certificate has also been imported.
The same procedure has to be repeated individually for each certificate; it does not matter which of the two is imported first.
Enable the class 1 root certificate
The next step in making the certificates usable by the operating system and applications is to let iOS know your trust in the Root CA Class 1 certificate.
For that:
open the control panel accessible under Settings -> General -> About -> Certificate Trust Settings;
the name of the Root CA certificate you just imported appears on this screen; because trust in Class 3 Root follows automatically from trust in Root CA, the control panel does not show the name of the Class 3 Root certificate;
flip the switch to the green position to confirm to iOS your full trust in the CAcert root certificate.
Access the control panel |
Accept to trust the certificate |
Procedure completed |
From that moment on, the CAcert CA is recognized on your mobile device with the same degree of trust as any of the other CAs whose certificates are pre-installed.
Troubleshooting
If the Certificate Trust Settings control panel in the device settings does not display the name of the Root CA certificate, check that the certificate actually imported in the previous step is the Root CA SHA256 certificate and not the Root CA MD5 certificate, the latter now being obsolete. Although the two certificates are the same, recent versions of iOS and other operating systems do not allow the user to trust CAcert's root certificate when it is signed using the MD5 algorithm.
If Root CA MD5 (with serial number 0x000000 (0)) is mistakenly imported, simply delete it from the control panel accessible under Settings -> General -> Profiles and restart the procedure for downloading, installing and trusting the same certificate, taking care this time to choose Root CA SHA256 (with serial number 0x00000F (15)).
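The serial number and signature algorithm that tell the two class 1 roots apart can be read from a downloaded file on a desktop before it is imported. The Python sketch below is an added example, not part of the original guide or of CAcert's tooling: it walks the DER structure of a PEM or DER certificate and names the root by serial and algorithm only. The function names are hypothetical, the roots are assumed to be RSA-signed, no signature is verified, and the sample input is constructed.

```python
import base64

# DER-encoded OID bodies; assumes the roots are RSA-signed.
SIG_ALGS = {bytes.fromhex("2a864886f70d010104"): "md5WithRSAEncryption",
            bytes.fromhex("2a864886f70d01010b"): "sha256WithRSAEncryption"}
# (serial, algorithm) pairs, using the serial numbers listed in this guide.
KNOWN = {(0x0F, "sha256WithRSAEncryption"): "Root CA SHA256",
         (0x0E, "sha256WithRSAEncryption"): "Class 3 Root SHA256",
         (0x00, "md5WithRSAEncryption"): "Root CA MD5 (obsolete)"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def serial_and_sigalg(data):
    """Read serialNumber and signature algorithm from a PEM or DER cert."""
    if data.lstrip().startswith(b"-----BEGIN"):   # PEM: strip armor, decode
        lines = [l for l in data.splitlines() if not l.startswith(b"-----")]
        data = base64.b64decode(b"".join(lines))
    _, cert, _ = read_tlv(data, 0)                # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)                 # tbsCertificate SEQUENCE
    tag, val, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                               # optional [0] version field
        tag, val, pos = read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    _, alg, _ = read_tlv(tbs, pos)                # AlgorithmIdentifier SEQUENCE
    _, oid, _ = read_tlv(alg, 0)                  # algorithm OID
    return int.from_bytes(val, "big", signed=True), SIG_ALGS.get(oid, oid.hex())

def check_root(data):
    """Name the CAcert root a file holds, judged by serial and algorithm only."""
    return KNOWN.get(serial_and_sigalg(data), "not a listed CAcert root")

def constructed_cert(serial, oid_hex):
    """Constructed sample: certificate-shaped DER with a dummy signature."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")
    tbs = tlv(0x30, tlv(0xA0, b"\x02\x01\x02") + tlv(0x02, bytes([serial])) + alg)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00\xAA\xAA"))
```

For a real download, pass the file's bytes, for example `check_root(open(path, "rb").read())`, and import the file only if the result is Root CA SHA256 or Class 3 Root SHA256.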
Relevant iOS versions
This guide has been written for iOS versions 11 and 12.