Science & Engineering CSCE








Common errors: Cannot verify server identity. SSL certificate could not be verified. A self signed certificate and was not issued by a trusted CA.

Self-signed certificates, to a browser, can be dangerous.

How can you use them effectively on iOS?

Using client-side certificates (i.e. Custom CAs).

Browsers normally expect Certified Authorites (CAs) to verify that you own a website domain. Yet, there is no way to verify a certificate for your local IP.

If you need HTTPS on iOS, you may need to create a custom CA and have each iPhone install that CA's CA Certificate.

What are Root CAs, CA Certificates, or client-side certs?

Client-side certificates are like master keys that all your other server-side certs were created with. Installing client-side certs is complex on iOS, but still worth doing. Instead of needing to trust each website's own server-side cert, client-side certs will verify these websites automatically. For the user, it can be a much better experience!

— iOS users need to install client-side certs. —

iOS web apps that want to use MediaDevices and getUserMedia need to have HTTPS. For LAN servers, self-signed client-side certificates work and enable Camera, Microphone, Screen recording, and other APIs in JavaScript.

— Only one cert needs to be installed for all your sites. —

What do I need to make my own client-side certificates?

Simple tools for certs on macOS & linux (see Windows).

            🧮. http-server (simple testing server)
            🖤. openssl (create, edit certificate)
            🗞. makecert (all-in-one tool)

Your first self-signed client-side certificate.

              openssl genrsa -out client-side.key 2048
              openssl req -x509 -sha256 -new -key client-side.key -out client-side.cer -days 365 -subj /CN="My CA Cert."

How does it work?

These commands create two files, your private RSA key & your client-side / master key.

The first command gives you a personal signature. The second makes a certificate signed with the client-side.key.

WARN: This cert is not verified by any official Certificate Authorites

What's next?

You'll need to put client-side.cer on your iOS device.

1) You can use email (email your users), iMessage (group message or private), or host the file on an HTTP server for them to visit & download.

2) When an iOS user opens the file, or taps a download link, it will ask if they would like to install that configuration profile. It will appear right below their picture in the Settings app.

— The install & trust process for certificates is complex on iOS, but it's worth doing. —

3) Next, go into Settings to the configuration profile. Here you can install it.

4) After installing, it will show up in Settings > General right below VPN as Profile. Tap Profile, then your profile will appear. Approve it if it does not say Verified in green.

5) Finally, leave Profile, scroll to the top of General to About. Tap About then scroll to the very bottom. Tap on Certificate Trust Settings. Here you should see your installed & verified profile. Now enable full trust, by toggling the switch.

Your profile is now enabled for HTTPS server-side cert verification.

I installed & verified my client-side certificate. My sites are still not trusted. The server-side certificates are not being verified!

Client-side certificates work by matching its key to the server-side certificate's key. To get this to work, you will need to make your website's server-side cert differently. In addition, Apple has strict & updated requirements for server-side certificates. We will next consider these changes.

— 5 major requirements for server-side certs.
Certs that don't meet these won't be verified. —

Private keys must have a length of 2048

This requirement is met by creating keys openssl genrsa with 2048 or more of key length. Our default tutorial already meets this.

Hash algorithyms much be at least SHA 2 family

This requirement is met by creating certificate requests with openssl req -sha256. Our default tutorial already meets this.

Subject Name (-subj) will not use CN for Servers.

This requirement is more complicated. You will want update openssl to at least 1.1.1. Then you can use -addext to add two new extensions. Here we will add subjectAltName & certificatePolicies. The default tutorial doesn't include this, we will cover it in this article.

NotAfter (-days) cannot be longer than 825 days.

This requirement is met by creating certificates with -days less than 826 days. Our default tutorial already meets this.

ExtendedKeyUsage must contain at least TLS Web Server Authentication.

This requirement is more complicated. We will cover how to meet this further in this article.

            openssl genrsa -out server-side.key 2048
            openssl req -new -subj /CN= 
                -addext "subjectAltName = IP:" 
                -addext "certificatePolicies =" 
                -key server-side.key -out server-side.req
            openssl x509 -req -sha256 -in server-side.req 
                -out server-side.cer -CAkey client-side.key 
                -CA client-side.cer -days 365 
                -extfile <(printf "extendedKeyUsage = serverAuth \n subjectAltName=IP:") 
                -CAcreateserial -CAserial serial 

Command Line Explained

Line one:

Check out the explaination from our first tutorial.

Line two:

Showing only changes from the first tutorial.

-addext Allows you to add extension data for your certificate requests.

subjectAltName An extension for your CN from the first tutorial.

IP: Here you put your own IP or, if you use a domain name,

certificatePolicies This extension value may be important for future iOS certificates.

Line three:

Showing only changes from the first tutorial.

-CA this option needs your client-side cert.

-CAkey this option needs your client-side key.

-CAserial this option creates a file for your certificate serial string.

-CAcreateserial this option forces openssl to create the serial string.

-extfile this option adds a file with all the extensions for your certificate.

<(printf "..." ) this sub-command pretends to create a file and gives it to -extfile.

Ask questions to relations for