Installed root certificate is not listed in "Certificate Trust Settings" due to iOS bug

[ceoimon]

No description provided.

[FiloSottile]

I'm not sure I understand the issue, can you provide some more details?

[ceoimon]

I'm trying to use the certificate on my iPhone (running iOS 11.4).

After I installed the certificate(rootCA.pem), it is not showing up in the (Settings > General > About > Certificate Trust Settings) and therefore I can't follow the Enable full trust for root certificates instruction.

I am also able to reproduce the issue on an iPhone simulator:

[J132134]

I have the same problem, too

[ghost]

scep allows the Certificate to be trusted automatically.

https://github.com/micromdm/scep

Also MDM golang server there too :)

[tomodian]

having the same issue.

[FiloSottile]

🤬 https://forums.developer.apple.com/thread/89568

It's a bug in iOS, I'll work around it. Should manage to pull off reissuing the same CA without having to remake all certificates.

[FiloSottile]

Nope, fixing this will require reissuing the roots. I had an idea to misuse AuthorityKeyID (https://twitter.com/FiloSottile/status/1023564776834826240) but turns out we don't add one to our roots =(

[FiloSottile]

This should be fixed in the upcoming v1.0.1 version.

If you have already used mkcert, you need to update it, and then regenerate the root.

mkcert -uninstall
rm -r "$(mkcert -CAROOT)"

Skip the -uninstall step if you want existing certificates to keep working.

[shri3k]

Hey @ceoimon did you ever get this working? I've tried updating mkcert as mentioned by @FiloSottile but I still don't see it in "Certificate Trust Settings".
Installed rootCA.pem on both Emulator and real device and don't see it in "Certificate Trust Settings" on either of them. I'm not sure what I'm doing wrong.

[FiloSottile]

Did you delete the root and regenerated it?

[shri3k]

I think this command essentially does that if I'm not mistaken.

rm -r "$(mkcert -CAROOT)"

I did however went and ran mkcert -uninstall too just for good measure.
I'm scratching my head and wanted to see if others got it working too. This is in iPhone XS Max (iOS 12.1) Emulator if it helps at all.

Also, one small request. Would it be possible to have mkcert display the current version it's running? I think I have the right binary in my GOPATH for mkcert. I checked the src and it had the latest commit from master branch but was unable to tell which version of binary I was running apart from checking the "modified date" of the binary.

I love the simplicity of this tool if I haven't mentioned that already. 😃

[Epho]

Anyone else still having issues? I just installed the latest mkcert and am unable to see the cert in "Certificate Trust Settings". I tried uninstalling, deleting the root, and regenerating, for good measure, but no dice.

[FiloSottile]

@Epho Please open a new issue and we'll look into it!