15/03/16 22:33
Five Tips for Using Self Signed SSL Certificates with iOS
SSL certificates are relatively cheap to purchase, but sometimes it would be easier if
you could create your own. You might need to set up SSL on development and test
servers that have different host names or on systems that will only ever be accessed
on your local network.
Self-signed SSL certificates allow you to quickly create certificates for free, without
having to pay a Certificate Authority (CA) or comply with any auditing requirements.
The downside of using self-signed certificates is that browsers will not automatically
trust sites that use them. In Mobile Safari you would see an error like this:
https://blog.httpwatch.com/2013/12/12/five-tips-for-using-self-signed-ssl-certificates-with-ios/
The rest of this post provides tips on how to set up iOS to avoid these errors and how
to simplify the creation and management of self-signed certificates.
This would allow you to open the site in Safari, but there are two significant downsides:
1. Accepting the certificate in Safari just adds an SSL exception that prevents Safari
from warning you about the site. It doesn't install the certificate as a trusted certificate
on iOS. Any other apps (e.g. Chrome, HttpWatch, etc.) on the device will still fail
to connect to the site.
2. Once the SSL exception is added there doesn't seem to be a way to remove it in
iOS 7. In previous versions going to Settings->Safari and selecting Clear Cookies
and Data would delete it. This no longer seems to work in iOS 7 (please leave a
comment if you know how to do this).
Then select Install to add the certificate. Once you've done this you can use the certificate
without warnings in Safari or other iOS apps that use the device's keychain.
Also, unlike Safari SSL exceptions, you can access the certificate at any time in
Settings->General->Profiles and remove it if required:
Apple provides an iPhone configuration utility for Mac and PC that can also install
certificates. This would be a better option where email is not available or you have a
larger number of iOS devices to manage.
Unfortunately, IIS uses the computer name as the host name in the certificate:
In most cases the computer name will not match the intended host name and you end
up with a self-signed certificate that is never trusted even when it is added to iOS:
It's possible to fix this problem by installing and running the SelfSSL tool from the IIS 6
Toolkit. However, it's probably easier just to use OpenSSL as described in the next tip.
You can use any filenames you like for the key and certificate (.cer) files. The /CN
There's even a site to do this if you don't feel like downloading OpenSSL, but of course
it's more secure to do it yourself.
On Apache servers the key and certificate file can be used directly in your SSL
configuration. With IIS you need a PFX file so that you can import the certificate into
the Server Certificates section of IIS. OpenSSL can create the PFX file for you as well:
openssl pkcs12 -export -out myselfsigned.pfx -inkey myselfsigned.key -in myselfsigned.cer
The certificate file (myCA.cer) created above can be publicly shared and installed on
iOS or other OSs to act like a built in trusted root CA. Custom CA certificates on iOS
are also stored in General->Settings->Profile:
The private key file (myCA.key) is only used when creating new SSL certificates.
You can create as many certificates as you like based on this CA certificate. There's an
extra step involved because you have to create a CSR (Client Signing Request) as if
you were purchasing a commercial SSL certificate.
First you would create a private key:
openssl genrsa -out mycert1.key 2048
The certificate created (mycert.cer) can be installed on a web server and accessed
from any iOS device that already has the CA certificate installed.
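The CA workflow described in this tip, as an added example that is not from the original post: it creates the CA key and certificate (myCA.key, myCA.cer), signs a CSR for a server key, then checks the chain, host name and signature hash before anything is installed. The host name dev.example.test, the CA subject, the validity periods and the mycert1.req/mycert1.ext file names are assumptions; the subjectAltName entry is included because current TLS clients match the host name against it rather than the CN.

```shell
#!/bin/sh
# Added example, not from the original post. Host name, CA subject, validity
# periods and the .req/.ext file names are assumptions.

# Create a private CA and one server certificate signed by it, in directory $2.
make_ca_and_cert() (
    host="$1"
    cd "$2" || exit 1
    # CA private key (only needed when signing) and the self-signed CA
    # certificate that gets installed on the iOS devices.
    openssl genrsa -out myCA.key 2048 2>/dev/null || exit 1
    openssl req -x509 -new -sha256 -key myCA.key -out myCA.cer \
        -days 730 -subj "/CN=My Custom CA" || exit 1
    # Server private key and CSR; the CN is the host name clients will use.
    openssl genrsa -out mycert1.key 2048 2>/dev/null || exit 1
    openssl req -new -sha256 -key mycert1.key -out mycert1.req \
        -subj "/CN=$host" || exit 1
    # Sign the CSR with the CA key and add the host name as a SAN entry.
    printf 'subjectAltName=DNS:%s\n' "$host" > mycert1.ext
    openssl x509 -req -sha256 -in mycert1.req -out mycert1.cer -days 365 \
        -CA myCA.cer -CAkey myCA.key -CAcreateserial \
        -extfile mycert1.ext 2>/dev/null || exit 1
)

# Succeeds only if mycert1.cer in directory $2 chains to myCA.cer AND is
# valid for host name $1 (the mismatch case behind the IIS problem above).
verify_host() (
    cd "$2" || exit 1
    openssl verify -CAfile myCA.cer -verify_hostname "$1" mycert1.cer \
        >/dev/null 2>&1
)

# Print the signature algorithm of mycert1.cer in directory $1, to confirm
# that -sha256 took effect.
sig_alg() (
    cd "$1" || exit 1
    openssl x509 -in mycert1.cer -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
)

work=$(mktemp -d)
make_ca_and_cert dev.example.test "$work" &&
    verify_host dev.example.test "$work" &&
    echo "mycert1.cer chains to myCA.cer, signed with $(sig_alg "$work")"
```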
UPDATED September 24th, 2015: The OpenSSL certificate creation commands now
include the -sha256 flag to avoid browser warnings about the use of SHA1. This tip
was provided in a comment by Giancarlo Gomez. Thanks!