iOS 18 Bug -Certificate Trust Settings for Private Root Certificates Not Available

Importing an existing self- signed trusted root certificate no longer triggers option to trust cert in Settings / About / Certificate Trust Settings In iOS 18.

Cert installed manually from internal website, as email attachment, and using profile in Configurator all produce same result.

Same cert and processes work on iOS 16.7.10, iOS 17.6.1 and iPadOS 18.0

But not on iOS 18.0 nor beta iOS 18.1 beta5 on iPhone 16

Also tried regening a new test root on macOS Sonoma and installing using Configurator. No difference.

It’s broken - I’ve reported it by Feedback - it’s a vital security flaw.

Anyone else see this or have a workaround?

Answered by DTS Engineer in 815354022
After upgrading to iOS 18.2 b4, I can finally see the missing certificates in the Certificate Trust Settings

Yep. That gels with my expectations based on the resolution I see for the bug. Thanks for checking!

After upgrading to iOS 18.2 b4, I can finally see the missing certificates in the Certificate Trust Settings

Yeah, that’s a different, but obviously related issue. And so…

I submitted FB15921702

Thanks!

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

A different scenario and maybe a clue to what's broken in the Mail app?

I have an iPhone16Pro that was configured from a backup of an iPhone15Pro running iOS 17.7 with the same problem. Removing the mail accounts and restarting the phone did not work. Erasing all data and starting from fresh did not work.

I'm trying to connect to a dovecot instance with a cert signed by my own root certificate.

I then created a profile with those certs and installed it on the phone that had been restored once again from the iOS17.7 backup and had the mail account removed and the phone rebooted. After I installed the profile, I can see and have enabled my root cert in the Certificate Trust Settings on the phone.

When I add the Mail account, it negotiates the SSLv3/TLSv1.3 successfully. However, when the app tries to get mail, the mail server still gets the error code indicating that the client doesn't trust the certficate.

Note: The certs continue to work with Thunderbird as the mail client on macOS Sequoia 15.0.1.

I had a similar problem, but it was solved, and the root cause was the system configuration, not the certificate

A quick update…

First up, thanks for all the bug reports!

Based on your bugs we think we understand what’s happening here. As folks have noted on this thread, it seems to be related to updating from iOS 16 or earlier, either directly or from a restored backup. The system is not correctly handling the migration from an older form of its internal data structures.

Most folks don’t see this because they’re updating from iOS 17, and the migration works correctly in that case.

And just to head off the inevitable follow-up question… I don’t have any info to share as to when this will be fixed. All I can say right now is that the bug is still present in the latest iOS 18.2b1 seed (22C5109p).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Based on your bugs we think we understand what’s happening here. As folks have noted on this thread, it seems to be related to updating from iOS 16 or earlier, either directly or from a restored backup. The system is not correctly handling the migration from an older form of its internal data structures [...] … I don’t have any info to share as to when this will be fixed [...]

Glad to hear you found the root cause on your side. Take the time to properly fix it, no worries. Let us know if you need additional input.

I would also like to thank you for your open communication regarding the problem and bringing awareness of it to the developer team!

I can not add a cert generated by lets-encrypt. I assume this is the same issue as described here?

Thanks

Hey forum people, I was wondering if this is still an issue in iOS 18.1 and if it is how or if I fix it on my iPhone 15? I am happy to answer any and all questions concerning this issue. Thank you for taking the time to answer my question.

I can not add a cert generated by lets-encrypt. I assume this is the same issue as described here?

No. This thread is about adding trusted root certificates. You might, for example, want to do this if you’re managing a large organisation and you want to run an internal CA that issues certificates for your internal infrastructure.

Let’s Encrypt issues leaf certificates for servers on the public Internet. Its root certificate is trusted by default.

I was wondering if this is still an issue in iOS 18.1

Quoting myself here:

All I can say right now is that the bug is still present in the latest iOS 18.2b1 seed (22C5109p).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

in case some see those errors in dovcot logs, it seems related to this issue SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown: SSL alert number 46

Strongly waiting a resolution !

@DTS Engineer Any update regarding iOS 18.2b2?

Based on your bugs we think we understand what’s happening here. As folks have noted on this thread, it seems to be related to updating from iOS 16 or earlier, either directly or from a restored backup. The system is not correctly handling the migration from an older form of its internal data structures.

Most folks don’t see this because they’re updating from iOS 17, and the migration works correctly in that case.

I can confirm that one of my devices that had the issue was updated from iOS 17 to iOS 18. The device is still broken and I am trying every update available and still waiting for the OS update that fixes the issue.

Heads up @DTS Engineer because the issue is not only related to iOS 16 or earlier, so it could happen that folks are not spotting the issue but something different. Hope this nuance can help to solve the issue.

Thank you, Sergio.

Someone asked about this in a separate context so I figured I’d post a quick update here. Unfortunately there’s not much to say. Yesterday we started seeding iOS 18.2b3 (22C5131e) and it doesn’t contain the fix for this.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

We have had this same issue on 18.0, 18.0.1 and 18.1 when upgrading an iPhone and when pre-installed on a new iPhone. This blocks our customers from using our app. The only work around seems to be a factory reset, which is a very harsh thing to tell a customer.

More and more users are experiencing problems now. Will this issue be fixed in iOS 18.2 version?

Any update ?

It seems iOS 18 change something internal about CA security framework, when user update OTA from iOS 17, the CA cert no longer exits on “Certificate Trust Settings”

I do think it’s a huge bug regression, since iOS promised to allows user to upgrade to the latest version as quickly as possible, but this annoying bug is shipped to official iOS 18 version and non-QA test for this case.

The current ugly solution without totally reset the iPhone, is to edit the backup file via third-party Mac App to edit the sqlite database and plist file, which is more complicated for the end-user.

The ugly solution to use backup file and extract the old cert on your iPhone without jb

https://apple.stackexchange.com/questions/300203/how-can-i-delete-a-certificate-that-got-restored-from-a-backup-under-ios-10-11

Then, send this cert to your iPhone running iOS 18 and enable again, it should appears on Trust Setting page. You can remove it and reinstall with the new one.

iOS 18 Bug -Certificate Trust Settings for Private Root Certificates Not Available
 
 
Q