iOS 18 Bug - Certificate Trust Settings for Private Root Certificates Not Available

Importing an existing self-signed trusted root certificate no longer triggers the option to trust the cert in Settings / About / Certificate Trust Settings in iOS 18.

Cert installed manually from internal website, as email attachment, and using profile in Configurator all produce the same result.

Same cert and processes work on iOS 16.7.10, iOS 17.6.1 and iPadOS 18.0.

But not on iOS 18.0 nor beta iOS 18.1 beta5 on iPhone 16.

Also tried regenerating a new test root on macOS Sonoma and installing using Configurator. No difference.

It’s broken - I’ve reported it by Feedback - it’s a vital security flaw.

Anyone else see this or have a workaround?

Answered by DTS Engineer in 811930022

A quick update…

First up, thanks for all the bug reports!

Based on your bugs we think we understand what’s happening here. As folks have noted on this thread, it seems to be related to updating from iOS 16 or earlier, either directly or from a restored backup. The system is not correctly handling the migration from an older form of its internal data structures.

Most folks don’t see this because they’re updating from iOS 17, and the migration works correctly in that case.

And just to head off the inevitable follow-up question… I don’t have any info to share as to when this will be fixed. All I can say right now is that the bug is still present in the latest iOS 18.2b1 seed (22C5109p).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

A different scenario and maybe a clue to what's broken in the Mail app?

I have an iPhone16Pro that was configured from a backup of an iPhone15Pro running iOS 17.7 with the same problem. Removing the mail accounts and restarting the phone did not work. Erasing all data and starting from fresh did not work.

I'm trying to connect to a dovecot instance with a cert signed by my own root certificate.

I then created a profile with those certs and installed it on the phone that had been restored once again from the iOS17.7 backup and had the mail account removed and the phone rebooted. After I installed the profile, I can see and have enabled my root cert in the Certificate Trust Settings on the phone.

When I add the Mail account, it negotiates the SSLv3/TLSv1.3 successfully. However, when the app tries to get mail, the mail server still gets the error code indicating that the client doesn't trust the certificate.

Note: The certs continue to work with Thunderbird as the mail client on macOS Sequoia 15.0.1.

I had a similar problem, but it was solved, and the root cause was the system configuration, not the certificate.

Based on your bugs we think we understand what’s happening here. As folks have noted on this thread, it seems to be related to updating from iOS 16 or earlier, either directly or from a restored backup. The system is not correctly handling the migration from an older form of its internal data structures [...] … I don’t have any info to share as to when this will be fixed [...]

Glad to hear you found the root cause on your side. Take the time to properly fix it, no worries. Let us know if you need additional input.

I would also like to thank you for your open communication regarding the problem and bringing awareness of it to the developer team!

I can not add a cert generated by lets-encrypt. I assume this is the same issue as described here?

Thanks

Hey forum people, I was wondering if this is still an issue in iOS 18.1 and if it is how or if I fix it on my iPhone 15? I am happy to answer any and all questions concerning this issue. Thank you for taking the time to answer my question.

I can not add a cert generated by lets-encrypt. I assume this is the same issue as described here?

No. This thread is about adding trusted root certificates. You might, for example, want to do this if you’re managing a large organisation and you want to run an internal CA that issues certificates for your internal infrastructure.

Let’s Encrypt issues leaf certificates for servers on the public Internet. Its root certificate is trusted by default.

I was wondering if this is still an issue in iOS 18.1

Quoting myself here:

All I can say right now is that the bug is still present in the latest iOS 18.2b1 seed (22C5109p).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

In case some see those errors in dovecot logs, it seems related to this issue: SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown: SSL alert number 46

Strongly awaiting a resolution!
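
Added example, not part of the thread or of any poster's code: a mail server administrator can tally certificate-related TLS alerts per client address in dovecot login logs to see which devices are rejecting the server certificate. The log lines below are constructed samples, and the `rip=` field layout is an assumption about the local log format.

```python
import re
from collections import defaultdict

# Certificate-related TLS alert descriptions (RFC 8446, section 6).
CERT_ALERTS = {
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}

ALERT_RE = re.compile(r"SSL_accept\(\) failed: .*?SSL alert number (\d+)")
RIP_RE = re.compile(r"\brip=([0-9A-Fa-f:.]+)")  # remote (client) address

# Constructed sample lines (documentation IP ranges), not real log data.
SAMPLE_LOG = """\
Oct 21 09:14:02 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.10, lip=192.0.2.1, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown: SSL alert number 46, session=<aaaa>
Oct 21 09:14:09 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.10, lip=192.0.2.1, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown: SSL alert number 46, session=<bbbb>
Oct 21 09:15:30 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.20, lip=192.0.2.1, TLS, session=<cccc>
Oct 21 09:16:41 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=198.51.100.7, lip=192.0.2.1, TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48, session=<dddd>
Oct 21 09:17:05 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=203.0.113.5, lip=192.0.2.1, TLS handshaking: SSL_accept() failed: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version: SSL alert number 70, session=<eeee>
"""

def cert_alerts_by_client(log_text):
    """Return {client_ip: {alert_name: count}} for certificate-related alerts."""
    result = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        alert = ALERT_RE.search(line)
        if not alert:
            continue  # not a failed TLS handshake line
        number = int(alert.group(1))
        if number not in CERT_ALERTS:
            continue  # handshake failed for a non-certificate reason
        rip = RIP_RE.search(line)
        client = rip.group(1) if rip else "unknown"
        result[client][CERT_ALERTS[number]] += 1
    return {client: dict(alerts) for client, alerts in result.items()}

if __name__ == "__main__":
    for client, alerts in cert_alerts_by_client(SAMPLE_LOG).items():
        print(client, alerts)
```
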
