iOS 13 Self Signed SSL certificate updates in Mail

I can confirm that it IS possible to get a self-signed certificate working well with iOS 13.2.3 Mail, Calendars (when using CalDAV) and Contacts (when using CardDAV).

It took me a lot of trial and error. The two parts to the task are 1) getting the new certificate right and 2) using the right way to get the certificate accepted by the iOS device.

I've described the detailed steps I used here: https://7402.org/blog/2019/new-self-signed-ssl-cert-ios-13.html. There are likely to be variations, depending on your server.

To get the certificate accepted, I found the convenient way for me was to email the .crt file to the iOS device, and then double-click the attached file in the email message. Then go to Settings, and proceed to the category for "Downloaded Profile" (which magically appears near the top) and install and trust it. Then, very important, you must also go to Settings App > General > About > Certificate Trust Settings and enable the certificate, as described in Trust manually installed certificate profiles in iOS and iPadOS - Apple Support.

If you see the dreaded Cancel / Details / Continue dialog at any point, it means the certificate was not installed correctly. Also, I found none of the buttons in that dialog useful for permanently accepting the cert.

To generate the certificate, I used the openssl command line utility on my Linux (CentOS 7) server; the steps are probably different for someone using an OS X server so I won't summarize the ones I used here. However, the best tip I can give is to use this openssl command afterwards to check the certificate:

openssl x509 -text -in example.crt -noout

You should see lines like this to verify that at least these two of the new requirements (Requirements for trusted certificates in iOS 13 and macOS 10.15 - Apple Support) have been met:

        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:example.com
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication

Use of self-signed-certificates on IPAd 13.1.2 is broken.

I used the same Certificate on iPhone (iOS 13.1.2), there the Account works.

1. Download your Certificate; i use to distribute the CERT with my webserver (*.crt works fine)
2. Import Certificate to Profiles, look @Settings/Profiles, enable the profile there
3. then go to Settings/Info/Certificate-Trust (bottom of page) to enable Trust of the Certificate
4. enable certificate trust
5. make a new mailaccount, choose, if you ask for, manual
6. make all settings, safe the setting (never look for details, there arn't any)

• on iPhone: green marks appearing
• on IPad: Failure (same OS Version)

Result: Account works on iPhone, not on iPad

Sometimes it is not a question of certificate (only a bug in iOS).

:-)

In SAFARI, booth devices are working (website with self-signed-cert shows no warning .

Disclaimer: I am NOT an openssl, TLS, SSL, or security expert of any kind. I cobbled the recipe below together yesterday, and it is working for my needs. It may not be secure, use at your own risk, flames about my ignorance cheerfully ignored.

Thanks to Celia, I got it done using openssl. Here's what I did:

1. Made a simple config text file using an example from another post and hints from here (fill in your details between the <brackets> to customize for your use):

csr_details.txt

[req]

prompt=no

req_extensions=req_ext

distinguished_name=dn

[dn]

C=<your country code, e.g. US>

ST=<your state or region name>

L=<your city or town>

O=<your organization name>

OU=<any sub name like a division of your organization>

emailAddress=postmaster@<your domain>

CN=<server name you will point your email clients at>

[req_ext]

subjectAltName=@alt_names

[alt_names]

DNS.1=<server name you will point your email clients at>

Used this openssl command to generate cert and keyfile - I use dovecot as my IMAP server, hence the names - you can pick your own names:

openssl req -newkey rsa:2048 -sha256 -x509 -new -days 824 -nodes -out certs-dovecot.pem -keyout key-dovecot.pem -config <( cat csr_details.txt )

I copied the two files to my Linux server, then as root I stopped dovecot with /etc/init.d/dovecot stop, mv'd certs-dovecot.pem to /usr/share/ssl/certs/dovecot.pem (change this path for your IMAP server particulars), mv'd key-dovecot.pem to /usr/share/ssl/private/dovecot.pem (again, change path as required), made sure both files were owned by root and chmod'd to 400 to be read only by root. Then I restarted dovecot with /etc/init.d/dovecot start.

Next, on my Mac, I used Keychain Access to import certs-dovecot.pem. I right clicked on it and selected Get Info. I then opened the Trust menu in the window that popped up and selected the top Always Trust option. That got it working on my Mac.

I then attached certs-dovecot.pem to an email on another, working, Gmail account and mailed it to myself. I followed Celia's instructions above, with ONE change - I had to power cycle my iPhone after Step 4, then continued at 5, in order to get the all-important Continue option.

HTH, YMMV

I´ve noticed the same problem with selfigned cerificate on Kerio Connect mail server. It appeared with iOS 13.

I´ve found out a work-arround by erasing the mail account on the phones and create new accounts without using SSL (the phone suggested that). Only shutting SSL of did not work. It is off course no good (safe) sollution so I´m looking faward to the next iOS (using 13.1.2 now...)

Even with an updated certificate you'll need to delete the account off of your device, restart, then re-enter your account information. You'll be presented with the familiar " Continue Details Cancel" dialogue box. The "Details" button still does nothing, but hitting "Continue" will let you proceed with SSL active.

That advice was given in another one of these mail certificate threads. After a restart the old cert seems to be cleared out.

I'm seeing the same problem independently of OSX server. The "Details" pop-up window isn't being called by the button, or not visibly rendering in iOS 13.

Oh that's brilliant. I wish that I'd known that this would work two days ago. Thank you!

How can I get my iphone to trust a self signed certificate?

The details on the error popup doesn't work and have no option to trust anyway.