This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Deploy https certificate to iOS

We deploy an iOS configuration file to all of our iOS devices. Included in the iOS config file are our certificates from our CA. It includes a user certificate for Exchange authentication and authentication to our wireless via RADIUS. In all offices users automatically authenticate to the wireless from their iOS device.

We have also deployed the Proxy CA certificate from the UTM as we have the https filtering set to scan and decrypt on our wireless network. The https certificate is deployed to all of our laptops and works with no issues.

However, on the iOS devices we still get the warning that the site certificate cannot be verified and with some sites the navigation just stops. Has anyone else seen this or have any ideas on deploying this to an iOS device?


This thread was automatically locked due to age.
Parents
  • I have the exact same issue as collinsandlacy did a few years ago.  I have been using UTM for years, but I never bothered with HTTPS scanning until I got married and had a teenager move into the house.  Now we need to ensure that things aren't being done that shouldn't be done.

     

    With that said, I have enabled Decrypt and Scan, and I have imported the Web Filtering CA into my iPhone.  Everything says that it installed properly, but I still cannot get to any modern search engine from my phone... https://www.google.com, https://www.bing.com, https://www.duckduckgo.com, etc., etc.

     

    Any help with with HTTPS scanning and iOS would be GREATLY appreciated.

     

    I am running UTM 9.51 and iOS 11.4.

     

    Thank you!

  • Maybe my answer comes too late, but anyway.

    It is NOT enough to import the certificate. After installing which is a simple click on the User Portal, import, confirm, etc ... you have to go to Settings -> General -> Information -> SCROLL TO THE BOTTOM ... last command should be “Configurations Certificate Trust” ... go in there and ENABLE it.

    This did the trick for me.

    Regards,

  • Hi mircevski

    No, not at all too late; really rather astonishingly fortuitous timing, in fact! :-)

    I did not need that additional step with my iPhone 4, but I have recently procured an iPhone 6 (£99 and it has a nice new screen) so I'm now on a current iOS version. Of course, one of the first things that I did was to add my dodgy CA, but I didn't even bother to then actually test it - I just assumed that it would be working - and then whilst doing my daily forum browse, I spotted your above tip. Anyhow, I just tried the iPhone browser and sure enough, it was not actually working, so I've performed the above additional step and all is now well. Thank you very much for posting that and as I say, it was mighty fine timing, too!

    Kind regards,
    Briain

  • Hi,

    Always glad to help, since I had a hard time myself when implementing this.

    Cheers,

  • Hi Folks

    Curiously, I looked at my e-mail using my iPhone 8 this morning, and after clicking on the Sophos Naked Security e-mail link to the article about a Raspberry Pi being blasted into space and sending back a video of the earth (who could resist a headline like that?) I was surprised to be presented with a site trust issue. Looking at my phone's settings (Settings -> General), I immediately spotted that the 'Profile' section was no longer populated with my [UTM generated] CA entry. I can't be sure when it was deleted, but my guess was that the recent update to iOS 12.4.1 was the culprit (to be honest, I thought I'd used the phone for www brosing since then, but I cannot be certain and that seems the most logical explanation for its demise). 

    Anyhow, whatever the reason for my CA deletion from its root store, when re-doing things I noticed that the path to the 'enabling it' section has very slightly changed from the one noted mircevskis's post, so just a brief note for anybody else who needs to re-import their CA in an iOS 12.4.1 iThing, it is now as described below (with the bold word highlighting the minor change):

    1. Download the cacert.pem file in the usual way (via entering http://passthrough.fw-notify.net/cacert.pem into Safari).

    2. Navigate to: Settings -> Profile <My downloaded CA> then at the top of that setting page, select the 'Install' option (then you'll be prompted for your iOS password) and after a couple more 'install' prompts, it'll eventually show it as being installed (and you'll see 'Verified' and a tick, both in a green font) so thus far, the process is the same as it previously was.

    3. Now you have to navigate to Settings -> General -> About -> Certificate Trust Settings (then toggle the switch to enable it).

    All the best to all!

    Bri :-)

Reply
  • Hi Folks

    Curiously, I looked at my e-mail using my iPhone 8 this morning, and after clicking on the Sophos Naked Security e-mail link to the article about a Raspberry Pi being blasted into space and sending back a video of the earth (who could resist a headline like that?) I was surprised to be presented with a site trust issue. Looking at my phone's settings (Settings -> General), I immediately spotted that the 'Profile' section was no longer populated with my [UTM generated] CA entry. I can't be sure when it was deleted, but my guess was that the recent update to iOS 12.4.1 was the culprit (to be honest, I thought I'd used the phone for www brosing since then, but I cannot be certain and that seems the most logical explanation for its demise). 

    Anyhow, whatever the reason for my CA deletion from its root store, when re-doing things I noticed that the path to the 'enabling it' section has very slightly changed from the one noted mircevskis's post, so just a brief note for anybody else who needs to re-import their CA in an iOS 12.4.1 iThing, it is now as described below (with the bold word highlighting the minor change):

    1. Download the cacert.pem file in the usual way (via entering http://passthrough.fw-notify.net/cacert.pem into Safari).

    2. Navigate to: Settings -> Profile <My downloaded CA> then at the top of that setting page, select the 'Install' option (then you'll be prompted for your iOS password) and after a couple more 'install' prompts, it'll eventually show it as being installed (and you'll see 'Verified' and a tick, both in a green font) so thus far, the process is the same as it previously was.

    3. Now you have to navigate to Settings -> General -> About -> Certificate Trust Settings (then toggle the switch to enable it).

    All the best to all!

    Bri :-)

Children
No Data