## Obsolete content removed on the 2018-11-05
## New content translated from French original text. FD
## 20210714 AK
----
[[HowToDocuments/iOSCertificateImport/CZ|česky]] | [[HowToDocuments/iOSCertificateImport/DE|deutsch]] | '''english''' | [[HowToDocuments/iOSCertificateImport/FR|français]] | --- [[HowToDocuments|more step-by-step descriptions]]
----
{{{#!wiki note
Work in progress.
<<BR>>
The content still has to be rewritten in good English; it originates from a [[HowToDocuments/iOSCertificateImport/FR|tutorial written in French]].
<<BR>>
A temporary document is available on [[https://translate.google.fr/translate?sl=fr&tl=en&js=y&prev=_t&hl=fr&ie=UTF-8&u=http%3A%2F%2Fwiki.cacert.org%2FHowToDocuments%2FiOSCertificateImport%2FFR&edit-text=|Google Docs]].
}}}
= Import and activate CAcert root certificates on iOS =
This guide describes how to '''import''' CAcert root certificates into a mobile device running '''iOS''', so that CAcert will be recognized as a '''trusted''' CA by this device. Thus, the operating system and the installed applications will '''accept''' all the client and server certificates '''signed''' by CAcert by means of one or the other of its root certificates.
<<BR>>
As you probably already know, CAcert makes ''two'' root certificates available to the public:
<<BR>>
|| '''Root CA''' SHA256 ||<)> Class 1 root certificate, self-signed using the SHA256 algorithm||<(> SN 0x00000F (15)||
|| '''Class 3 Root''' SHA256 ||<)> Class 3 intermediate root certificate, signed by Root CA with the SHA256 algorithm||<(> SN 0x00000E (14)||
<<BR>>
Since the ''class 3'' certificate is signed by the ''class 1'' certificate, it is sufficient to tell iOS that you trust the class 1 certificate; iOS then automatically trusts the class 3 certificate as well. Only the class 1 root certificate, which is self-signed and therefore does not derive its validity from any other certificate, requires this explicit confirmation from the user.
It obviously remains necessary to manually import both root certificates onto the mobile device.
<<BR>>
== iOS - Import and activate ==
Apple's operating system has its own logic and makes it necessary to distinguish two stages:
* '''1^st^ step - the import''' of certificates into the device: this means downloading each of the two certificates and then accepting its installation; at the end of this step, the certificates are available and '''verified''', but are not yet '''usable''';
* '''2^nd^ step - activating''' the class 1 root certificate on the device: this means explicitly '''designating''' the self-signed root certificate as "'''fully trusted'''"; at the end of this step, the operating system and applications will be able to use it, and will automatically extend this trust to the Class 3 intermediate certificate.
The user performs these two steps through different screens in the settings of the device.
<<BR>>
=== Importing certificates ===
To import CAcert Class 1 and 3 root certificates, simply go to the CAcert website using the device's Internet connection:
* launch the '''Safari''' browser on your iPhone or iPad;
* display the web page from which to '''download''' '''Root CA''' SHA256 and '''Class 3 Root''' SHA256 certificates:
<<BR>>
|| '''Root CA''' SHA256 ||<)> [[http://www.cacert.org/index.php?id=3|Choose the class 1 root certificate in PEM format]]||[[http://www.cacert.org/certs/root_X0F.crt|Direct download]]||
|| '''Class 3 Root''' SHA256 ||<)> [[http://www.cacert.org/index.php?id=3|Choose the class 3 intermediate certificate in PEM format]]||[[http://www.cacert.org/certs/class3_x14E228.crt|Direct download]]||
<<BR>>
* from the '''Safari''' browser window, tap the download '''hyperlink''';
* in response to the questions from iOS, '''agree''' to install the certificate, each time choosing the answer that leads to the next screen.
<<BR>>
* For example, let's first import the '''Class 3 Root''' certificate:
<<BR>>
||<:>{{attachment:iOS_Step#1a-1_small.png}}||<:>{{attachment:iOS_Step#1a-2_small.png}}||
||<:>'''Click on<<BR>>''Install'''''||<:>'''Enter the PIN code<<BR>>of the device'''||
<<BR>>
||<:>{{attachment:iOS_Step#1a-4_small.png}}||<:>{{attachment:iOS_Step#1a-5_small.png}}||
||<:>'''Click again on<<BR>>''Install'''''||<:>'''The ''Class 3 Root'' certificate is installed<<BR>>but not ''verified'' yet'''||
Note: iOS does not grant "verified" status to the '''Class 3 Root''' intermediate root certificate until the '''Root CA''' top root certificate has also been imported.
<<BR>>
* Repeat the same procedure, this time to import the '''Root CA''' certificate:
<<BR>>
||<:>{{attachment:iOS_Step#1b-1_small.png}}||<:>{{attachment:iOS_Step#1b-2_small.png}}||
||<:>'''Click on<<BR>>''Install'''''||<:>'''Enter the PIN code<<BR>>of the device'''||
<<BR>>
||<:>{{attachment:iOS_Step#1b-4_small.png}}||<:>{{attachment:iOS_Step#1b-5_small.png}}||
||<:>'''Click again on<<BR>>''Install'''''||<:>'''The ''Root CA'' certificate is installed<<BR>>and actually ''verified'''''||
<<BR>>
* You can view the list of '''already installed''' certificates at any time by returning to the control panel accessible under '''Settings''' -> '''General''' -> '''Profiles'''.
<<BR>>
||<:>{{attachment:iOS_Step#1c-1_small.png}}||<:>{{attachment:iOS_Step#1c-2_small.png}}||<:>{{attachment:iOS_Step#1c-3_small.png}}||
||<:>'''The ''Profiles'' configuration panel<<BR>>lists the installed certificates'''||<:>'''The ''Class 3 Root'' certificate<<BR>>appears ''verified'''''||<:>'''The ''Root CA'' certificate<<BR>>appears ''verified'''''||
The '''Class 3 Root''' certificate automatically obtains the ''verified'' status as soon as the '''Root CA''' certificate has also been imported.
<<BR>>
The same procedure must be repeated for each certificate individually; it does not matter which one is imported first.
<<BR>>
=== Enable the class 1 root certificate ===
The next step in making the certificates usable by the operating system and applications is to tell iOS that you '''trust''' the '''Root CA''' Class 1 certificate.
To do so:
* open the control panel accessible under '''Settings''' -> '''General''' -> '''About''' -> '''Certificate Trust Settings''';
* the name of the Root CA certificate you just imported '''appears on this screen'''; because trust in Class 3 Root follows mechanically from trust in Root CA, the control panel does not show the name of the Class 3 Root certificate;
* flip the switch to the '''green position''' to confirm to iOS your '''full trust''' in the CAcert root certificate.
<<BR>>
||<:>{{attachment:iOS_Step#2-1_small.png}}||<:>{{attachment:iOS_Step#2-2_small.png}}||<:>{{attachment:iOS_Step#2-3_small.png}}||
||<:>'''Access the control panel<<BR>>''Certificate Trust Settings'''''||<:>'''Agree to trust the certificate<<BR>>despite the strong warning'''||<:>'''Procedure completed<<BR>>successfully!'''||
<<BR>>
From that moment on, the CAcert CA is recognized on your mobile device with the same degree of trust as any of the other CAs whose certificates are pre-installed.
<<BR>>
== Troubleshooting ==
If the ''Certificate Trust Settings'' control panel in the device settings does not display the name of the Root CA certificate, check that the certificate actually imported in the previous step is the Root CA SHA256 certificate and not the Root CA MD5 certificate, the latter now being obsolete. Although the two certificates are otherwise the same, recent versions of iOS and other operating systems do not allow the user to trust CAcert's root certificate when it is signed using the MD5 algorithm.
If '''Root CA MD5''' (with serial number 0x000000 (0)) has been imported by mistake, simply delete it from the control panel accessible under '''Settings''' -> '''General''' -> '''Profiles''' and restart the procedure for downloading, installing and trusting the same certificate, this time taking care to choose '''Root CA SHA256''' (with serial number 0x00000F (15)).
<<BR>>
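The SHA256/MD5 mix-up described under Troubleshooting can be caught on a computer before the file is installed. The following is an added example, not part of the original CAcert guide: it reads the serial number and signature algorithm from a certificate file using only the Python standard library. The function names and the sample bytes are constructed for illustration; the serial numbers 15 and 0 are the ones given on this page.

```python
import ssl

# DER-encoded OIDs of the two signature algorithms named in Troubleshooting.
SIG_ALGS = {
    bytes.fromhex("2a864886f70d01010b"): "sha256WithRSAEncryption",
    bytes.fromhex("2a864886f70d010104"): "md5WithRSAEncryption",
}

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def describe(der):
    """Return (serial number, signature algorithm) of a DER X.509 certificate."""
    _, cert, _ = read_tlv(der, 0)        # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)        # tbsCertificate SEQUENCE
    tag, body, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                      # optional [0] version field: skip it
        tag, body, pos = read_tlv(tbs, pos)
    _, alg, _ = read_tlv(tbs, pos)       # signature AlgorithmIdentifier
    _, oid, _ = read_tlv(alg, 0)
    return int.from_bytes(body, "big"), SIG_ALGS.get(oid, "other:" + oid.hex())

def is_current_root(der):
    """True only for serial 15 signed with SHA-256 (the Root CA to import)."""
    return describe(der) == (15, "sha256WithRSAEncryption")

def load(path):
    """Read a downloaded .crt file (PEM or DER) and return DER bytes."""
    with open(path, "rb") as f:
        data = f.read()
    if data.lstrip().startswith(b"-----BEGIN CERTIFICATE"):
        return ssl.PEM_cert_to_DER_cert(data.decode("ascii").strip())
    return data

def sample(serial, oid_hex):
    """Constructed input: only the leading certificate fields, no key or signature."""
    tlv = lambda tag, content: bytes([tag, len(content)]) + content
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(0x05, b""))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial])) + alg)
    return tlv(0x30, tbs + alg)

if __name__ == "__main__":
    for der in (sample(15, "2a864886f70d01010b"), sample(0, "2a864886f70d010104")):
        print(describe(der), "import" if is_current_root(der) else "do not import")
```

For a real file, call `is_current_root(load(path))` on the downloaded Root CA certificate; a result of `False` with serial 0 and `md5WithRSAEncryption` corresponds to the obsolete Root CA MD5 certificate.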
== Relevant iOS versions ==
This guide has been written for '''iOS''' versions '''11''' and '''12'''.
----
. CategoryTutorials
. CategoryStepByStep