Troubleshooting Self-Signed Certificate Issues in iOS 13

Introduction

In the world of mobile app development, secure communication between the app and its server or backend is crucial. One way to achieve this security is by using a trusted Certificate Authority (CA). A CA is an entity that issues digital certificates to organizations or individuals, which are used to establish trust between two parties over a network. In iOS, self-signed CAs were once considered trusted, but with the release of iOS 13 and macOS 10.15, Apple has introduced new requirements for trusted certificates.

In this blog post, we’ll delve into the world of digital certificates, explore how iOS 13 changed the game, and provide a step-by-step guide on how to fix self-signed CA issues in iOS 13.

Understanding Digital Certificates

Before we dive into the specifics of iOS 13, let’s take a moment to understand the basics of digital certificates. A digital certificate is an electronic document that verifies the identity of a person or organization and their claim about a particular piece of information, such as their name, email address, or public key.

A digital certificate typically consists of three main components:

  1. Subject: The entity (person or organization) to whom the certificate is issued.
  2. Issuer: The Certificate Authority that issued the certificate.
  3. Public Key: A unique identifier used to encrypt and decrypt data exchanged between two parties over a network.

When an app connects to a server, it presents its public key to the server. If the server has a digital certificate with a matching public key, it verifies the certificate’s signature using a cryptographic algorithm (like SHA-1 or RSA) embedded in the certificate. The verification process ensures that the data was not tampered with during transmission.

iOS 13 and Trusted Certificates

In iOS 12, self-signed certificates were trusted by default. However, with the release of iOS 13 and macOS 10.15, Apple introduced new requirements for trusted certificates. These changes aimed to improve security and prevent man-in-the-middle (MITM) attacks.

Key changes in iOS 13 include:

  • RSA keys must be at least 2048 bits.
  • SHA-1 is no longer supported as a signature algorithm; only SHA-256, SHA-384, and SHA-512 are allowed.
  • The use of intermediate CA certificates is also restricted.

As a result, self-signed certificates issued before iOS 13 may no longer be trusted by default in newer iOS versions.

Troubleshooting Self-Signed Certificate Issues

If you’re facing issues with your self-signed certificate after upgrading to iOS 13, try the following troubleshooting steps:

Step 1: Verify Your Certificate Chain

Verify that your certificate chain is complete and that it includes an intermediate CA. You can do this by checking the certs folder in Xcode or using a tool like OpenSSL.

# Check for missing intermediate CAs (send the hostname via SNI so the server returns the right certificate)
openssl s_client -connect <server-host>:443 -servername <server-host> -showcerts

The certificate chain the server sends is printed at the top of the output; each intermediate CA should appear there, after the server's own certificate.

Step 2: Update Your Certificate

If your certificate doesn’t meet the new requirements, update it to include a valid SHA-256 signature and an RSA key of at least 2048 bits. You can use tools like OpenSSL or OpenSSL-Config to generate and sign your certificate.

# Generate a new 2048-bit RSA key and a certificate signing request
openssl req -newkey rsa:2048 -nodes -keyout <private-key> -out <cert-file>.csr -subj "/C=US/ST=State/L=Locality/O=Organization/CN=www.example.com"
# Self-sign the request with SHA-256; the -extfile config supplies the X.509 v3 extensions
openssl x509 -req -sha256 -days 365 -in <cert-file>.csr -signkey <private-key> -extfile <openssl-config> -out <cert-file>.crt

Step 3: Rebuild Your App

After updating your certificate, rebuild your app to ensure that it uses the new certificate in its code.
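As an added check that automates the verification behind Steps 1 and 2 (example code, not from the original post), the script below parses the text dump that `openssl x509 -noout -text` prints and reports which iOS 13 requirements a certificate misses. The key-size and signature-hash rules are the ones listed above; the 825-day validity limit and the Subject Alternative Name requirement come from Apple's published iOS 13 requirements and are included as a generalisation. `check_cert_file` assumes the `openssl` binary is on PATH; all function names are my own.

```python
import re
import subprocess
from datetime import datetime

# Thresholds from Apple's iOS 13 / macOS 10.15 requirements: key size and hash
# are the rules this post lists; the 825-day and SAN rules come from the same
# Apple support note and are included as a generalisation.
MIN_RSA_BITS = 2048
ALLOWED_HASHES = ("sha256", "sha384", "sha512")
MAX_VALIDITY_DAYS = 825

def parse_cert_text(text):
    """Extract the fields we care about from `openssl x509 -noout -text` output."""
    def when(label):
        m = re.search(label + r"\s*:\s*(.+?)\s*GMT", text)
        return datetime.strptime(" ".join(m.group(1).split()), "%b %d %H:%M:%S %Y") if m else None
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)
    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    san = re.search(r"Subject Alternative Name:[^\n]*\n([^\n]*)", text)
    return {
        "sig_alg": sig.group(1).lower() if sig else "",
        "is_rsa": "Public Key Algorithm: rsaEncryption" in text,
        "key_bits": int(bits.group(1)) if bits else 0,
        "not_before": when("Not Before"), "not_after": when("Not After"),
        "san_dns": bool(san and "DNS:" in san.group(1)),
    }

def ios13_problems(text):
    """Return the reasons iOS 13 would refuse to trust this certificate ([] if none)."""
    c = parse_cert_text(text)
    problems = []
    if c["is_rsa"] and c["key_bits"] < MIN_RSA_BITS:
        problems.append(f"RSA key is {c['key_bits']} bits; need at least {MIN_RSA_BITS}")
    if not any(h in c["sig_alg"] for h in ALLOWED_HASHES):
        problems.append(f"signature algorithm {c['sig_alg']!r} is not SHA-256/384/512")
    if c["not_before"] and c["not_after"]:
        days = (c["not_after"] - c["not_before"]).days
        if days > MAX_VALIDITY_DAYS:
            problems.append(f"valid for {days} days; maximum is {MAX_VALIDITY_DAYS}")
    if not c["san_dns"]:
        problems.append("no DNS name in Subject Alternative Name (CN alone is not enough)")
    return problems

def check_cert_file(path):
    """Run openssl (assumed on PATH) on a PEM file and evaluate its text dump."""
    out = subprocess.run(["openssl", "x509", "-in", path, "-noout", "-text"],
                         capture_output=True, text=True, check=True).stdout
    return ios13_problems(out)
```

Run `check_cert_file("<cert-file>.crt")` against the certificate produced in Step 2; an empty list means every rule above is satisfied.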

Best Practices for Trusted Certificates

To avoid issues with trusted certificates in iOS 13 and future versions:

  • Use a valid intermediate CA if you’re using an SSL/TLS library like OpenSSL.
  • Ensure that your certificate meets Apple’s requirements, including a minimum RSA key size of 2048 bits and SHA-256 as the signature algorithm.
  • Test your app thoroughly with different iOS versions to catch any potential issues.

Conclusion

In this article, we explored how iOS 13 changed the game for trusted certificates. We took you through the basics of digital certificates, explained the new requirements iOS 13 introduced, and provided step-by-step guidance on troubleshooting self-signed CA issues. By following these best practices and understanding Apple’s requirements, you can ensure that your app communicates securely with users on iOS 13 or newer versions.

Additional Resources

For more information about trusted certificates in iOS 13 and macOS 10.15:

Frequently Asked Questions

Q: What is a digital certificate? A: A digital certificate is an electronic document that verifies the identity of a person or organization and their claim about a particular piece of information, such as their name, email address, or public key.

Q: How does a self-signed certificate work? A: A self-signed certificate is verified using a cryptographic algorithm (like SHA-1 or RSA) embedded in the certificate. The verification process ensures that the data was not tampered with during transmission.

Q: What are intermediate CAs? A: Intermediate CAs are certificates issued by Certificate Authorities to organizations or individuals, which serve as bridges between the root CA and the end-user’s device.

Q: How do I troubleshoot self-signed certificate issues in iOS 13? A: Follow the troubleshooting steps outlined in this article, including verifying your certificate chain, updating your certificate, and rebuilding your app.


Last modified on 2024-01-02