TL;DR: Navigate to Settings > General > About > Certificate Trust Settings and turn the switch on for your custom certificate.
Like many, Charles Proxy has become an indispensable part of my daily toolkit. Every person on my QA team uses it daily for their projects. Recently while testing on iOS 10.3, one of my team members couldn’t get his SSL traffic to proxy. Usually when somebody runs into this, it’s because the person hasn’t installed the Charles Proxy root certificate on the device they’re trying to proxy. Then why you try to proxy SSL traffic in Charles you’ll the following error: SSLHandshake: Received fatal alert: unknown_ca
Charles Proxy will even offer a helpful suggestion:
You may need to configure your browser or application to trust the Charles Root Certificate. See SSL Proxying in the Help menu.
iOS is refusing the SSL handshake because the certificate authority that has issued the SSL certificate being used is not in its Trust Store. Previously to resolve this, we would just need to go to http://ssl.charles in Safari on the device, and we could then install the root CA from Charles and tell the device we want to trust it. In this case, the QA person had already taken these steps. After some digging around, he found the problem.
Settings > General > About > Certificate Trust Testings
The Charles Proxy Custom Root Certificate that he had installed showed up in the list, but its toggle was turned off. While this section existed prior to iOS 10.3, by default when you would install a custom certificate, iOS would implicitly trust it. No further action required. As of iOS 10.3, the default for new custom certificates is to not trust them. If you want to trust the custom certificate you’ve installed (why else would you have installed it?), you’ll need to navigate to the section mentioned above and manually turn the switch on to trust the certificate. Any certificates installed and trusted prior to iOS 10.3 seem to be grandfathered in, so you won’t run into this until you’re trying to use a new root certificate.
47 replies on “Trusting Custom Root Certificates on iOS 10.3”
Cheers, thanx for taking the time to post this tip.
This came along at just the right time. Problem solved, thanks so much for publishing this.
Thank you, this is very helpful!
Superb Nick. You saved me hours of my debug time.
Thank you guys, this is very helpful!
The root certificate that I have installed is not even showing up there, in this list.
Thank you! Saved me a lot of time. Hard to keep up with all the changes to iOS certificate settings.
I could set the Charles Proxy environment for tvOS 10.1.x but could not succeed on 10.2 any help on this is greatly appreciated
Thanks! What a strange location for the setting, I would never have thought to look in About. Intuitive? Ironic that it’s easier to find this post through Google than a page in Settings that I’m actively searching for.
Great, this solved our issue on iPhone, but we are still experiencing it with NSURLSessionDownload tasks called from Apple Watch watchkitextension. Any ideas?
Thank you, very helpful!
Excellent post. Thank you for sharing – Keep it up!
yeap, that’s solved bugging issue when updated iOS from 9 to 10
Thank you, it’s work
Perfect. Thank you for sharing.
Thank you. I have the same problem until you see this article. issue has fixed.
thanks for documenting this!
thank you so much. this is a life saver for me.
Anyone figure out how to accept or install the Charles Proxy cert in IIS? Here is my setup: I have a Macbook in front of me, but I connect to a Windows VM to do my code. My Macbook host files to the site and things work fine. I want to test my site on my iPhone, so I’m using Charles Proxy to do that. I can get my phone to talk to the Macbook just fine, but any HTTPS traffic from my phone to Macbook that hits the VM throws:
SSLHandshake: Received fatal alert: certificate_unknownThis is expected behavior because the cert in IIS is invalid on my development machine - but in a browser, I normally just click Accept the invalid cert. How do I do that via Charles? FYI any valid HTTPS traffic is working fine.Thank you for this, I will pulling my hair out
Thanks! This saved me a ton!
Thank you very much, this helps for MitmProxy Certificates as well!
OMG, this saves my day!
Hi ! Thx for your post !
But for me this fix does not work. I had the switch button off, but when I turn it on. Charles cannot get his SSL trafic to proxy.
Can someone help me ? I maybe forget something.
Thx for your reply.
Perfect! Exactly what I needed. I had been searching online for 5 hours trying to get this resolved while the dev team was waiting for me to get a response.
Thank!
Thank you very much for taking your time to share this. Extremely helpful!!!
Thanks for your help bro
Cheers mate. Your insight and knowledge is much appreciated.
Thanks Guys. Finally i find the solution!!!
Big Up :)
ttttttthx
Don’t usually comment on these, but thank you
A big thank you for posting this !
Thank you!
Thank you for posting it. It was very helpful:)
Pure gold. A million thanks.
Thanks for this article! It’s now in our internal troubleshooting section :)
Thank you very much for this information!
After digging around for more than one hour, I finally found the reason why I can’t debug my iPhone with the new Laptop (New Certificate)
Thanks a lot!!!!!!!
Life saving. Was almost ready to break both devices
I am unable to download Charlesproxy root certificate on my iPhone v11.2. It keeps saying my browser or OS is not configured anytime I try to browse to charlesproxy.com/getssl or chls.pro/ssl . Can someone help out with this ? Thanks
It failed on ios 11.3
A very weird situation here. I had no problems whatsoever with the SSL, but after I reinstalled Charles whenever I try to enable SSL, I cannot connect to the website. I have an iPad 9.3.5. It must have a solution, because it did work fine.
My iOS device won’t install the certificate. Any ideas?
When I type in http://www.charlesproxy.com/getssl in my iphone it does not initiate a download of the certificate. It looks like everything is set up but I can’t get a certificate.
Thank you man, I’ve been struggling for a few days about Charles not working on SSL sites. You managed to explain it :)
How to solve the same problem with Android? I have Samsung S10 + Adnroid 10
You saved my day, dude!!!!! Thanks a LOT!!!!!!!!