Trusting Custom Root Certificates on iOS 10.3

TL;DR: Navigate to Settings > General > About > Certificate Trust Settings and turn the switch on for your custom certificate.

Like many, I've found Charles Proxy to be an indispensable part of my daily toolkit. Every person on my QA team uses it daily for their projects. Recently, while testing on iOS 10.3, one of my team members couldn’t get his SSL traffic to proxy. Usually when somebody runs into this, it’s because the person hasn’t installed the Charles Proxy root certificate on the device they’re trying to proxy. Then when you try to proxy SSL traffic in Charles, you’ll see the following error: SSLHandshake: Received fatal alert: unknown_ca

Charles Proxy will even offer a helpful suggestion:

You may need to configure your browser or application to trust the Charles Root Certificate. See SSL Proxying in the Help menu.

iOS is refusing the SSL handshake because the certificate authority that issued the SSL certificate being used is not in its Trust Store. Previously, to resolve this, we would just need to go to http://ssl.charles in Safari on the device, and we could then install the root CA from Charles and tell the device we want to trust it. In this case, the QA person had already taken these steps. After some digging around, he found the problem: Settings > General > About > Certificate Trust Settings

The Charles Proxy Custom Root Certificate that he had installed showed up in the list, but its toggle was turned off. While this section existed prior to iOS 10.3, by default when you would install a custom certificate, iOS would implicitly trust it. No further action required. As of iOS 10.3, the default for new custom certificates is to not trust them. If you want to trust the custom certificate you’ve installed (why else would you have installed it?), you’ll need to navigate to the section mentioned above and manually turn the switch on to trust the certificate. Any certificates installed and trusted prior to iOS 10.3 seem to be grandfathered in, so you won’t run into this until you’re trying to use a new root certificate.
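The difference between a root that is merely installed and one that is trusted can be reproduced off-device with the OpenSSL CLI. This is an added example, not part of the original post or of Charles Proxy: it models the trust decision rather than iOS's own evaluation, and the throwaway root CA, the example.test host name and the make_pki/trust_check helpers are constructed for illustration (OpenSSL 1.1.0 or later assumed).

```sh
#!/bin/sh
# Constructed demo: a throwaway root CA stands in for the proxy's root certificate.
set -u

make_pki() {  # $1 = working directory
  # Self-signed root CA (constructed; plays the role of the proxy's root).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo Proxy Root CA" \
    -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
  # Key and CSR for the host being proxied (example.test is a placeholder).
  openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  # The root signs the leaf, as an intercepting proxy does for each host.
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}

trust_check() {  # $1 = working directory, $2 = installed | trusted
  # -no-CAfile/-no-CApath keep the system trust store out of the decision.
  case "$2" in
    installed)
      # Root is available for chain building but is NOT a trust anchor:
      # the state of a newly installed root on iOS 10.3 with the switch off.
      openssl verify -no-CAfile -no-CApath \
        -untrusted "$1/root.pem" "$1/leaf.pem" ;;
    trusted)
      # Root is an explicit trust anchor: the state after the switch is on.
      openssl verify -no-CAfile -no-CApath \
        -CAfile "$1/root.pem" "$1/leaf.pem" ;;
  esac >/dev/null 2>&1
}

work="$(mktemp -d)"
trap 'rm -rf "$work"' EXIT
make_pki "$work"
for state in installed trusted; do
  if trust_check "$work" "$state"; then
    echo "$state: chain verifies, handshake can proceed"
  else
    echo "$state: chain rejected (the condition an unknown_ca alert reports)"
  fi
done
```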

By Nick Arnott

I like breaking stuff. I used to test iOS and Android applications. Now I test some other stuff. Sometimes I rant on Twitter.

47 replies on “Trusting Custom Root Certificates on iOS 10.3”

This came along at just the right time. Problem solved, thanks so much for publishing this.

The root certificate that I have installed is not even showing up there, in this list.

Thank you! Saved me a lot of time. Hard to keep up with all the changes to iOS certificate settings.

I could set the Charles Proxy environment for tvOS 10.1.x but could not succeed on 10.2. Any help on this is greatly appreciated.

Thanks! What a strange location for the setting, I would never have thought to look in About. Intuitive? Ironic that it’s easier to find this post through Google than a page in Settings that I’m actively searching for.

Great, this solved our issue on iPhone, but we are still experiencing it with NSURLSessionDownload tasks called from Apple Watch watchkitextension. Any ideas?

Anyone figure out how to accept or install the Charles Proxy cert in IIS? Here is my setup: I have a Macbook in front of me, but I connect to a Windows VM to do my code. My Macbook host files to the site and things work fine. I want to test my site on my iPhone, so I’m using Charles Proxy to do that. I can get my phone to talk to the Macbook just fine, but any HTTPS traffic from my phone to Macbook that hits the VM throws: SSLHandshake: Received fatal alert: certificate_unknown. This is expected behavior because the cert in IIS is invalid on my development machine - but in a browser, I normally just click Accept the invalid cert. How do I do that via Charles? FYI any valid HTTPS traffic is working fine.

Hi ! Thx for your post !

But for me this fix does not work. I had the switch button off, but when I turn it on, Charles cannot get his SSL traffic to proxy.

Can someone help me ? I maybe forget something.

Thx for your reply.

Perfect! Exactly what I needed. I had been searching online for 5 hours trying to get this resolved while the dev team was waiting for me to get a response.

Thank!

After digging around for more than one hour, I finally found the reason why I can’t debug my iPhone with the new Laptop (New Certificate)

Thanks a lot!!!!!!!

I am unable to download Charlesproxy root certificate on my iPhone v11.2. It keeps saying my browser or OS is not configured anytime I try to browse to charlesproxy.com/getssl or chls.pro/ssl . Can someone help out with this ? Thanks

A very weird situation here. I had no problems whatsoever with the SSL, but after I reinstalled Charles whenever I try to enable SSL, I cannot connect to the website. I have an iPad 9.3.5. It must have a solution, because it did work fine.
