Trusting Custom Root Certificates on iOS 10.3

TL;DR: Navigate to Settings > General > About > Certificate Trust Settings and turn the switch on for your custom certificate.

Like many others, I've come to rely on Charles Proxy as an indispensable part of my daily toolkit. Every person on my QA team uses it daily for their projects. Recently, while testing on iOS 10.3, one of my team members couldn't get his SSL traffic to proxy. Usually when somebody runs into this, it's because they haven't installed the Charles Proxy root certificate on the device they're trying to proxy. When that's the case and you try to proxy SSL traffic in Charles, you'll see the following error:

SSLHandshake: Received fatal alert: unknown_ca

Charles Proxy will even offer a helpful suggestion:

You may need to configure your browser or application to trust the Charles Root Certificate. See SSL Proxying in the Help menu.

iOS is refusing the SSL handshake because the certificate authority that issued the SSL certificate being presented is not in its Trust Store. Previously, to resolve this, we would just go to http://ssl.charles in Safari on the device, install the root CA from Charles, and tell the device we want to trust it. In this case, the QA person had already taken these steps. After some digging around, he found the problem:

Settings > General > About > Certificate Trust Settings

The Charles Proxy custom root certificate that he had installed showed up in the list, but its toggle was turned off. While this section existed prior to iOS 10.3, by default iOS would implicitly trust any custom certificate you installed. No further action required. As of iOS 10.3, the default for new custom certificates is to not trust them. If you want to trust the custom certificate you've installed (why else would you have installed it?), you'll need to navigate to the section mentioned above and manually turn the switch on to trust the certificate. Any certificates installed and trusted prior to iOS 10.3 seem to be grandfathered in, so you won't run into this until you try to use a new root certificate.
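The unknown_ca alert quoted above (and the certificate_unknown alert that comes up in the comments) is the TLS client's way of reporting why it refused the server's chain. As an added example that is not part of the original post, this Python script decodes a raw TLS alert record, maps the two-byte level/description to the RFC 5246 names, and attaches a short reading of what each certificate-related alert means for a proxied device; the sample record bytes are constructed, not captured from Charles.

```python
import struct

ALERT_RECORD_TYPE = 0x15  # TLS ContentType "alert" (RFC 5246, section 6.2.1)
ALERT_LEVELS = {1: "warning", 2: "fatal"}

# AlertDescription values from RFC 5246, section 7.2 (the certificate-related subset).
ALERT_DESCRIPTIONS = {
    0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
}

# How to read the alerts that come up when a client talks to a TLS-intercepting proxy.
DIAGNOSIS = {
    "unknown_ca": "the client does not trust the CA that issued the certificate; the "
                  "proxy's root CA is missing from, or not enabled in, its trust store",
    "certificate_unknown": "the client rejected the certificate for a reason other "
                           "than an unknown CA (e.g. a self-signed or otherwise invalid cert)",
    "certificate_expired": "the certificate is outside its validity period",
}


def parse_tls_alert(record: bytes) -> dict:
    """Parse one plaintext TLS record and describe the alert it carries.

    Raises ValueError if the bytes are not a well-formed alert record.
    """
    if len(record) < 5:
        raise ValueError("record shorter than a 5-byte TLS record header")
    content_type, major, minor, length = struct.unpack("!BBBH", record[:5])
    if content_type != ALERT_RECORD_TYPE:
        raise ValueError(f"not an alert record (content type 0x{content_type:02x})")
    payload = record[5:5 + length]
    if length != 2 or len(payload) != 2:  # a plaintext Alert is exactly level + description
        raise ValueError("alert payload must be exactly 2 bytes")
    level, description = payload
    name = ALERT_DESCRIPTIONS.get(description, f"unknown({description})")
    return {
        "record_version": (major, minor),  # (3, 3) is TLS 1.2 on the wire
        "level": ALERT_LEVELS.get(level, f"unknown({level})"),
        "description": name,
        "diagnosis": DIAGNOSIS.get(name, "see RFC 5246, section 7.2"),
    }


# Constructed sample: the fatal unknown_ca alert a device without the proxy CA sends.
SAMPLE_UNKNOWN_CA = bytes([0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x30])

if __name__ == "__main__":
    alert = parse_tls_alert(SAMPLE_UNKNOWN_CA)
    print(f"{alert['level']} alert {alert['description']}: {alert['diagnosis']}")
```

Feed it the alert bytes from a packet capture of the failing handshake: unknown_ca points at the trust-store toggle described above, while certificate_unknown means the CA was not the problem.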

36 comments

  1. Scott Stephany

    This came along at just the right time. Problem solved, thanks so much for publishing this.

  2. Saad Rehman Shah

    The root certificate that I have installed is not even showing up there, in this list.

  3. matt

    Thank you! Saved me a lot of time. Hard to keep up with all the changes to iOS certificate settings.

  4. Gangi

    I could set up the Charles Proxy environment for tvOS 10.1.x but could not succeed on 10.2. Any help on this is greatly appreciated.

  5. Qeyleb

    Thanks! What a strange location for the setting, I would never have thought to look in About. Intuitive? Ironic that it’s easier to find this post through Google than a page in Settings that I’m actively searching for.

  6. John

    Great, this solved our issue on iPhone, but we are still experiencing it with NSURLSessionDownload tasks called from Apple Watch watchkitextension. Any ideas?

  7. kimsungwhee

    Thank you. I had the same problem until I saw this article. The issue has been fixed.

  8. Jaseowns

    Anyone figure out how to accept or install the Charles Proxy cert in IIS? Here is my setup: I have a MacBook in front of me, but I connect to a Windows VM to do my code. My Macbook host files to the site and things work fine. I want to test my site on my iPhone, so I'm using Charles Proxy to do that. I can get my phone to talk to the MacBook just fine, but any HTTPS traffic from my phone to the MacBook that hits the VM throws: SSLHandshake: Received fatal alert: certificate_unknown. This is expected behavior because the cert in IIS is invalid on my development machine, but in a browser I normally just click Accept on the invalid cert. How do I do that via Charles? FYI, any valid HTTPS traffic is working fine.

  9. Julien

    Hi! Thx for your post!

    But for me this fix does not work. I had the switch turned off, but even when I turn it on, Charles cannot get its SSL traffic to proxy.

    Can someone help me? Maybe I forgot something.

    Thx for your reply.

  10. Paul

    Perfect! Exactly what I needed. I had been searching online for 5 hours trying to get this resolved while the dev team was waiting for me to get a response.

    Thanks!
