Import CAcert root certificates on iOS (step-by-step)
This is a detailed description on how to import a certificate on iOS.
- Download the Cacert root certificates (Class1 and Class3) in PEM format as *.cer
- Download and install the iPhone configuration software on your PC or May
(Windows: http://support.apple.com/kb/DL1466) link isn't functional, try: http://iphone-configuration-utility.soft32.com/free-download/
(Macintosh: http://support.apple.com/kb/DL1465) link isn't functional, try: Mac App Store - Apple Configurator 2.3
- iOS device with sync cable is in reach
2. Delete Certificates
Please delete all existing CAcert certificates on your device (phone or pad).
3a. Start the Configuration Software
Start the iPhone configuration software on your desktop computer. If it won't start on Window, try deleting or renaming the directory
Now you'll see this user interface:
3b. Connect your Mobile Device
After connecting the iOS device you can find its entry in the list shown by the tab "Devices". The created profiles are always valid for the selected device only. Later, a .mobileconfig will be created for each device, which will be regarded as trustworthy by this device only. If you have to configure many devices, you may consider to use a full-scale Mobile Device Management system.
- For later re-use you should export the device profile immediately, but remember that such a backup will only remain valid for two years!
- Existing device profiles can be imported by using the "Add" button:
4. Creating a new Profile
Now it's time to create a configuration profile which will hold the certificates later. You can do this using the "New" button of the menu.
First you should add all data necessary to identify this profile on the mobile device later. One of the more important issues here is:
Security: You should change this to "With Authentication" and specify a password for the profile. Be sure so securely keep this password, since it will be necessary to remove this profile later. See also the section about troubleshooting.
5. Adding Certificates to the Profile
Now you change to the certificate area in the profile management. You'll add CAcert's Class 1 and Class 3 certificates, which you already have downloaded during step 1.
If you have additional CAcert client certificates, you can add them here also, so you may use them for example to encrypt and sign mails.
6. Export the Profile
Once you have completed the previous steps the configuration must be exported. It is important to specify that the export shall be done as encrypted and signed profile for your device:
Select the device (or multiple devices) from the presented list and click "Export".
If no list of devices is presented you messed up in step 3b.
You should now send the exported profile to your device by including it in a mail message as an attachment.
On the device you'll open the .mobileconfig attachment of the mail and follow the setup dialog.
Depending on the device configuration it may be necessary to enter the system PIN. After completing the setup procedure the certificates should be validated in the OS and be usable in applications.
As you can see, the package is created with a signature of iPCU for the UUID of the device, and therefor marked as trustworthy.
Now, all applications except Chrome will regard CAcert as trustworthy CA.
How do I delete existing profiles if I forgot the password?
It is not possible to delete a profile without knowledge of the password set in step 4. To recover it, a local backup by iTunes is necessary.
- If you only have encrypted ones, the tool „iPhone Backup Extractor“ by Reincubate may help.
Note by translator: I have translated the german text without testing or validating (or even fully understanding) the procedure. No english screenshots were available, so I had to guess some menu or button texts. Please fix this if you have an english device!