Import CAcert root certificates on iOS (step-by-step)

This is a detailed description of how to import a certificate on iOS.

1. Preparation

2. Delete Certificates

Please delete all existing CAcert certificates on your device (phone or pad).

3. Configuration

3a. Start the Configuration Software

Start the iPhone configuration software on your desktop computer. If it won't start on Windows, try deleting or renaming the directory

Now you'll see this user interface:


3b. Connect your Mobile Device

After connecting the iOS device, you can find its entry in the list shown on the "Devices" tab. The created profiles are always valid for the selected device only. Later, a .mobileconfig will be created for each device, which will be regarded as trustworthy by this device only. If you have to configure many devices, you may consider using a full-scale Mobile Device Management system.



4. Creating a new Profile

Now it's time to create a configuration profile which will hold the certificates later. You can do this using the "New" button of the menu.

First you should add all data necessary to identify this profile on the mobile device later. One of the more important issues here is:

Security: You should change this to "With Authentication" and specify a password for the profile. Be sure to keep this password in a safe place, since it will be necessary to remove this profile later. See also the section about troubleshooting.


5. Adding Certificates to the Profile

Now change to the certificate area in the profile management. Add CAcert's Class 1 and Class 3 certificates, which you already downloaded during step 1.

If you have additional CAcert client certificates, you can add them here as well, so that you can use them, for example, to encrypt and sign mails.


6. Export the Profile

Once you have completed the previous steps, the configuration must be exported. It is important to specify that the export shall be done as an encrypted and signed profile for your device:


Select the device (or multiple devices) from the presented list and click "Export".


If no list of devices is presented, you messed up in step 3b.

You should now send the exported profile to your device by including it in a mail message as an attachment.


On the device you'll open the .mobileconfig attachment of the mail and follow the setup dialog.

Depending on the device configuration it may be necessary to enter the system PIN. After completing the setup procedure the certificates should be validated in the OS and be usable in applications.

As you can see, the package is created with a signature of iPCU for the UUID of the device, and is therefore marked as trustworthy.


Now, all applications except Chrome will regard CAcert as a trustworthy CA.


How do I delete existing profiles if I forgot the password?

It is not possible to delete a profile without knowledge of the password set in step 4. To recover it, a local backup by iTunes is necessary.

You need the *.stub files from the directory \Home Domain\Library\ConfigurationProfiles. These contain the password as clear text in the key "RemovalPassword".
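The lookup described above, as an added example that is not part of the original page: a Python script that searches *.stub files you have copied out of your own iTunes backup for the "RemovalPassword" key. It assumes the stub files are plain XML or binary property lists; the function names, the sample stub and its payload layout are constructed for illustration.

```python
import plistlib
import sys
from pathlib import Path
from xml.parsers.expat import ExpatError

KEY = "RemovalPassword"  # key name as given on this page

def find_key(node, key=KEY):
    """Yield every value stored under `key` at any depth of a parsed plist."""
    if isinstance(node, dict):
        for name, value in node.items():
            if name == key:
                yield value
            else:
                yield from find_key(value, key)
    elif isinstance(node, list):
        for item in node:
            yield from find_key(item, key)

def removal_passwords(data: bytes):
    """Return the string values of KEY in one stub file; [] if it is not a plist."""
    try:
        root = plistlib.loads(data)  # auto-detects XML and binary plists
    except (ValueError, ExpatError):
        return []  # assumption violated: not a plain property list
    return [v for v in find_key(root) if isinstance(v, str)]

# Constructed sample standing in for a real .stub file (layout is an assumption).
SAMPLE_STUB = plistlib.dumps({
    "PayloadDisplayName": "CAcert roots (constructed sample)",
    "PayloadContent": [
        {"PayloadType": "com.apple.security.root"},
        {"PayloadType": "com.apple.profileRemovalPassword",
         "RemovalPassword": "example-only"},
    ],
})

if __name__ == "__main__":
    if len(sys.argv) < 2:
        # No folder given: run against the constructed sample.
        print(removal_passwords(SAMPLE_STUB))
    else:
        # Folder holding the *.stub files extracted from the backup.
        for stub in sorted(Path(sys.argv[1]).glob("*.stub")):
            for password in removal_passwords(stub.read_bytes()):
                print(f"{stub.name}: {password}")
```

Because the password sits in the backup as clear text, anyone who can read an unencrypted backup can read it too, so keep the backup itself protected.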

Note by translator: I have translated the German text without testing or validating (or even fully understanding) the procedure. No English screenshots were available, so I had to guess some menu or button texts. Please fix this if you have an English device!

