Work in progress.
The content still has to be rewritten in good English; it originates from a tutorial written in French.
A temporary document is available on Google Docs.

Import and activate CAcert root certificates on iOS

This guide describes how to import the CAcert root certificates into a mobile device running iOS, so that the device recognizes CAcert as a trusted CA. The operating system and the installed applications will then accept all client and server certificates that CAcert has signed with either of its root certificates.



As you probably already know, CAcert makes two root certificates available to the public:

Root CA SHA256

Class 1 root certificate, self-signed using the SHA256 algorithm

SN 0x00000F (15)

Class 3 Root SHA256

Class 3 intermediate root certificate, signed by Root CA with the SHA256 algorithm

SN 0x00000E (14)


Since the class 3 certificate is signed by the class 1 certificate, it is sufficient to tell iOS that you trust the class 1 certificate; iOS then automatically trusts the class 3 certificate as well. Only the class 1 root certificate, which does not derive its validity from any other certificate (because it is self-signed), requires this explicit confirmation from the user.

It obviously remains necessary to manually import each of the two root certificates onto the mobile device.


iOS - Import and activate

Apple's operating system has its own logic and makes it necessary to distinguish two stages:

The user performs these two steps through different screens in the settings of the device.


Importing certificates

To import CAcert Class 1 and 3 root certificates, simply go to the CAcert website using the device's Internet connection:


Root CA SHA256

Choose the class 1 root certificate in PEM format

Direct download

Class 3 Root SHA256

Choose the class 3 intermediate certificate in PEM format

Direct download




Click on Install

Enter the PIN code of the device

Click again on Install

The Class 3 Root certificate is installed but not verified yet



Click on Install

Enter the PIN code of the device

Click again on Install

The Root CA certificate is installed and actually verified



The Profiles configuration panel lists the installed certificates

The Class 3 Root certificate appears verified

The Root CA certificate appears verified


The same procedure must be repeated individually for each certificate; it does not matter which of the two is imported first.


Enable the class 1 root certificate

The next step in making the certificates usable by the operating system and applications is to tell iOS that you trust the Root CA (class 1) certificate.

To do so:


Access the Certificate Trust Settings control panel

Agree to trust the certificate despite the strong warning

Procedure completed successfully!


From that moment on, the CAcert CA is recognized on your mobile device with the same degree of trust as any of the other CAs whose certificates are pre-installed.


Troubleshooting

If the Certificate Trust Settings control panel in the device settings does not display the name of the Root CA certificate, check that the certificate actually imported in the previous step is the Root CA SHA256 certificate and not the Root CA MD5 certificate, the latter now being obsolete. Although both certificates are the same, recent versions of iOS and other operating systems do not allow the user to trust CAcert's root certificate when it is signed using the MD5 algorithm.

If Root CA MD5 (with serial number 0x000000 (0)) has been imported by mistake, simply delete it from the control panel accessible under Settings -> General -> Profiles and repeat the procedure for downloading, installing and trusting the same certificate, this time taking care to choose Root CA SHA256 (with serial number 0x00000F (15)).
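
To tell the certificates apart before importing one, the serial number and signature algorithm listed in this guide can be read straight from the downloaded PEM file. The following is an added example, not part of the original guide or CAcert's own tooling; the function names are illustrative and it assumes the PEM file has been saved on a computer with Python 3.

```python
import base64
import re

# Signature-algorithm OIDs (DER content bytes) relevant to this guide.
SIG_ALGS = {
    bytes.fromhex("2a864886f70d010104"): "md5WithRSAEncryption",
    bytes.fromhex("2a864886f70d01010b"): "sha256WithRSAEncryption",
}
# Serial numbers and algorithms as listed in this guide.
KNOWN = {
    (0x0F, "sha256WithRSAEncryption"): "Root CA SHA256 (class 1): import and trust",
    (0x0E, "sha256WithRSAEncryption"): "Class 3 Root SHA256: import",
    (0x00, "md5WithRSAEncryption"): "Root CA MD5: obsolete, do not import",
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def inspect_pem(pem):
    """Extract (serial, signature algorithm name) from a PEM certificate."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    der = base64.b64decode("".join(m.group(1).split()))
    _, pos, _ = read_tlv(der, 0)        # outer Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)      # tbsCertificate SEQUENCE
    tag, start, end = read_tlv(der, pos)
    if tag == 0xA0:                     # optional [0] version field, skip it
        tag, start, end = read_tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER expected")
    serial = int.from_bytes(der[start:end], "big")
    _, a_start, _ = read_tlv(der, end)  # signature AlgorithmIdentifier
    _, o_start, o_end = read_tlv(der, a_start)
    return serial, SIG_ALGS.get(der[o_start:o_end], "other")

def classify(pem):
    """Map a downloaded file to the certificate names used in this guide."""
    return KNOWN.get(inspect_pem(pem), "not a certificate described in this guide")
```

Call `classify(open("root.crt").read())` on the downloaded file (the file name is a placeholder). This only identifies which file was downloaded; it does not authenticate it, so also compare the certificate fingerprint against a value obtained from a trusted source.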


Relevant iOS versions

This guide has been written for iOS versions 11 and 12.