Installing the root CA on iOS

The root CA must be installed on the client device to ensure that the client trusts server certificates that are signed by your private CAs.

About this task

To establish trust for your server certificate, you must install the trust anchor certificate (root CA) on the client device.

Note: Only the root CA certificate (trust anchor) must be installed. You do not need to install any other certificates, such as intermediaries, on the device.

Procedure

Ensure that the root CA is in PEM file format and has a .crt file extension. Convert as needed.
Run the following command to view the certificate details.
```
openssl x509 -in certificate.crt -text -noout
```
Ensure that the certificate is of version X.509 v3. The certificate details must show Version 3.
Note: The following openssl flag generates X.509 v3 certificates:
```
-reqexts v3_req
```
Ensure that the certificate is a certificate authority. The certificate details must show X509v3 Basic Constraints: CA:TRUE
Note: The following openssl flag generates the CA extension:
```
-extensions v3_ca
```
To download the certificate file on the device, send it as an email attachment or host it on a secure website.
Note: Do not install the server certificate by accessing the protected resource directly from your browser. This action imports the certificate only into the browser space and not into the device system truststore.
After you have the certificate file on the device, click the file to allow the iOS system to install the certificate.
Check that the certificate was properly installed under Settings > General > Profiles > Configuration Profiles.
Ensure that the iOS device lists the CA as a trusted certificate authority.