To be honest, I recently dug into my homelab and repurposed my good old ODROID-XU4 with
Ubuntu 20.04, configuring it as a Bitwarden server running in Docker containers to provide a secure password management service for my network devices.
Today, we're going to learn how to properly generate self-signed trusted root certificates with OpenSSL that meet Apple's requirements for iOS 13 or macOS 10.15 and newer, including the upcoming iOS 15.
As it happens, one of my client devices is an Apple iPhone 7 running iOS 14, which enforces strict requirements on downloaded certificate profiles before they can be installed as a
trusted root certificate, and that's when I had to figure it all out.
Create OpenSSL Configuration File
That's the magic touch of this particular tutorial. Note that I am running Ubuntu 20.04 on my micro server, but it really doesn't matter which Linux/Unix distribution you are running on your end.
SSH into your server's terminal from any device and enter the commands below.
cd ~/
nano bitwarden.cnf
Change "bitwarden" to the name of your project; this creates the configuration file needed for certificate generation. Paste in the following.
[ req ]
default_bits = 4096
default_md = sha512
prompt = no
encrypt_key = no
distinguished_name = req_distinguished_name
x509_extensions = usr_cert

[ req_distinguished_name ]
# Two Digit Country Code
countryName = "US"
# State or Province Name
stateOrProvinceName = "California"
# Organization Name
organizationName = "Perpetual Technologies"
# Project or Domain Name (FQDN)
commonName = "Bitwarden"
# Any Email Address
emailAddress = "firstname.lastname@example.org"

[ usr_cert ]
basicConstraints = critical, CA:true, pathlen:0
nsCertType = sslCA
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
nsComment = "OpenSSL CA Certificate"
subjectAltName = @alt_names

[ alt_names ]
# Local Hostname or Public Domain Name
DNS.1 = localhost
# Local or Public IP Address
IP.1 = 127.0.0.1
Here comes the important part: adapt the commented parameters above to your preferences and requirements.
If you are going to use this certificate on a server that has an actual local hostname or public domain name, change
localhost to match your case.
Otherwise, if your server has no domain name and you are going to reach it by a local or public IP address, change
127.0.0.1 to the IP address of your server; this works on both LAN and WAN networks. For example, in my case I set this to
192.168.1.100, the IP address of my own Bitwarden server.
Once finished, save the file with the
CTRL + O keystroke.
Generate TLS/SSL CA Certificate with OpenSSL
Now we can generate a self-signed certificate configured exactly as we want: run the following
openssl command in the terminal of your server.
sudo openssl req -x509 -keyout /etc/ssl/private/bitwarden.key -out /etc/ssl/certs/bitwarden.crt -config ~/bitwarden.cnf -days 365
Of course, you don't have to keep "bitwarden" as the name of these files; use your own.
You should now have a certificate generated at
/etc/ssl/certs/bitwarden.crt; take a moment to examine it.
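The configuration, generation and inspection steps above, put together as an added shell example that is not part of the original post: it writes a configuration modelled on bitwarden.cnf into a scratch directory, runs the same openssl req invocation (with -new spelled out), and then checks the resulting certificate against the Apple requirements this post targets for iOS 13 / macOS 10.15 and later (RSA key of at least 2048 bits, SHA-2 signature, validity of at most 825 days, a subjectAltName entry, and an extendedKeyUsage that includes serverAuth). The hostname bitwarden.home.example, the address 192.168.1.100 and the subject fields are constructed sample values; the script assumes openssl and GNU date are on PATH.

```shell
#!/bin/sh
# Added example (not from the original post): generate the self-signed
# certificate into a scratch directory and check it against Apple's
# requirements for TLS server certificates on iOS 13 / macOS 10.15 and later.
# Assumes openssl and GNU date on PATH; hostnames, IPs and subject fields
# below are constructed sample values.
set -eu

# write_cnf DIR CN DNS IP: write an OpenSSL config modelled on the post's
# bitwarden.cnf with the subject and SAN values passed in.
write_cnf() {
    dir=$1; cn=$2; dns=$3; ip=$4
    cat > "$dir/server.cnf" <<EOF
[ req ]
default_bits = 4096
default_md = sha512
prompt = no
encrypt_key = no
distinguished_name = req_distinguished_name
x509_extensions = usr_cert

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = California
organizationName = Example Homelab
commonName = $cn
emailAddress = admin@example.org

[ usr_cert ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = $dns
IP.1 = $ip
EOF
}

# gen_cert DIR DAYS: the post's openssl req invocation pointed at DIR.
# encrypt_key = no leaves the key unencrypted, so create it with mode 0600.
gen_cert() {
    dir=$1; days=$2
    (umask 077 && openssl req -new -x509 -keyout "$dir/server.key" -out "$dir/server.crt" \
        -config "$dir/server.cnf" -days "$days" 2>/dev/null)
}

# check_apple_reqs CRT: return 0 if every requirement holds, 1 otherwise,
# printing one FAIL line per requirement that does not.
check_apple_reqs() {
    crt=$1; ok=0
    text=$(openssl x509 -in "$crt" -noout -text)

    # RSA key size: OpenSSL prints "Public-Key: (4096 bit)"
    bits=$(printf '%s\n' "$text" | grep -m1 -oE 'Public-Key: \([0-9]+ bit\)' | tr -dc '0-9')
    [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: key is ${bits:-?} bits, need >= 2048"; ok=1; }

    # Signature hash must come from the SHA-2 family
    sigalg=$(printf '%s\n' "$text" | grep -m1 'Signature Algorithm:' | awk '{print $3}')
    case "$sigalg" in
        sha256*|sha384*|sha512*) ;;
        *) echo "FAIL: signature algorithm $sigalg is not SHA-2"; ok=1 ;;
    esac

    # Validity period (notBefore to notAfter) must not exceed 825 days
    nb=$(openssl x509 -in "$crt" -noout -startdate | cut -d= -f2)
    na=$(openssl x509 -in "$crt" -noout -enddate | cut -d= -f2)
    valid_days=$(( ( $(date -u -d "$na" +%s) - $(date -u -d "$nb" +%s) ) / 86400 ))
    [ "$valid_days" -le 825 ] || { echo "FAIL: valid for $valid_days days, max 825"; ok=1; }

    # Names must be in subjectAltName, not only in the CN
    printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | grep -qE 'DNS:|IP Address:' \
        || { echo "FAIL: no subjectAltName DNS/IP entry"; ok=1; }

    # extendedKeyUsage must include serverAuth
    printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' \
        || { echo "FAIL: extendedKeyUsage lacks serverAuth"; ok=1; }

    return $ok
}

# run_demo DAYS: generate into a temp dir, check, clean up; 0 on PASS, 1 on FAIL.
run_demo() {
    dir=$(mktemp -d)
    write_cnf "$dir" bitwarden.home.example bitwarden.home.example 192.168.1.100
    gen_cert "$dir" "${1:-365}"
    if check_apple_reqs "$dir/server.crt"; then
        echo "PASS: certificate meets Apple's iOS 13 / macOS 10.15 requirements"; st=0
    else
        st=1
    fi
    rm -rf "$dir"
    return $st
}

# Usage: sh apple_cert_check.sh run [days]
if [ "${1:-}" = run ]; then run_demo "${2:-365}"; fi
```

Running it with `run 365` reproduces the post's setting and passes; running it with `run 1000` shows the failure mode, since a certificate valid for longer than 825 days is rejected by iOS 13 and macOS 10.15 even when everything else is in order. The key is written under umask 077 because encrypt_key = no stores it unencrypted, which is also why the post's command keeps it under /etc/ssl/private.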
Either create a file with the same content on your Apple client device, or copy the file over to it by email, Google Drive, AirDrop, or whatever you prefer.
Install Trusted Root Certificate on Apple iOS
The process consists of two stages: the downloaded file is treated as a configuration profile, which is used to install and configure the certificate on Apple iOS client devices.
Install Certificate Configuration Profile
Once you receive the certificate file on your client device (an Apple iPhone 7 running iOS 14 in my case), tap it and a configuration profile will be downloaded to your device automatically.
To install the profile, navigate to
Settings > General > Profiles, tap the target entry under "DOWNLOADED PROFILE", press the
Install button, confirm the dialog, and you're done.
Enable Full Trust for Root Certificates
Similarly, once you have successfully installed the downloaded certificate profile, navigate to
Settings > General > About > Certificate Trust Settings and, under "ENABLE FULL TRUST FOR ROOT CERTIFICATES", toggle the switch for the target certificate on.
Install Trusted Root Certificate on Apple macOS
When it comes to macOS, a simple
double-click on the certificate file will do. Install it into your login keychain, then open the certificate and make sure to select "Always Trust" from the drop-down menu under "When using this certificate".
Finally, we're done! If you have any questions or issues, don't hesitate to discuss them in the comment section right below.