Generate Root Certificates Compliant with Apple Requirements

To be honest, I recently digged into my Homelab and I repurposed my good old ODROID-XU4 with Ubuntu 20.04 and configured it as a Bitwarden server on some Docker containers to provide a secure password management service for my network devices.

Today, we're going to learn how to properly generate self-signed Trusted Root Certificates with OpenSSL meeting the requirements of Apple for iOS 13 or macOS 10.15 and newer versions, including the upcoming iOS 15 and so on.

Apparently, one of my client devices happens to be an Apple iPhone 7 running on iOS 14 which is actually requiring strict standards for Downloaded Certificate Profiles in order to be installed properly as a Trusted Root Certificate and that's when I had to figure it all out.

Create OpenSSL Configuration File

That's like the magic touch for this particular tutorial, please note that I am running Ubuntu 20.04 on my micro server but it really doesn't matter which Linux/Unix distribution you are running on your end.

You can SSH into the terminal of your server on any device, enter the commands below.

cd ~/
nano bitwarden.cnf

Change "bitwarden" to the name of your project, that's going to create a configuration file needed for certificate generation as a result please input the following.

[ req ]
default_bits           = 4096
default_md             = sha512
prompt                 = no
encrypt_key            = no
distinguished_name     = req_distinguished_name
x509_extensions        = usr_cert

[ req_distinguished_name ]
countryName            = "US"                        # Two Digit Country Code
stateOrProvinceName    = "California"                # State or Province Name
organizationName       = "Perpetual Technologies"    # Organization Name
commonName             = "Bitwarden"                 # Project or Domain Name (FQDN)
emailAddress           = "your-name@gmail.com"       # Any Email Address

[ usr_cert ]
basicConstraints       = critical, CA:true, pathlen:0
nsCertType             = sslCA
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth
nsComment              = "OpenSSL CA Certificate"
subjectAltName         = @alt_names

[alt_names]
DNS.1                  = localhost    # Local Hostname or Public Domain Name
IP.1                   = 127.0.0.1    # Local or Public IP Address

Here comes the important part, you have to adapt with the parameters commented above according to your preferences and requirements.

If you are going to use this certificate on a server that has an actual local hostname or public domain name please change localhost to match your case.

Otherwise, if your server is lacking a domain name and you are going to work on either a local or public IP address, in this case please change 127.0.0.1 to match the IP address of your server, it can work with both LAN or WAN networks. For example, in my case I set this to 192.168.1.100 the IP address of my own Bitwarden server.

Once finished, you can save the file by using the CTRL + O keystrokes on your keyboard.

Generate TLS/SSL CA Certificate with OpenSSL

Now, we can steadily generate self-signed certificates configured exactly as we wanted, you can proceed with the openssl command on terminal of your server.

sudo openssl req -x509 -keyout /etc/ssl/private/bitwarden.key -out /etc/ssl/certs/bitwarden.crt -config ~/bitwarden.cnf -days 365

Of course, you don't have to keep using "bitwarden" as a name of such files, you can use your own.

Okay, you should have a certificate now generated as /etc/ssl/certs/bitwarden.crt just examine it.

cat /etc/ssl/certs/bitwarden.crt

Either, create a file with the same content or find a way to copy this file into your desired client Apple device, you can then send it by email, Google Drive, AirDrop or whatever as you wish.

Install Trusted Root Certificate on Apple iOS

The process is going to consist of two stages, the downloaded file is treated as a profile that's used to install and configure the certificate on Apple iOS client devices.

Install Certificate Configuration Profile

Once you receive the certificate file at your end client device which is Apple iPhone 7 running iOS 14 in my case, just click it and there will be a configuration profile automatically downloaded into your device.

In order to install the profile, navigate to Settings > General > Profiles where under “DOWNLOADED PROFILE” click on the target and press the install button then confirm the dialog and be done with it.

Enable Full Trust for Root Certificates

Similarly, once you have successfully installed the downloaded certificate profile, navigate to Settings > General > Aboout > Certificate Trust Settings where under "ENABLE FULL TRUST FOR ROOT CERTIFICATES" click on the target and toggle the switch on.

Install Trusted Root Certificate on Apple macOS

When it comes to macOS a simple Double-click on the certificate file will do. Then, you can install it in your login keychain. Once clicked, just make sure to specify “Always Trust” from the scroll down menu when using the certificate.

Finally! We're done, if you have any questions or issues do not hesitate to discuss in the comment section right below.

Speak Your Mind

Connect

If you like our content, please consider buying us a coffee.
Thank you for your support!

Explore

Discussion