Do any of you have a clue how to alter the contents of Security.framework/TrustStore.sqlite3? It seems as if the iPhone uses it to store trusted CA certificates
If you have a webserver configured to serve up digital certificates with the correct mime-type then Safari on the iPhone will add them to the trust store.
The MIME type for a CA certificate is "application/x-x509-ca-cert".
When Safari downloads this certificate it will ask the user if they want to trust it.
Once trusted it appears in the Settings | General | Profiles section as a Configuration Profile.
The certificate is also inserted into the TrustStore.sqlite3 db. Verified that by doing a backup and extracting the DB with iphone backup extractor.
I'm not sure if that now means that it is trusted for other purposes, say as an SSL root.
Hope this helps, I might investigate more if time permits.
To install your own CA certificate in iOS 13 (Simulator or Phone/Pad)
Your CA is now trusted. In older versions of the simulator you could just drag your certificate on the simulator but that no longer seems to work.
Remember that Apple limits the validation duration of your certificates so don't make them valid for 10 years but choose a shorter time.
If you fail at the first step then this is probably because your webserver doesn't recognise the .crt extension. Common web servers like Apache should work fine.
Since iOS 11 the TrustStore is located at: /System/Library/Security/Certificates.bundle
instead of the usual location: /System/Library/Frameworks/Security.framework
I can imagine that someone else will encounter this problem, therefore I'd like to answer how it works (Apple won't like to see that):
1st) The iPhoneOS trusts every CA certificate stored in /System/Library/Frameworks/Security.framework/TrustStore.sqlite3
2nd) Some fields in that database contain data which I did not understand, while others' meanings like "SHA1" are quite obvious.
3rd) There are two different TrustStore.sqlite3s on your iPod/iPhone. The second one is located at /private/var/Keychains/TrustStore.sqlite3. The only difference between those is that Apple only trusts the contents of the one in Security.framework.
4th) The latter one is used to store user installed certificates (thanks, koregan), while the table layout is the same.
5th) Open your self-signed certificate using Mail or Safari and install it.
6th) Open /private/var/Keychains/TrustStore.sqlite3 using your favourite SQLite database manager and look for the row in tsettings whose "SHA1" BLOB contains the hash of your CA certificate.
7th) Extract the whole row and insert it into TrustStore.sqlite3's tsettings table.
8th) Make sure you copied the database back to the device, reboot it.
9th) By now it should totally trust those certificates which are signed by your custom CA.
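The fingerprint lookup from step 6 can also be run read-only against an extracted copy of either TrustStore.sqlite3 to see which anchors it trusts beyond an approved list. This is an added example, not code from any of the answers; it assumes the "SHA1" column holds the SHA-1 of the DER-encoded certificate, and the function names and sample certificate bytes are constructed for illustration.

```python
import hashlib
import pathlib
import sqlite3
import ssl


def cert_sha1(cert: bytes) -> bytes:
    """SHA-1 of the DER encoding (assumed hash form); accepts DER or PEM."""
    if cert.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        cert = ssl.PEM_cert_to_DER_cert(cert.decode("ascii").strip())
    return hashlib.sha1(cert).digest()


def open_readonly(path: str) -> sqlite3.Connection:
    """Open an extracted copy of the store so that writes are refused."""
    uri = pathlib.Path(path).resolve().as_uri() + "?mode=ro"
    return sqlite3.connect(uri, uri=True)


def store_fingerprints(con: sqlite3.Connection) -> set[bytes]:
    """All SHA-1 blobs in tsettings, the table and column named in the answer."""
    return {bytes(row[0]) for row in con.execute("SELECT sha1 FROM tsettings")}


def unexpected_anchors(con: sqlite3.Connection, approved_certs) -> list[str]:
    """Hex fingerprints the store trusts that are absent from the approved list."""
    approved = {cert_sha1(c) for c in approved_certs}
    return sorted(fp.hex() for fp in store_fingerprints(con) - approved)


def build_sample_store(path: str, certs) -> None:
    """Constructed test data: a minimal tsettings table holding only sha1."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE tsettings (sha1 BLOB NOT NULL)")
    con.executemany("INSERT INTO tsettings VALUES (?)", [(cert_sha1(c),) for c in certs])
    con.commit()
    con.close()


if __name__ == "__main__":
    import os, tempfile
    corp_ca, unknown_ca = b"constructed-DER-corp-ca", b"constructed-DER-unknown-ca"
    with tempfile.TemporaryDirectory() as d:
        db = os.path.join(d, "TrustStore.sqlite3")
        build_sample_store(db, [corp_ca, unknown_ca])
        con = open_readonly(db)
        print(unexpected_anchors(con, [corp_ca]))  # only the unknown CA's fingerprint
        con.close()
```

Any fingerprint it reports is a trust anchor that nobody on the approved list accounts for and is worth tracing back to an installed profile.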
For the second part of your question, I've used the SQLite extension for Firefox to create and edit sqlite db files.
addons.mozilla.org
You can use iPhone Configuration Utility to install certificates.