iOS doesn't trust server certificate signed by intermediate issuer

Alan DeKok aland at
Thu Dec 3 22:22:52 CET 2020

On Dec 3, 2020, at 4:01 PM, Igor Sousa <igorvolt at> wrote:
> My institution generated our server certificate by GlobalSign, but we
> received a server certificate signed by an intermediate issuer. We
> received the server, intermediate and root certificate files.

  That should work.  Mostly.  :(

> I created a bundle with intermediate and root certificates, in this order
> an. I configured the /etc/freeradius/mods-enabled/eap as below:
> private_key_file = <path for server private key that I created>
> certificate_file = <new path for server.pem received from GlobalSign>
> ca_file = <path to ca.bundle obtained by cat intermediate.pem >> ca.bundle
> and cat root.pem >> ca.bundle>
> I run the freeradius service with no issues, and Android validates the server
> certificate. When I tested the iOS connection the device showed me the
> server certificate as Not Trusted. I verified the server certificate
> information and it is correct. If I click on the Trust button on the device
> screen, I can authenticate on the Freeradius server with no issues.
> Is this behavior right? Doesn't iOS trust a server certificate signed by
> an intermediate chain?

  iOS doesn't trust _any_ server certificate by default.

  Authentication isn't web surfing.  When you go to, you're interested in knowing if it is really "".  The certificate presented by Google says so, and is signed by a global CA.

  However, you don't really care what data you get from Google.  So web browsers are configured to accept any certificate, signed by any known root CA.

  For EAP, you *do* care about the server certificate.  Anyone can get a cert from GlobalSign, so anyone can present a signed server cert.

  So... do you want your name and password sent to some random person who paid $100 for a certificate?  No?

  For security, iOS doesn't trust *any* certificate.  All 802.1X clients should behave this way.  But Android doesn't, likely for ease of use.  Which means it's relatively easy to do nothing, and have your credentials go to a random server.

  In short: yes, this is what's supposed to happen.

  Alan DeKok.
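
The point made in the reply above, as an added example that is not part of the original thread or of FreeRADIUS: a chain that validates against the intermediate-plus-root bundle says nothing about which server presented it, so a supplicant also has to check the expected server name. The demo CAs and the names `radius.example.org` and `other.example.net` are constructed assumptions; only the `openssl` CLI is required.

```bash
# Constructed demo PKI: every name, key and certificate is generated locally
# for illustration; nothing here comes from the original thread.
set -eu

new_csr() {   # $1 = file prefix, $2 = subject CN
  openssl req -config req.cnf -new -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

sign() {      # $1 = CSR prefix, $2 = issuer prefix, $3 = extension file
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
    -CAcreateserial -extfile "$3" -days 2 -out "$1.pem" 2>/dev/null
}

build_demo_pki() {   # run inside an empty directory
  printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  new_csr root "Demo Root CA"
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
    -days 2 -out root.pem 2>/dev/null
  new_csr intermediate "Demo Intermediate CA"
  sign intermediate root ca.ext
  # Two leaves from the same intermediate: the real RADIUS server and an
  # unrelated customer of the same CA.
  for name in radius.example.org other.example.net; do
    new_csr "$name" "$name"
    printf 'subjectAltName=DNS:%s\n' "$name" > leaf.ext
    sign "$name" intermediate leaf.ext
  done
  # Same bundle as in the post: intermediate first, then root.
  cat intermediate.pem root.pem > ca.bundle
}

# Chain-only check: any certificate issued under the bundle passes.
chain_ok() { openssl verify -CAfile ca.bundle "$1" >/dev/null 2>&1; }

# Pinned check: the chain must validate AND the certificate must carry the
# server name the client was configured to expect ($2).
pinned_ok() {
  openssl verify -CAfile ca.bundle -verify_hostname "$2" "$1" >/dev/null 2>&1
}

cd "$(mktemp -d)"
build_demo_pki
for cert in radius.example.org.pem other.example.net.pem; do
  chain_ok "$cert" && echo "$cert: chain valid"
  pinned_ok "$cert" radius.example.org && echo "$cert: name matches" \
    || echo "$cert: name mismatch, reject"
done
```

Both leaf certificates pass the chain-only check; only the one issued for the configured name passes the pinned check.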
