iOS doesn't trust server certificate signed by intermediate issuer
Alan Buxey
alan.buxey at gmail.com
Thu Dec 3 22:42:41 CET 2020
Hi
So long as iOS has the CA and intermediate then it can trust your server
cert. If it doesn't have the intermediate but has the root CA, then you
can send the intermediate along with the server cert.
However, for trust, you need to ensure that iOS knows to trust that
server. Hence it asks you about things... fingerprint etc.
To avoid this, best practice is to configure the iOS device with a
network profile. Usually done with e.g. MDM software.
alan
On Thu, 3 Dec 2020, 21:02 Igor Sousa, <igorvolt at gmail.com> wrote:
> Hi,
> My institution generated our server certificate by GlobalSign, but we
> received a server certificate signed by an intermediate issuer. We
> received the server, intermediate and root certificate files.
>
> I created a bundle with intermediate and root certificates, in this order.
> I configured the /etc/freeradius/mods-enabled/eap as below:
> private_key_file = <path for server private key that I created>
> certificate_file = <new path for server.pem received from GlobalSign>
> ca_file = <path to ca.bundle obtained by cat intermediate.pem >> ca.bundle
> and cat root.pem >> ca.bundle>
>
> I run the freeradius service with no issues, and Android validates the server
> certificate. When I tested the iOS connection the device showed me the
> server certificate as Not Trusted. I verified server certificate
> information and it is correct. If I click on the Trust button on the device
> screen, I can authenticate on Freeradius server with no issues.
>
> Is this behavior right? Doesn't iOS trust a server certificate signed by
> an intermediate chain?
>
> --
> Igor Sousa
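The chain-building case described in the reply (client has the root CA but not the intermediate, so the server sends the intermediate along) can be reproduced offline with openssl. This is an added example, not part of the original thread: the PKI, subjects and file names are constructed, and `client_trusts` is a hypothetical helper that models a client whose only trust anchor is the root. It covers chain validation only, not the per-network trust prompt that a profile removes.

```bash
#!/usr/bin/env bash
# Added example: throwaway PKI built with openssl (root -> intermediate -> server).
# Every subject and file name below is constructed for the demo.

issue() {  # issue <dir> <name> <subject CN> <ext-file> [<issuer name>]
    local d="$1" name="$2" cn="$3" ext="$4" issuer="${5:-}"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null || return 1
    if [ -z "$issuer" ]; then   # no issuer given: self-signed root
        openssl x509 -req -in "$d/$name.csr" -signkey "$d/$name.key" -days 2 \
            -extfile "$ext" -out "$d/$name.pem" 2>/dev/null
    else                        # signed with the named issuer's key
        openssl x509 -req -in "$d/$name.csr" -CA "$d/$issuer.pem" \
            -CAkey "$d/$issuer.key" -CAcreateserial -days 2 \
            -extfile "$ext" -out "$d/$name.pem" 2>/dev/null
    fi
}

make_chain() {  # make_chain <dir>: writes root.pem, intermediate.pem, server.pem
    local d="$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$d/leaf.ext"
    issue "$d" root "Example Root CA" "$d/ca.ext" &&
    issue "$d" intermediate "Example Intermediate CA" "$d/ca.ext" root &&
    issue "$d" server "radius.example.org" "$d/leaf.ext" intermediate
}

# client_trusts <dir> [<extra cert file the server sends with its own cert>]
# The client holds only root.pem as trust anchor; anything passed via
# -untrusted is usable for chain building but is not itself trusted.
client_trusts() {
    local d="$1" sent="${2:-}"
    if [ -n "$sent" ]; then
        openssl verify -CAfile "$d/root.pem" -untrusted "$d/$sent" "$d/server.pem" >/dev/null 2>&1
    else
        openssl verify -CAfile "$d/root.pem" "$d/server.pem" >/dev/null 2>&1
    fi
}

demo() {
    local d; d="$(mktemp -d)" || return 1
    make_chain "$d" || { rm -rf "$d"; return 1; }
    client_trusts "$d" && echo "server cert alone: trusted" || echo "server cert alone: NOT trusted"
    client_trusts "$d" intermediate.pem && echo "server + intermediate: trusted" || echo "server + intermediate: NOT trusted"
    rm -rf "$d"
}
demo
```

Pointing `-CAfile` and `-untrusted` at the real root and intermediate files checks a deployed server certificate the same way.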