iOS doesn't trust server certificate signed by intermediate issuer

Igor Sousa igorvolt at gmail.com
Thu Dec 3 23:14:44 CET 2020


DeKok and Buxey, thanks for your help.

DeKok, I was thinking this is a default behavior, but I didn't get the
reason. Your explanation elucidates my issue. After I sent my question to
the Freeradius list, I tested it on Windows and its behavior has been like
iOS. Thanks again for your help.

--
Igor Sousa


On Thu, Dec 3, 2020 at 18:42, Alan Buxey <alan.buxey at gmail.com>
wrote:

> Hi
>
> So long as iOS has the CA and intermediate then it can trust your server
> cert. If it doesn't have the intermediate but has the root CA, then you
> can send the intermediate along with the server cert.
>
> However, for trust, you need to ensure that iOS knows to trust that
> server. Hence it asks you about things... fingerprint etc.
>
> To avoid this, and best practice, is to configure the iOS device with a
> network profile. Usually done with e.g. MDM software.
>
>
> alan
>
> On Thu, 3 Dec 2020, 21:02 Igor Sousa, <igorvolt at gmail.com> wrote:
>
> > Hi,
> > My institution generated our server certificate by GlobalSign, but we
> > received a server certificate signed by an intermediate issuer. We
> > received the server, intermediate and root certificate files.
> >
> > I created a bundle with intermediate and root certificates, in this order.
> > I configured the /etc/freeradius/mods-enabled/eap as below:
> > private_key_file = <path for server private key that I created>
> > certificate_file = <new path for server.pem received from GlobalSign>
> > ca_file = <path to ca.bundle obtained by cat intermediate.pem >> ca.bundle
> > and cat root.pem >> ca.bundle>
> >
> > I run the freeradius service with no issues, and Android validates the
> > server certificate. When I tested the iOS connection the device showed me
> > the server certificate as Not Trusted. I verified the server certificate
> > information and it is correct. If I click on the Trust button on the
> > device screen, I can authenticate on the Freeradius server with no issues.
> >
> > Is this behavior right? Doesn't iOS trust a server certificate signed by
> > an intermediate chain?
> >
> > --
> > Igor Sousa
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html


More information about the Freeradius-Users mailing list
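
The point in the quoted reply about sending the intermediate along with the server certificate can be checked offline. This is an added example, not part of the thread and not FreeRADIUS code: it builds a constructed root, intermediate and server certificate (all names and file names are made up) and assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Constructed three-tier PKI (root -> intermediate -> server). Every name and
# file here is made up for the example; nothing comes from the thread.
make_pki() (   # $1 = empty working directory
  cd "$1" || exit 1
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF
  new_key() { openssl req -newkey rsa:2048 -nodes -config pki.cnf \
      -subj "/CN=$1" -keyout "$2.key" -out "$2.csr" 2>/dev/null; }
  sign() { openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
      -CAcreateserial -extfile pki.cnf -extensions "$3" -days 2 \
      -out "$1.pem" 2>/dev/null; }
  openssl req -x509 -newkey rsa:2048 -nodes -config pki.cnf -extensions v3_ca \
      -subj "/CN=Constructed Root CA" -keyout root.key -out root.pem \
      -days 2 2>/dev/null &&
  new_key "Constructed Intermediate CA" intermediate &&
  sign intermediate root v3_ca &&
  new_key "radius.example.test" server &&
  sign server intermediate v3_leaf
)

# Supplicant holds only the root; server presents only its own certificate.
verify_leaf_only() {
  openssl verify -CAfile "$1/root.pem" "$1/server.pem" >/dev/null 2>&1
}

# Same trust store, but the server also sends the intermediate (-untrusted
# marks it as chain-building material, not as a trust anchor).
verify_with_intermediate() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/intermediate.pem" \
      "$1/server.pem" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d) && make_pki "$d" || return 1
  verify_leaf_only "$d" && echo "leaf only: OK" || echo "leaf only: FAIL"
  verify_with_intermediate "$d" && echo "leaf + intermediate: OK" \
      || echo "leaf + intermediate: FAIL"
  rm -rf "$d"
}
demo
```

A passing second check only shows that the chain builds to the root; as the quoted reply says, the device still has to be told to trust that server, which is what the network profile does.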