105

I have a self-signed certificate at the endpoint of my API. I'm trying to test some things using the simulator but am getting "untrusted server certificate".

I have tried to use safari on the simulator to download the .crt file, but that doesn't seem to work.

Where does iPhone Simulator get its keychain from? How can I add a trusted certificate so my application will work?

I got it to work by creating a CA and then adding a CA certificate using the iPhone provisioning tool. Then I was able to have a certificate signed by that CA certificate on the API server and the NSConnection just worked. I was not able to get it to work using a self-signed certificate for some reason. I need to re-attempt this using the provisioning software.

My real question is how do I get this to work on the simulator? I would think that the simulator uses the keychain of the actual computer.

pkamb
  • 33,281
  • 23
  • 160
  • 191
jr.
  • 4,503
  • 7
  • 44
  • 62
  • 1
    I recently hit this with a host trusted by a CA certificate that was imported into the login keychain on the development Mac. (That is, my local Safari trusts the site, but not the simulator.) I was surprised it didn't work with the simulator. How does one use the iPhone provisioning tool to manipulate the trusted certificates on the simulator? – mpontillo May 10 '12 at 07:25

11 Answers11

123

Simply drag & drop your .cer Files into your running Simulator window. You'll see Safari flashing and then the import dialog for your Certificate (or Certificate Authority)...

Working for iOS 7 Simulator (and i Think did work for iOS 6 too).

pkamb
  • 33,281
  • 23
  • 160
  • 191
seafoxx
  • 1,731
  • 1
  • 13
  • 17
  • 3
    Dragging and dropping works fine for the iOS 7 simulator sure enough. I can verify that it does NOT work on the iOS 6.0/6.1 simulators. – John Bowers Mar 06 '14 at 07:52
  • 2
    is it me or since I've ugraded to Xcode 6, this drag & drop thing now only works on the iOS 8 version of simulator. Tried iPhone 5s iOS 7 and iOS 7.1 simulator, nothing happens when I drag the certificate onto the simulator window. And now I am stuck and cannot test my app in anything but iOS 8. – Fred Sep 19 '14 at 16:35
  • 3
    Figured out a workaround for iOS 7 & 7.1: put you .cer file on a reachable web server, (adding the application/x-x509-ca-cert mime type if it needs it) and use Safari on the simulator to download the certificate from the web server. It will then ask you to install it like if you've dragged and dropped it. – Fred Sep 19 '14 at 17:32
  • seems that this trick always only works with the latest iOS version. But maybe - if no "real" web server is available you can try the drag&drop trick by opening the safari app in whatever iOS version you are currently running and then just do the drag&drop into the safari window. At least worth a try. – seafoxx Sep 21 '14 at 22:01
  • Which files are .cer files? I have three files: `private.key`, `certificate_request.csr`, and `certificate.crt`. ... Never mind. I just used my `certificate.crt` file, and that seemed to work. :-) – ma11hew28 Oct 27 '15 at 18:12
  • The referenced ".cer"-file equals to your certificate.crt as this is the (probably signed) final certificate (or CA/Sub-CA) you want to trust. In my case it's a Base64 encoded (aka PEM) certificate. I did not try out other types (DER or PKCS12) but they might work also if iOS supports them (.p12 is supported for importing your own certificate + private key for signing purposes, e.g. S/MIME mail signing). – seafoxx Oct 28 '15 at 05:33
  • 3
    You are a god my friend – CommaToast Dec 02 '15 at 19:11
  • 1
    you're the man! I knew there had to be a fast way of doing this. – pqsk Jan 05 '16 at 21:24
  • 1
    Just a quick note: Works with .pem and other recognized types of certificate, too. What happens is that the Simulator opens a browser window to open the dragged file so it should work for all sorts of transfers from Mac to Simulator. – YetiCGN Sep 30 '16 at 10:31
  • To be extra clear, drag the .cer file from Finder and into the simulator. Dragging from Keychain Access will not work. – Alex Grande Jan 26 '17 at 18:42
  • This method DID not work for me correctly - works for Safari but did not fix any issue with Google Street View – Jeef Sep 08 '17 at 16:35
  • how to get .cer files? Where I can find .cer files? – IKKA Nov 20 '19 at 11:01
  • @IKKA please see my comment from 2015-10-28. ".cer" is a commonly used file extension for DER-encoded certificate files. but Base64-encoded files (typicalle .pem, sometimes .crt) wil work fine too. Assumption: the certificate you want to import into the simulator (that's why you are on this thread) is your .cer or .pem file. – seafoxx Nov 20 '19 at 11:27
  • which is the file export from my keychain access? Could you please mention exact file name? – IKKA Nov 20 '19 at 11:43
  • When doing this for a sub CA I get *One or more parameters passed to a function were not valid*. What does that mean? – testing Nov 23 '22 at 07:41
  • Just did this to a simulator running iOS 15 (dragged a root CA PEM onto it) and it showed only the + indicator on drag. On dropping, nothing visible happened (Safari icon did not react). But going into the similator's Settings/General/About/Certificate Trust Settings showed the cert present and activated. My app now gets "[connection] nw_socket_handle_socket_event [C1.1:3] Socket SO_ERROR [61: Connection refused]," but that may be something else. – Oscar Aug 31 '23 at 21:08
49

For those who find that the dragging and dropping of the certificate on the Simulator isn't working, there was a recent change that adds an extra step.

The Simulator must be explicitly told to trust the root CA. Do this by going to:

iOS Settings > General > About > Certificate Trust Settings > "Enable Full Trust for Root Certificate" for your particular certificate

See the full answer here:

pkamb
  • 33,281
  • 23
  • 160
  • 191
Gautham C.
  • 1,135
  • 11
  • 12
  • 17
    The "Enable Full Trust for Root Certificate" option is not there whatsoever on my simulator running ios 10.3 – Jesus Rodriguez Jul 07 '17 at 23:41
  • 1
    Did you ever resolve this issue -- the root certificate not being listed under `Certificate Trust Settings`? My profile is added and includes a certificate -- this was *just* working less than a month ago. Reset my simulator caches, now the certificate is added but no option to fully trust it. – chrisp Aug 30 '17 at 22:52
  • 3
    In my case, the option to "Enable Full Trust for Root Certificate" appears only for root certificates. It does not appear for intermediate or leaf certificates. – John Girata Sep 07 '17 at 00:30
  • 2
    I also found that the certificate must have the CA basic constraint option set to true: `basicConstraints = CA:TRUE` when generating the cert using openssl. Otherwise it won't show up to be trusted. – sandinmyjoints Mar 08 '18 at 19:50
  • I can't even get the file:///path_to_cert to load when dragging. the progress bar never completes in safari, and I'm never prompted to install the cert. Version 10.1 (SimulatorApp-877 CoreSimulator-581.2) – FlavorScape Dec 14 '18 at 00:15
  • Doesn't work for iOS simulator, iOS 12. Seems to be working for a device I use however. – Jonny Dec 27 '18 at 09:59
  • 4
    It appears that on 12.2 (probably earlier versions as well) the procedure is now to go to general > profiles, select the cert, and hit install in the upper right – MaxPRafferty Jun 27 '19 at 18:24
  • I followed the full post instructions, it worked on iOS 13 for me. – Milan Manwar Jan 01 '20 at 06:20
24

I had this same issue for months and today I FINALLY solved it with:

ADVTrustStore

You are going to want to use a project called ADVTrustStore from github. It does some fancy magic but it will correctly install certificates into your root trust-store on the simulator.

Steps to install a custom cert

# Clone the repo
git clone https://github.com/ADVTOOLS/ADVTrustStore.git

# Enter the repo directory
cd ADVTrustStore/

# Copy your .crt file 
cp somewhere/something.crt my.crt

# conver to a .pem file
openssl x509 -in my.crt -out my.pem -outform PEM

# Install the pem in the simulators
./iosCertTrustManager.py -a my.pem

Using this process I was able to get GoogleStreetView images to render correctly while behind a corporate firewall using SSL resigning with self-signed certificates

Background

I was using CharlesProxy and i noticed it was correctly installing certificates into the Simulator but they did not show up in the Settings - Profiles section. Then after some searching I discovered this tool. There are probably a few other tools out there but in my case the drag-and-drop never worked correctly for all cases. Safari would be fine but not my applications.

Jeef
  • 26,861
  • 21
  • 78
  • 156
  • 3
    TIP: restart simulator to get the new certificate installed. – Kiko Seijo Feb 01 '18 at 00:30
  • 1
    This did the trick for me with Xcode 10.1 and iPhone 5s 12.1 simulator. You just have to make sure you tell the script to install the certificate in the right simulator. If you are using this in conjunction with badssl.test (i.e. badssl running locally in docker), you will need to hack the .pem to remove everything except the actual certificate. – Andrew Ebling Feb 08 '19 at 09:44
  • this saved my life. there is almost no community support for installing self signed certs into ios. thank you! – lsimonetti Apr 10 '19 at 17:56
  • I confirm it works in Simulator 10.3 for iPhone X with iOS 12.4. – Sergei Basharov Sep 09 '19 at 13:22
14

For anyone use OS X Catalina, please check this : https://forums.developer.apple.com/thread/124056.

Catalina is currently blocking access to Desktop, Documents and Downloads folder. I moved certificate files to Shared folder and drag and drop the files to simulator from there.

KnightCavalry
  • 377
  • 1
  • 6
  • 17
9

Take a look at the shell script Charles uses to install their self signed cert into the simulator's keychain. http://www.charlesproxy.com/documentation/faqs/ssl-connections-from-within-iphone-applications/

See also:

It looks like installing your own certificate in the simulator may require installing it on a device via Safari and then copying the resulting row from the device's TrustStore.sqlite3 into the simulator's.

Community
  • 1
  • 1
Jonah
  • 17,918
  • 1
  • 43
  • 70
  • @nailer answer updated with some more references, as far as I know the format of those blobs in TrustStore.sqlite3 is opaque (and potentially subject to change) so the approach others have taken seems to be to install the cert on a device via Safari and copying the resulting TrustStore row into their simulator. – Jonah Sep 19 '12 at 18:48
6

Dragging and drop used to work but it didn't work on XCode 12 for me. What worked for me was opening Safari browser on Simulator and then typing the file URL for the .crt certificate file. Ex.

file:///Users/[folder_path]/[certificate.crt]

After that you have to goto Simulator Settings and install the certificate by navigating into General > Profiles section.

Tharindu Madushanka
  • 3,241
  • 7
  • 31
  • 33
4

For IOS14, after the dragging, you need go to:

General -> Profile -> select you profile -> install

and then:

General -> About -> Certificate Trust Settings -> "Enable Full Trust for Root Certificate" for your particular certificate

see also https://developer.apple.com/library/archive/qa/qa1948/_index.html

Fangxing
  • 5,716
  • 2
  • 49
  • 53
3

Using iPhone Backup Extractor, I copied my iPhone's TrustStore.sqlite3 into ~/Library/Application Support/iPhone Simulator/6.0/Library/Keychains, overwriting the existing file. I tried to only insert a single row with the following sqlite, but I couldn't get it working.

sqlite3 ~/backup/iOS\ Files/TrustStore.sqlite3
sqlite3>.mode insert
sqlite3>.output working.sql
sqlite3>select * from tsettings;
sqlite3>.quit

Now, working.sql has the entire contents of the tsettings table (in my case, 1 row).

sqlite3 ~/Library/Application\ Support/iPhone\ Simulator/6.0/Library/Keychains/TrustStore.sqlite3
sqlite3>INSERT INTO tsettings VALUES(X'...
sqlite3>.quit

Again, the above sqlite commands didn't work for me, but might be a good starting point for someone else. Copying the entire TrustStore.sqlite3 from the backup into the simulator worked just fine.

Heath Borders
  • 30,998
  • 16
  • 147
  • 256
1

Take a look at the iostrust Ruby gem: http://github.com/yageek/iostrust

yageek
  • 4,115
  • 3
  • 30
  • 48
1

When I started I couldn't get "Enable Full Trust for Root Certificate" to show up. I was using the certs I generated for nginx with openssl.

What worked was exporting the development cert from Keychain Access and downloading that with Safari in the simulator. Then the "Enable Full Trust for Root Certificate" showed up and I was able to get my application working.

Also, like people above have said dragging and dropping the cert on to the simulator doesn't work anymore. You can download the cert with Safari.

matt.mercieca
  • 853
  • 1
  • 6
  • 13
0

Complete instructions (tested on Xcode simulator Version 14.3.1, iOS 16.4):

  1. Open the Keychain app on your physical device and dive into certificates tab;

  2. Export your mkcert certificate;

  3. Open Safari browser on your simulated device and download the cert via file://{FullPathToCert} (e.g. file:///Users/username/cert.cer);

  4. Certificate file will be downloaded as a profile, but will not be installed. Go to iOS Settings -> General -> Device Management and select your configuration profile;

  5. Click on the Install button several times (Installed profile should be marked green as Verified);

  6. Go to the Settings -> General -> About -> Certificate Trust Settings and enable full trust for the certificate.

Additional notes:

  • For some reason, drag and drop the original certificate (as well as exported one) doesn't work for me, so I have to download file manually.
  • Profiles for the original certificates didn't work as well, so use the exported certificate.
  • There is no need in reloading your simulated device or restart the simulator, you will have full access immediately after enabling full trust for your uploaded certificate.
Scilef
  • 90
  • 9