iPhone Renewal of Self-signed Certificate

I am generally pretty satisfied with Apple products, but Apple is a bit OCD about certificates, especially when they are self-signed. For small servers that only a few people use, there's no reason to spend good money on a real certificate just to encrypt a communication channel, when a self-signed certificate will do the trick. The only issue is that iOS will not trust the certificate until it gets installed, and iOS will only offer the option to install it if the certificate is loaded via Safari. So, that means that iOS mail won't send email via your self-signed-certificate-protected SMTP server until you install that certificate via Safari.

So, let's suppose you already have a sendmail.pem that includes both the certificate and the private key, but it has expired and you want to renew it. The first step is to copy that sendmail.pem to a working directory so that you don't accidentally wipe out the one you have, and then run these openssl commands (as root) on the copy of sendmail.pem (you may need to make adjustments, especially to the path of /etc/pki/tls/openssl.cnf):


# extract the private key from the old combined file
openssl rsa -inform pem -in sendmail.pem -out sendmail.key
# turn the old certificate into a new request, then self-sign it for 10 years;
# SERIAL must be set first to a serial number different from the old certificate's
openssl x509 -x509toreq -in sendmail.pem -signkey sendmail.key -out sendmail.csr
openssl x509 -req -in sendmail.csr -signkey sendmail.key -set_serial $SERIAL -days 3650 -extfile /etc/pki/tls/openssl.cnf -extensions v3_ca -out sendmail.crt
# rebuild the combined file; it holds the private key, so keep it readable by the mail service only
(cat sendmail.key ; echo "" ; cat sendmail.crt) > newsendmail.pem

Now, newsendmail.pem will be good for 10 years (3650 days). You will need to copy it over the old certificate and restart the services that are using it, such as sendmail or postfix. But it still needs to be installed on iOS. On your iOS device, go to Settings / General / Profiles and delete the existing certificate if it is already there; iOS won't update a certificate that is already installed. Then copy newsendmail.pem to a web server directory, one that can be accessed via http or https. This can be a web server that is only reachable internally. Now, on the iOS device, open Safari and browse to the newsendmail.pem file. If you placed it in the root web directory of your 192.168.1.1 server, that would be http://192.168.1.1/newsendmail.pem. Safari will now give you the option of installing the certificate. Follow the prompts and iOS will start trusting and loving that self-signed certificate!
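The combined newsendmail.pem built above carries the private key next to the certificate, and only the certificate part is needed for the Safari install step. The following helper is an added example, not code from the original post: it splits a combined PEM into a key file for the mail service and a certificate-only file for the web directory, refuses to write a publishable file that still contains key material, and, when openssl is available, checks that the certificate is currently valid and actually belongs to the key. All file names are assumptions, and the PEM it demonstrates on is a constructed placeholder rather than a real key or certificate.

```shell
#!/bin/sh
# Added example (not the original post's code): split a combined key+certificate
# PEM such as newsendmail.pem into a private key file for the mail service and a
# certificate-only file that is safe to place in a web directory for iOS.
# All file names below are assumptions.

# pem_section FILE LABEL: print every "-----BEGIN LABEL-----"..."-----END LABEL-----" block
pem_section() {
    awk -v label="$2" '
        $0 == ("-----BEGIN " label "-----") { inside = 1 }
        inside { print }
        $0 == ("-----END " label "-----")   { inside = 0 }
    ' "$1"
}

# contains_private_key FILE: exit 0 if any private key block is present
contains_private_key() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# split_pem COMBINED KEYOUT CRTOUT: write key and certificate to separate files
split_pem() {
    combined=$1; keyout=$2; crtout=$3
    # PKCS#1 ("RSA PRIVATE KEY") and PKCS#8 ("PRIVATE KEY") headers both count as keys;
    # the key file is created under a restrictive umask so it is never world-readable
    ( umask 077
      { pem_section "$combined" "RSA PRIVATE KEY"
        pem_section "$combined" "PRIVATE KEY"; } > "$keyout" )
    pem_section "$combined" "CERTIFICATE" > "$crtout"
    [ -s "$keyout" ] || { echo "no private key found in $combined" >&2; return 1; }
    [ -s "$crtout" ] || { echo "no certificate found in $combined" >&2; return 1; }
    # the publishable file must never carry key material
    if contains_private_key "$crtout"; then
        echo "refusing to publish $crtout: it contains a private key" >&2
        rm -f "$crtout"
        return 1
    fi
    chmod 600 "$keyout"
    chmod 644 "$crtout"
}

# check_cert CRT KEY: with openssl available, confirm the certificate is currently
# valid and belongs to the key, then print its serial and expiry for the record
check_cert() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping checks" >&2; return 0; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null || { echo "certificate is expired" >&2; return 1; }
    certpub=$(openssl x509 -in "$1" -noout -pubkey)
    keypub=$(openssl pkey -in "$2" -pubout)
    [ "$certpub" = "$keypub" ] || { echo "certificate does not match private key" >&2; return 1; }
    openssl x509 -in "$1" -noout -serial -enddate
}

# Demo on a constructed PEM (placeholder contents, not a real key or certificate)
demo_dir=$(mktemp -d)
printf '%s\n' \
    '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDERKEY' '-----END RSA PRIVATE KEY-----' '' \
    '-----BEGIN CERTIFICATE-----' 'PLACEHOLDERCERT' '-----END CERTIFICATE-----' \
    > "$demo_dir/newsendmail.pem"
split_pem "$demo_dir/newsendmail.pem" "$demo_dir/sendmail.key" "$demo_dir/public.crt"
echo "publish only this file:"; cat "$demo_dir/public.crt"
# on the real files from the renewal above: check_cert sendmail.crt sendmail.key
```

Serve the certificate-only file from the web directory and keep the combined file (or the split key file) readable by the mail service alone; check_cert is meant for the real sendmail.crt and sendmail.key, since the placeholder PEM in the demo is not parseable by openssl.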