I’m just setting up a new UCS domain. I know it includes a CA to generate certificates for the whole domain. But these certificates are marked as not trusted by macOS or iOS. I think this is because they don’t match Apple’s requirements: https://support.apple.com/en-gb/HT210176
How can I create a CA and certificates that match the requirements and so are marked as trusted? Deploying the UCS root certificate to the devices isn’t enough in Apple’s eyes.
Have a look at the letsencrypt app.
That will not help. I am trying to tell the UCS CA to issue trusted and valid certificates. Let’s Encrypt is very nice for certificates of publicly accessed web services.
I found it’s enough to reduce the max days to 825. All other parameters do match. It is marked as valid after deploying the root certificate to the clients.
Great that you found a solution yourself. If possible, please share how you were able to change that setting.
For those still wondering, here is what you will have to do:
- Set the UCR variable:
  ucr set ssl/default/days='824'
- Proceed with this: Renewing the SSL certificates
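To see which requirement a renewed certificate still misses, a check like the following can be run against it. This is an added example, not part of the original posts or of UCS; the function names and the certificate path are assumptions, and it needs openssl and GNU date. The 825-day limit is the one discussed in the thread; the remaining checks are the other requirements listed in the linked Apple article.

```shell
#!/bin/sh
# Added example (not from the thread): check a PEM server certificate against
# the requirements in Apple's HT210176. Needs openssl and GNU date.

# Print the validity period (notAfter - notBefore) in whole days.
cert_validity_days() {
    start=$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)
    end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    echo $(( ($(date -u -d "$end" +%s) - $(date -u -d "$start" +%s)) / 86400 ))
}

# Print one FAIL line per unmet requirement; return 0 only if all are met.
check_apple_cert() {
    rc=0
    text=$(openssl x509 -in "$1" -noout -text)
    has() { printf '%s\n' "$text" | grep -Eiq "$1"; }

    days=$(cert_validity_days "$1")
    [ "$days" -le 825 ] || { echo "FAIL validity: $days days (max 825)"; rc=1; }

    # The key size rule applies to RSA keys only.
    if has 'Public Key Algorithm: rsaEncryption'; then
        bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
        [ "${bits:-0}" -ge 2048 ] || { echo "FAIL key size: ${bits:-?} bit RSA (min 2048)"; rc=1; }
    fi

    has 'Signature Algorithm: .*sha(224|256|384|512)' ||
        { echo "FAIL signature: not a SHA-2 hash"; rc=1; }

    # The host name must be in the SAN extension; the CN alone is not trusted.
    printf '%s\n' "$text" | grep -A1 'X509v3 Subject Alternative Name' | grep -q 'DNS:' ||
        { echo "FAIL subjectAltName: no DNS entry"; rc=1; }

    has 'TLS Web Server Authentication' ||
        { echo "FAIL extendedKeyUsage: serverAuth missing"; rc=1; }

    return $rc
}

# Usage: sh check_apple_cert.sh /path/to/cert.pem   (path is a placeholder)
if [ $# -gt 0 ]; then check_apple_cert "$1"; fi
```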
Does a clean UCS 5.0-9 install bring all necessary settings to create valid certificates for Apple devices?
I changed ucr set ssl/default/days='824'
on a system patched from UCS 4.4-x to latest and had no luck trying the above setting. My Apple devices still do not trust the renewed certificates. Thanks for any help on this topic!
Did you deploy the root certificate to your Macs and iPhones?
Hi, yes I did this. No luck. Thanks for your response.
How did you do that? I think it depends. I did it with JAMF; another MDM should work too. I guess deploying by hand isn’t trustworthy enough. Apple is very picky in this.
Maybe this is an issue.