ElectricBrain | IOS 13 Certificates (Solved)

IOS 13.1.3 Cannot Verify Server Identity (Solved)

With the 13.1.2 IOS update (which automatically installed overnight) all email stopped working on my phone.

The cause was:
Requirements for trusted certificates in iOS 13 and macOS 10.15

Easy, I'll just generate a new self signed certificate using trusty old openssl. Well.... days later and many certificate iterations later, it started working. If wasn't for a good friend who sent me a photo of his screen pointing out a Google Gmail error message it would've been even more days lost.

So to cut a long story short, here's my recipe for cooking up a good certificate for your email server. Exim is used here along with Cyrus imap.

Here's a message found in the exim logs that correspond to the inbound Gmail failure:
google gmail error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter

After a lot of Binging, it turned out that this was "booringssl error 47" otherwise known as an invalid use of the certificate because the digitalSignature bit in the OID wasn't set. Along the way another site pointed out that back when IOS 10 was released the use of basicConstraints = CA:true became mandatory to get the newly loaded "profile" to appear in the certs trust screen.

Here is a shell script that does the magic. The non v3 fields have no effect as far as I can tell (i.e. they don't work as per all those pages you've been reading - which is why you're here right?)

#!/bin/bash

gcOutCert="certificate"

if [ -f "${gcOutCert}.pem" ]; then
    echo "{gcOutCert}.pem exist"
    exit 1
fi

# Create the config file
#
cat << EOFZZZ > config.txt

[req]
prompt             = no
req_extensions     = req_ext
x509_extensions    = v3_req
distinguished_name = dn

[dn]
C=AU
ST=Victoria
L=Bentleigh East
O=Electric Brain
OU=Security
emailAddress=admin@electricbrain.com.au
CN=mail.electricbrain.com.au

[req_ext]
subjectAltName=@alt_names

[v3_req]
basicConstraints = CA:true
keyUsage         =
 keyEncipherment,
 dataEncipherment,
 digitalSignature
extendedKeyUsage = critical,serverAuth,clientAuth
subjectAltName   = @alt_names

[alt_names]
DNS.1=mail.electricbrain.com.au
EOFZZZ

openssl req \
  -newkey rsa:4096 \
  -nodes \
  -sha256 \
  -x509 \
  -days   824 \
  -out    "${gcOutCert}.pem" \
  -keyout "${gcOutCert}.key.pem" \
  -config <(cat config.txt)

if [ -f "${gcOutCert}.pem" ]
then
  openssl x509 -text -noout -in "${gcOutCert}.pem"
fi