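A question about trusting a certificate authority on iOS

The following script is used to generate a certificate authority and issue SSL certificates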

#!/usr/bin/env bash

openssl genrsa -out rootCA.key 4096
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 820 -out rootCA.pem

echo "" > ./v3.ext

echo "authorityKeyIdentifier=keyid,issuer" >> ./v3.ext
echo "basicConstraints=CA:FALSE" >> ./v3.ext
echo "keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment" >> ./v3.ext
echo "subjectAltName = @alt_names" >> ./v3.ext

echo "[alt_names]" >> ./v3.ext
echo "DNS.1 = %%DOMAIN%%" >> ./v3.ext

if [ -z "$1" ]
then
  echo "Please supply a subdomain to create a certificate for";
  echo "e.g. www.mysite.com"
  exit 1;
fi

if [ ! -f rootCA.pem ]; then
  echo 'Please run "create_root_cert_and_key.sh" first, and try again!'
  exit 1;
fi
if [ ! -f v3.ext ]; then
  echo 'Please download the "v3.ext" file and try again!'
  exit 1;
fi

# Create a new private key if one doesn't exist, or use the existing one if it does
if [ -f device.key ]; then
  KEY_OPT="-key"
else
  KEY_OPT="-keyout"
fi

DOMAIN=$1
COMMON_NAME=${2:-*.$1}
SUBJECT="/C=CA/ST=None/L=NB/O=None/CN=$COMMON_NAME"
NUM_OF_DAYS=820
openssl req -new -newkey rsa:4096 -sha256 -nodes $KEY_OPT device.key -subj "$SUBJECT" -out device.csr
cat v3.ext | sed s/%%DOMAIN%%/"$COMMON_NAME"/g > /tmp/__v3.ext
openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days $NUM_OF_DAYS -sha256 -extfile /tmp/__v3.ext

# move output files to final filenames
mv device.csr "$DOMAIN.csr"
cp device.crt "$DOMAIN.crt"

# remove temp file
rm -f device.crt;

echo
echo "###########################################################################"
echo Done!
echo "###########################################################################"
echo "To use these files on your server, simply copy both $DOMAIN.crt and"
echo "device.key to your webserver, and use like so (if Apache, for example)"
echo
echo "    SSLCertificateFile    /path_to_your_files/$DOMAIN.crt"
echo "    SSLCertificateKeyFile /path_to_your_files/device.key"

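After importing the root certificate, macOS recognizes the certificate as secure right away and connects, but iOS does not seem to trust it by default.
Is there a solution? Or is it that iOS does not allow changing the trust mechanism for this kind of certificate authority?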

macOS - Chrome
[screenshot]

iOS - Safari
[screenshot]
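An added example, not part of the original thread: a shell function that lints the `openssl x509 -noout -text` dump of a server certificate against Apple's published requirements for trusted certificates in iOS 13 (serverAuth in extendedKeyUsage, a DNS name in subjectAltName, validity of 825 days or fewer, RSA key of at least 2048 bits, SHA-2 signature). The names `check_ios_tls_cert` and `sample_dump` are constructed for illustration; the sample models a leaf signed with the `v3.ext` written by the script above, which sets no `extendedKeyUsage`.

```shell
# Added example: lint an "openssl x509 -noout -text" dump read from stdin.
# Usage: openssl x509 -in www.mysite.com.crt -noout -text | check_ios_tls_cert
check_ios_tls_cert() {
  awk '
    function days(y, m, d) {   # day number on the civil calendar
      if (m <= 2) { y--; m += 12 }
      return 365*y + int(y/4) - int(y/100) + int(y/400) + int((153*(m-3)+2)/5) + d
    }
    function parse(s,   f) {   # "Jun 20 20:00:00 2020 GMT" -> day number
      split(s, f, " ")
      return days(f[4], (index("JanFebMarAprMayJunJulAugSepOctNovDec", f[1]) + 2) / 3, f[2])
    }
    /Not Before *:/ { sub(/.*Not Before *: */, ""); nb = parse($0) }
    /Not After *:/  { sub(/.*Not After *: */, "");  na = parse($0) }
    /Public Key Algorithm: rsaEncryption/ { rsa = 1 }
    /Public-Key: \(/ { bits = $0; gsub(/[^0-9]/, "", bits) }
    /Signature Algorithm:/ { sig = tolower($NF) }
    /X509v3 Extended Key Usage/ { in_eku = 1; next }
    /X509v3 Subject Alternative Name/ { in_san = 1; next }
    in_eku { if ($0 ~ /TLS Web Server Authentication/) eku = 1; in_eku = 0 }
    in_san { if ($0 ~ /DNS:/) san = 1; in_san = 0 }
    END {
      if (!eku) { print "FAIL: extendedKeyUsage lacks serverAuth"; bad = 1 }
      if (!san) { print "FAIL: no DNS name in subjectAltName"; bad = 1 }
      if (na - nb > 825) { print "FAIL: validity exceeds 825 days"; bad = 1 }
      if (rsa && bits + 0 < 2048) { print "FAIL: RSA key under 2048 bits"; bad = 1 }
      if (sig ~ /sha1|md5/) { print "FAIL: signature is not SHA-2"; bad = 1 }
      if (!bad) print "OK: meets the checked requirements"
      exit bad + 0
    }'
}

# Constructed, abbreviated sample: the dump fields this check reads, as they
# would appear for a leaf issued with the v3.ext from the post (820 days, no EKU).
sample_dump() {
  printf '%s\n' \
    '    Signature Algorithm: sha256WithRSAEncryption' \
    '            Not Before: Jun 20 20:00:00 2020 GMT' \
    '            Not After : Sep 18 20:00:00 2022 GMT' \
    '            Public Key Algorithm: rsaEncryption' \
    '                Public-Key: (4096 bit)' \
    '            X509v3 Subject Alternative Name: ' \
    '                DNS:*.www.mysite.com'
}

sample_dump | check_ios_tls_cert || true   # reports the missing serverAuth EKU
```

Adding the line `extendedKeyUsage = serverAuth` to `v3.ext` and re-issuing the certificate makes this check pass. The thread does not establish whether this was the cause on the poster's device.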

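What's also strange is that after sending this certificate to iOS, I can't see it in the general trust settings; I can only install the profile.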

Settings - General - About - Certificate Trust Settings (at the very bottom) - turn on Enable Full Trust

The certificate just doesn't show up there.

You can try adding it manually.

I installed the profile too, but I can't see the certificate in the certificate list.

SecTrustStoreSetTrustSettings
No need to thank me.

Whoa, that's a great approach!