Accessing Apple Root Certificate on iOS

I found the following code: which downloads the root certificate ("Apple Root CA") on macOS

and I am trying to get it to work with iOS as well.

Our code is written in C ++ and uses OpenSSL to validate the remote peer when using SSL sockets.

On other platforms, we download the root certificate and add it to the context using X509_STORE_add_cert .

Then we use SSL_get_peer_certificate and check the hostname. These are NOT self-signed certificates, so we want to use the device root certificate.

My question is how to get the root certificate on iOS devices?


I tried the following request but I keep getting -25300 (errSecItemNotFound).

NSDictionary* query=[NSDictionary dictionaryWithObjectsAndKeys:
                     (__bridge id)kSecClassCertificate,kSecClass,
SecItemCopyMatching((__bridge CFDictionaryRef)query,&ref);



source to share

3 answers

You will need something along these lines:

  • Find certificates using SecItemCopyMatching()

    with kSecMatchTrustedOnly

    installed on kCFBooleanTrue

    . Remember that there will be many certificates , not just one.
  • Then export them to DER format with SecCertificateCopyData()

  • Import them into OpenSSL
  • Profit

Alternatively, you can go the other way:

  • Converting a certificate to DER with OpenSSL
  • Build SecCertificateRef


  • Build SecPolicyRef


  • Build SecTrustRef


  • Rate with SecTrustEvaluate()

  • Profit

Or, of course, you can also manage your SSL connection with NSURLConnection

or with CFNetwork

(available directly in C ++) and the system will do everything for you automatically. Whenever possible, I recommend against using OpenSSL for iOS, because it creates a lot of complexity. But the above should help you get the bridge down if you need to.



There are several ways to distribute certificates. Using email - send the certificate as an attachment by clicking on it, the installation process will begin. Or using a browser - go to Safari to the page where your certificate is located, download and install it. You can also use configuration profiles to simplify deployment.

For more on this in iPad in Business , scroll down to the section Distributing and Installing Certificates


EDIT : looking for a certificate

To find a keychain item, you can use SecItemCopyMatching by providing kSecClassCertificate

and kSecAttrLabel

. Checkout Search for a certificate in the keychain in Certificate, Key and Trusted Services Tasks for iOS



If the keychain solution doesn't work, another solution is to download the "Apple Inc. Root Certificate" from Apple at and save it locally in your application. This approach is suggested in this check check article and validation check solutions such as RMStore at .



All Articles