Skip to content

Installing Personal and Functional Certificates on iPhone/iPad

Prerequisites

The certificate to be distributed has to be in PKCS12 format (file extension .p12 or .pfx) and must be uploaded to the CA portal under Distribute Certificate Files.

All steps described below must be performed using Apple Safari. Alternative browsers such as Firefox, Chrome, Brave, etc., usually do not work.

Download and install the certificate

Open https://portal.ca.kit.edu/distribute on your iPhone; here is a QR code for that.

If necessary, log in to the CA portal.

Locate the certificate you want to install and click the download button ():

Allow the configuration profile to be downloaded and close the dialog:

You can now close Safari.

Open the Settings app, a new item labeled Profile Downloaded should appear on the home screen:

Open Profile Downloaded:

Why is the profile marked as Not Signed?

After downloading the PKCS12 file, Safari packages it into an empty and unsigned configuration profile. This can therefore be safely ignored in this context. The certificate’s trust status is not affected by this.

Keep tapping Install or Next until the profile is installed. When prompted, enter your device PIN and the password of the PKCS12 file:

Wrong password?

It’s possible that the password you entered isn’t being accepted, even though you’re 100% sure that you entered it correctly:

This happens (similar to some macOS versions) when iOS cannot handle the cryptographic methods used by the PKCS12 file. Find instructions here on how to convert such files with a little technical know-how.

You can view and manage your configuration profiles in the Settings app under GeneralVPN & Device Management:

Setting Up Apple Mail

In the Settings app, go to AppsMail and open Mail Accounts:

Open the entry for your KIT email account:

Click here to open Account Settings, then Advanced:

At the very bottom are the S/MIME settings:

Set Sign to and Encrypt by default to . Select the correct certificate:

Emails sent from Apple Mail should be signed automatically by now:

Multiple installed certificates

If you have multiple certificates installed, it can be difficult to select the correct one:

Tap the information icon to view the validity status:

If you’re still uncertain, take a look at More Details. Here you will find all certificate attributes, such as the serial number, validity period, common name, and email addresses. Make sure the correct certificate has been selected ( to the left of the entry).

Troubleshooting

Unfortunately, there are virtually no ways to effectively identify issues on iOS. The only indication that something is not set up correctly is that emails are silently not signed. A common problem is that the localpart of the email address in the account settings does not match the one in the certificate. Example: beate.beispiel@kit.edu is not the same as Beate.Beispiel@kit.edu. In this case, we recommend to change the email address in the account settings of Apple Mail to one of the email addresses in your certificate.