If your iPhone or iPad suddenly starts displaying warnings about insecure connections, SSL errors, or untrusted certificates, it's normal to feel a little panicked: you can't access websites, your email is failing, and some apps won't even load. Don't worry: the vast majority of these problems can be fixed on your device or by properly configuring the server; and if you suspect an attack, check out our guide on identity theft on iOS.
In this complete guide you will see how certificates work in iOS and iPadOS, how to update them, how to detect the most common security errors, and what steps to take, whether the problem is with your device or the server (web, email, VPN, etc.). We'll go from the basics to the most advanced tricks, so you can browse and use your apps safely again.
What is a digital certificate and how does your iPhone or iPad use it?
A digital certificate, also called a public key certificate or X.509 certificate, is a file that serves to securely identify a server, a person or even an app, and that allows you to encrypt the communication between your device and that destination.
When you visit a website with HTTPS or connect to a secure service, Safari and the system itself verify the server's security certificate. They check that it has been issued by a recognized certification authority (CA), that it is not expired or revoked, and that the server name matches the certificate.
During that verification, your iPhone or iPad uses the list of trusted root certificates that comes standard with the system (iOS, iPadOS, macOS, tvOS, visionOS, watchOS). If the certificate presented by the website or service is part of a chain that ends with one of these root certificates, the connection is considered secure and is encrypted with robust algorithms, such as AES up to 256 bits.
Certificates aren't just used for websites; they're also key to encrypting emails (S/MIME), authenticating on corporate Wi-Fi networks (802.1X, EAP-TLS), signing configuration profiles, setting up secure VPNs, or validating the sender's identity in certain apps and services.
When the system detects that the chain of trust cannot be validated (for example, because the CA is not trusted or the certificate is incorrectly issued), iOS displays warnings about invalid or untrusted certificates or SSL connection errors, blocking or quarantining the connection to protect your data.

Types of certificates and identities supported by iOS and iPadOS
In the Apple ecosystem, a very important concept is that of digital identity: the combination of a certificate and its associated private key. The certificate (with its public key) can be distributed without issue, but the private key must always remain protected.
iPhone, iPad, and Mac natively support several file formats for working with certificates and identities. In practical terms, you'll primarily encounter:
- Server or CA certificates: extensions .cer, .crt, .der, usually X.509 certificates with RSA keys or other supported algorithms.
- Personal or client identities: .pfx or .p12 files that contain the certificate plus the private key encrypted with a password.
Identities in PKCS #12 format (.p12, .pfx) are used to authenticate yourself as a user on networks, sign and encrypt S/MIME emails, or access portals that require a personal certificate (for example, e-government portals or corporate banking sites).
Trusted root certificates on Apple devices
All Apple devices include a factory-installed collection of root certificates from different certification authorities, carefully selected and audited. iOS, iPadOS, macOS, and other systems will only automatically trust certificates that are properly chained back to one of these roots.
When the root of the CA that issued the certificate for your website or mail server is not on the trusted list, the system considers that certificate untrusted. This often happens with internal company certificate authorities or self-signed certificates that do not come from a recognized public CA.
For a corporate environment to function well, it is usual to install the root certificate (and the necessary intermediate ones) on the device. This is typically done through a configuration profile distributed by a device management (MDM) service. This profile establishes a "trust anchor" so that other services that depend on that CA can function without warnings.
In multi-tiered public key infrastructures, installing only the root certificate is sometimes not enough; it is often necessary to also add the intermediate certificates so that the chain is validated correctly in Safari, Mail, and the rest of the apps.
The most advisable thing at the administrative level is to group all company certificates in a single profile that can be updated from the MDM without affecting other device profiles or services.
Automatic update of trusted certificates on iPhone and iPad
Apple has stipulated that if a serious security issue is detected with any of the pre-installed root certificates, the devices may update their trust information wirelessly. This update arrives via the Internet, without you having to do anything, and adjusts the list of trusted certificates and their policies.
In managed environments, this automatic update can be controlled with an MDM restriction called, roughly, “Allow automatic updating of trusted certificate settings”. If disabled, the device will stop receiving those changes, both via Wi-Fi and Ethernet (in the case of some Macs).
For a home user or small business, the most sensible thing to do is to keep that automatic update enabled, because it is an extra layer of security that protects you from compromised certificates or CAs that cease to be reliable.
Manually install and activate root certificates on iPhone and iPad
When you manually install a root certificate on your iPhone or iPad using a profile (for example, one provided by your company or a service provider), the system displays a very clear notice indicating that this certificate will be added to the device's trusted list.
After installing the profile, the root certificate is not automatically considered trusted for everything; you must go to Settings > General > About > Certificate Trust Settings and manually activate full trust for that specific root certificate.
This extra step is introduced so that the user is fully aware that they are granting a great deal of power to that certificate, since any website or service that chains to it will be considered trustworthy by the system.
Certificate management in macOS: root, intermediate, and S/MIME
On a Mac, certificate management is somewhat more detailed, because you have the Keychain Access app, where you can view, add and remove root, intermediate and personal certificates, as well as configure their trust levels.
When you install a certificate using a configuration profile on macOS, the user must go to Settings > General > Profiles, select the downloaded profile, review the information, and click "Install." You may be prompted for your administrator username and password to complete the operation.
Intermediate certificates issued by a root CA usually expire before the root certificates themselves. Many organizations use them to ensure browsers trust partner sites, keeping the main root certificate separate. If an intermediate certificate expires, you'll see SSL errors even if the website's certificate appears to be valid.
In Keychain Access, within the System keychain, you can locate expired intermediate certificates and replace or delete them according to your organization's policies.
With S/MIME certificates on a Mac, you have to be careful: if you delete one of those certificates from your keychain, you'll no longer be able to read old emails that were encrypted with it, because you will no longer have the key needed to decrypt them.
Certificate problems with iPhone and iPad Mail
One of the most common cases that users encounter is that, suddenly, the email account on the iPhone or iPad stops working and a warning appears such as "untrusted security certificate" or "server identity cannot be verified".
This is usually due to the annual renewal of the SSL certificate from the mail server (POP, IMAP, or SMTP). When the provider issues a new certificate, email applications (Outlook, Thunderbird, Apple Mail, etc.) usually display a prompt asking you to confirm that you trust the new certificate.
In many desktop apps it's as simple as accepting the new certificate and moving on. The problem is that, in recent versions of iOS and iPadOS, when a previous certificate already existed for that server, sometimes the system doesn't show the button to accept the renewed certificate, or it shows a message but doesn't allow you to fully trust it.
As a result, thousands of iPhone and iPad users are encountering persistent errors in their email, especially when the mail server certificate does not exactly match the server name configured in the account.
Typical solutions to the problem of certificates in email (self-hosted)
If you manage your email on a cPanel-type hosting service (for example, providers that offer free certificates with Let's Encrypt), there are several ways to avoid untrusted certificate warnings on iOS when you use addresses like mail.mydomain.com.
1. Issue a specific SSL certificate for mail.mydomain.com
The cleanest solution is to issue an SSL certificate for the email subdomain (mail.mydomain.com) from the hosting control panel. Almost all plans with Let's Encrypt allow you to do this in just a few clicks.
In a typical panel like cPanel, you would enter the Security > Let's Encrypt™ SSL section and, in the area for issuing new certificates, select your main domain and the relevant subdomains, in particular mail.mydomain.com (and usually also www.mydomain.com).
Sometimes you'll see several entries of this type: domain.com, mail.domain.com, www.domain.com. Simply select the ones you actually use. Some configurations also require selecting a validation type (for example, DNS-01), which means the DNS record must correctly point to the server where the certificate is issued.
Once the SSL certificate for the mail server has been issued, when setting up the account on the iPhone or iPad using mail.mydomain.com as incoming and outgoing server, iOS will see a perfectly valid certificate, with no name mismatches, and the annoying warnings will stop appearing (or, if the warning appears initially, you will have a clear "Trust" option).
2. Delete the account and create it again
If you cannot issue a new and correct certificate, another more aggressive option is to delete the email account from your iPhone or iPad and set it up again from scratch. This forces the system to forget any old certificates associated with that server.
Before doing so, you must ensure two key things: that you have the account password at hand, and whether the account was configured as POP without keeping copies of messages on the server. In that case, you could lose emails that only exist on the device.
If your provider offers IMAP with a server copy, this option is less risky, although it's still a more drastic step than simply issuing a valid SSL certificate for the mail server.
3. Use the server's actual hostname instead of mail.mydomain.com
When the SSL certificate is issued for the provider's internal server name (hostname) and not for your email subdomain, a practical solution is to change the incoming/outgoing server in the iOS account settings from mail.mydomain.com to the real hostname, for example host53.yourprovider.com.
That way, the name of the server you use in the account matches the one shown on the certificate, and the identity error stops occurring. The drawback is that if your provider ever migrates your accounts to a different server with a different hostname, you'll have to manually change the settings on all your devices and accounts.
4. Special case: web domain with one provider and email with another
Some users have the website hosted by one provider and email hosted by another. In these scenarios, Let's Encrypt certificates issued by the email hosting provider may not always include the primary domain if the DNS points elsewhere.
If the primary domain does not point to the email hosting IP address, the attempt to issue a certificate that covers domain.com and mail.domain.com will fail, and you won't be able to automatically have a valid SSL certificate associated with the email subdomain.
One way to solve this is to expressly create a mail.domain.com subdomain in the email hosting cPanel and issue the Let's Encrypt certificate only for that subdomain, excluding the main domain. Since that record does point to the correct IP address, the validation will succeed.
Once this is done, your iPhone will be able to use mail.domain.com as a server with a fully valid certificate, preventing further security warnings when using the Mail app.
SSL 403 errors and personal certificates on iOS
Another very common scenario, especially on official websites, banks or intranets, is the 403 error (access forbidden) when you try to log in with a personal digital certificate on your iPhone or iPad.
The first thing is to check whether you really have a valid personal certificate installed on your device. From iOS 15 onwards, you can go to Settings > General > VPN & Device Management > Configuration Profiles and check if any profiles with your certificate appear.
By selecting the certificate and tapping "More details" you will see information such as the validity date and issuing entity. If the certificate is expired, revoked, damaged, or comes from an incorrect copy (.cer instead of a .p12 with a private key), you will need to import a valid copy.
To verify that everything is working correctly, many entities, such as the FNMT, offer verification pages. By accessing their test tool with Safari and selecting your certificate, you should see a message like this: "Your certificate has just been verified. You possess a valid and unrevoked digital certificate." If this is not the case, something is wrong with the installation or the certificate itself.
Browsers compatible with certificates on iOS
There's an important detail in iOS that many people are unaware of: not all browsers handle personal certificates. Currently, the only supported browser for working with certificates installed on the system is Safari.
Browsers like Google Chrome or Mozilla Firefox on iOS do not use the user certificate store in the same way, so even if you have your certificate correctly installed, they may not be able to use it to identify you to a website.
If you are trying to access a portal that requires a digital certificate, make sure you always do so from Safari and not from other browsers, to avoid unnecessary errors.
Basic steps to force certificate selection and clear errors
When Safari gets "stuck" and the certificate selection window does not reappear, it can help to completely close the browser and clear temporary data.
To close Safari completely, use the app switcher. On devices without a physical button, swipe up from the bottom of the screen and hold for a second to see open apps; on models with a home button, double-click the button. Then, swipe Safari up to close it.
It's also a good idea to clear history and website data from Settings > Safari > Clear History and Website Data. This removes cookies, cache, and other data that might be keeping an incorrect session or certificate selection.
If after doing this you still get the same 403 error or the same certificate warning, you probably need to reinstall the personal certificate: export it from your computer as a .p12 file, email it to yourself or use AirDrop, and reinstall it on your iPhone or iPad following the instructions from the issuing entity.
Common SSL errors on iPhone and iPad: usual causes
Beyond mail and personal certificates, there are a number of generic SSL errors on iOS which can affect browsing, apps like Dropbox or Apple Music, or even third-party services integrated into the system.
These errors appear with messages such as "unable to establish a secure connection," "SSL connection error," or "unable to verify the server's identity." The most frequent causes are:
- Incorrect date and time settings on the device, which make the certificates appear expired or invalid.
- Expired or misconfigured certificates on the server you connect to (web, API, email, etc.).
- Invalid or self-signed certificates issued by CAs not recognized by iOS.
- Outdated iOS version or app, without support for the most modern TLS protocols.
- Corrupted network settings (DNS, proxy, firewall, or security apps that interfere).
In all these cases, there is a series of steps that can be followed to rule out problems on the device side before concluding that the error is exclusively on the server.
Methods to fix SSL connection errors on iOS and iPadOS
If you're experiencing repeated SSL errors on your iPhone or iPad, it's best to follow a logical order of checks. Here are some of the most useful methods, many of them quick, to try to fix the situation from your side:
1. Restart the device
Temporary system failures can cause unusual behavior in certificate validation or in the handling of encrypted connections. Restarting the iPhone or iPad is usually the simplest and most effective test to rule out these problems.
Go to Settings > General and scroll down to the "Shut Down" option. Turn off your device, wait a few seconds, and turn it back on. Then, try accessing the problematic website or app again.
2. Activate and deactivate Airplane mode
Airplane mode is a quick tool to force a restart of network connections (Wi-Fi, mobile data, Bluetooth, etc.). Minor network inconsistencies can eventually manifest as SSL errors, especially if there are occasional DNS problems.
Open Settings, turn on Airplane mode, wait a few seconds and then disable it. This resets the connections and is sometimes enough to get SSL requests working correctly again.
3. Reset network settings
If the problem persists, the next step is to reset all network settings. This deletes saved Wi-Fi networks, carrier settings, VPNs, and custom DNS configurations.
Go to Settings > General > Transfer or Reset iPhone/iPad > Reset and choose "Reset network settings". The device will restart and you'll have to re-enter your Wi-Fi password, but it's a good way to rule out a corrupted setting as the cause of the problem.
4. Check date and time
SSL certificates have a very strict validity period. If your iPhone has the date set too far forward or too far back, it will think the certificate is expired or not yet valid.
Go to Settings > General > Date & Time and turn on the option "Set automatically". Make sure your device has an internet connection to sync properly. Then, close the problematic app and reopen it.
5. Update iOS and apps
An outdated operating system or app may not support the latest versions of TLS or may have bugs that specifically affect certificate verification.
For iOS/iPadOS, go to Settings > General > Software Update and, if there's a new version, tap "Download and install". For apps, go to the App Store > your profile and update any that have new versions available.
6. Close and reopen the app that is giving the error
Sometimes the problem lies exclusively with the app you're using (for example, Dropbox, Apple Music or a banking app), which may have the session or SSL connection handler in an unstable state.
Close it completely from the app switcher (just like we did with Safari) and reopen it. In many cases, the app rebuilds the session and renegotiates SSL connections correctly.
7. Clear Safari cookies and cache
If the error occurs while browsing, it is likely that some cache data or old cookie is interfering with the secure connection.
From Settings > Safari, tap on "Clear history and website data" and confirm. This will clear cookies, cache, and other data. Then, close Safari from the app switcher and try again.
8. Reset all settings
In extreme cases, you may opt to reset all device settings (without deleting your data or apps). This restores most of the system settings to their default values, including many network and security parameters.
Go to Settings > General > Transfer or Reset iPhone/iPad > Reset and choose "Reset all settings". The process will take a few minutes and you'll have to reconfigure some preferences, but it's an option before considering more drastic measures.
9. Change DNS settings
Sometimes, SSL errors are associated with DNS server problems (it doesn't resolve properly, returns incorrect IPs, or is too slow). Switching to known public DNS servers helps rule this out.
In Settings > Wi-Fi, tap the "i" icon for your network and go to "Configure DNS". You can leave it on Automatic to use the router's DNS, or switch to Manual and add servers like 1.1.1.1 (Cloudflare), 8.8.8.8 and 8.8.4.4 (Google) or 208.67.222.222 and 208.67.220.220 (OpenDNS).
10. Activate location services if the website/app requires it
Some apps and websites use the device location as part of their security measures. If you have location services completely disabled, certain authentication flows may fail.
From Settings > Privacy > Location Services, turn on the general switch and, if you wish, adjust app by app what location access you allow. Then, try the problematic app or website again.
When the problem is on the server and not on your iPhone or iPad
If after all the previous checks you continue to see warnings like expired certificate, invalid certificate, or unknown CA, it is very likely that the source is the server you are trying to connect to.
In those cases, there's little you can do from your device beyond not entering sensitive data on that site or app and contacting whoever is technically responsible for it. If you have contact with the system administrator or service support:
- Send screenshots of the error that appears on your iPhone or iPad.
- Indicate the specific domain or server to which you are trying to connect.
- Ask if they have recently renewed the certificate or changed hosting/security provider.
Administrators can use tools like SSL Labs to analyze certificate status, chain of trust, and protocol versions, and thus detect whether an intermediate certificate is missing, the certificate has expired, or there is any incompatibility with iOS.
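For administrators who want a quick local check before reaching for an external scanner, the following added example (not from any tool mentioned in this guide) classifies the two failures described above: a server name that does not match the certificate, as in the Mail section, and a validity period that disagrees with the clock, as in the date and time check. The certificate is a constructed sample that reuses the guide's placeholder host names; the function names and port 993 (IMAP over TLS) are assumptions.

```python
"""Added example: classify the certificate failures this guide describes."""
import socket
import ssl
from datetime import datetime, timezone


def name_matches(pattern: str, host: str) -> bool:
    """Compare one certificate DNS name with the server name set in the account.

    A leading '*.' covers exactly one label: '*.yourprovider.com' matches
    'host53.yourprovider.com' but not 'yourprovider.com' or 'a.b.yourprovider.com'.
    """
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    suffix = p[1:]  # e.g. '.yourprovider.com'
    label = h[: -len(suffix)]
    return h.endswith(suffix) and label != "" and "." not in label


def diagnose(cert: dict, configured_host: str, now: datetime) -> list:
    """Return findings for a certificate dict in ssl getpeercert() format.

    'now' must be timezone-aware; pass a wrong clock value to reproduce what a
    device with an incorrect date setting would conclude.
    """
    findings = []
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(name_matches(n, configured_host) for n in dns_names):
        findings.append("name_mismatch")
    ts = now.timestamp()
    if ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("not_yet_valid")
    if ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("expired")
    return findings


def fetch_cert(host: str, port: int = 993, timeout: float = 5.0) -> dict:
    """Live variant (needs network, not called in the demo below).

    The chain is still verified against the system roots; only the name check
    is deferred so that diagnose() can report a mismatch instead of the
    handshake failing outright.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample: certificate issued only for the provider's hostname.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "host53.yourprovider.com"),),
    "notBefore": "Jan 10 00:00:00 2025 GMT",
    "notAfter": "Apr 10 00:00:00 2025 GMT",
}

if __name__ == "__main__":
    clock = datetime(2025, 3, 1, tzinfo=timezone.utc)
    for host in ("mail.mydomain.com", "host53.yourprovider.com"):
        print(host, diagnose(SAMPLE_CERT, host, clock) or "ok")
```

An empty result for host53.yourprovider.com and `name_mismatch` for mail.mydomain.com is the situation that options 1 and 3 of the Mail section resolve.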
By understanding how certificates work in the Apple ecosystem, what types iOS and iPadOS support, and applying all these steps (from checking the device's date and Safari's cache to issuing valid certificates for your mail server or changing DNS settings), it's much easier to locate the source of SSL errors and quickly restore secure connections on your iPhone or iPad without sacrificing the security they offer.
