STEARsoft: School Teachers' Electronic Attendance Register software



iPad2 (and other pre-iOS10 devices) manual root certificate update

The problem

Older iOS devices (those running iOS9 or earlier) stopped being able to sync to a STEARsoft Cloud server on 30th September 2021.

For a detailed explanation, scroll down past all the screenshots.

The simple fix

On the iPad in question, open Safari and point your browser at https://letsencrypt.org/certs/isrgrootx1.pem

You'll get a blank screen while it thinks about this, and after a few seconds it will show the Install Profile screen. Tap Install:

You'll then be prompted for your iPad PIN (the one you use to unlock the device), so enter your PIN:

... and a further warning screen will appear. Tap Install:

A further popup will check that you wish to install. Tap Install again:

The final screen will appear with an 'unverified' message for a while, but after a few seconds should go green with a verified tick. Click Done.

You can close any open Safari screen and STEARsoft should now be able to sync with the Cloud Server.


Explanation and how to do the above process with better understanding and trust

Your STEARsoft Cloud server gets its SSL (HTTPS) certificate from a Certificate Authority (CA). The Certificate Authority STEARsoft uses is Let's Encrypt. If you search for 'Certificate Authority Wikipedia' you'll quickly find the Wikipedia Certificate authority web page.

If you scroll down this page a bit you'll find a list of Providers. You'll see Let's Encrypt is listed within the top 10. You can click on it from here to go to the Let's Encrypt page in Wikipedia.

Scroll to the bottom of the Wikipedia page for Let's Encrypt to the External links and click on the link to the Official Website.

On the Let's Encrypt website, within 'from our Blog' on the date of Oct 1, 2021 there's an article giving 'Information related to DST CA Root X3 expiration'. Click the link for details about this. In the first sentence it explains that the CA X3 certificate has expired and they're now using the ISRG Root X1 certificate. This certificate is automatically installed in iOS10 and later, but needs to be manually installed for iOS9 and earlier. It's the expiry of the X3 certificate that has stopped STEARsoft being able to sync with a Cloud Server over a secure HTTPS connection. To fix this, we need to install the updated certificate, which needs to be done manually, because it's no longer being done for us as part of an iOS upgrade.

So to manually install the updated ISRG Root X1 certificate (which your iPad will then use to check that the STEARsoft HTTPS certificate is valid):

  • Click on the expired link in the first sentence.
  • On the 'Expiration' page, in the 2nd paragraph click on the ISRG Root X1 link.
  • On the 'Chain of Trust' page that opens, under 'Root Certificates' and 'Active', you'll find 'ISRG Root X1' and under that 'Self-signed: der,pem,txt'. We need the Self-signed, pem version, so click on it (the little word pem).
  • Opening this 'pem' certificate in Safari on an iOS device will automatically open the device Settings App and offer to install the certificate as detailed above.

The certificate is shown as 'not trusted' because the iPad's iOS doesn't know about it, since that iOS version can no longer be updated. By installing it you are telling the iPad that it can trust this certificate, which is why the iPad keeps warning you that it doesn't know about it.

How can you trust that you're installing something genuine and safe? We're trusting Wikipedia to give a valid top 10 list of Certificate Authorities (which includes Let's Encrypt) and following links from there.
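A stronger check than following links is to compare the downloaded file's SHA-256 fingerprint with one obtained independently, for example from an up-to-date device that already trusts ISRG Root X1. The script below is an added example, not part of STEARsoft's instructions; its function names and the script name are made up here, and the expected fingerprint is something you supply yourself.

```python
import base64, hashlib, hmac, sys

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER data")
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw DER bytes of the certificate's issuer and subject names."""
    _, pos, _ = _tlv(der, 0)             # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)           # TBSCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                      # optional [0] version field
        pos = end
    for _skip in range(2):               # serialNumber, signature algorithm
        _, _, pos = _tlv(der, pos)
    _, _, end = _tlv(der, pos)
    issuer, pos = der[pos:end], end
    _, _, pos = _tlv(der, pos)           # skip validity
    _, _, end = _tlv(der, pos)
    return issuer, der[pos:end]

def inspect_root_pem(pem_text, expected_sha256):
    """Check a downloaded root certificate before installing it on a device."""
    b64 = "".join(l for l in pem_text.splitlines() if l and not l.startswith("-----"))
    der = base64.b64decode(b64)
    issuer, subject = issuer_and_subject(der)
    fingerprint = hashlib.sha256(der).hexdigest()
    expected = expected_sha256.replace(":", "").replace(" ", "").lower()
    return {
        "sha256": fingerprint,
        # A root names itself as issuer (the signature is not verified here).
        "self_issued": issuer == subject,
        # Name match is only a sanity check; anyone can put this name in a file.
        "names_isrg_root_x1": b"ISRG Root X1" in subject,
        # The decisive check: fingerprint equals the independently obtained one.
        "fingerprint_match": hmac.compare_digest(fingerprint, expected),
    }

# usage (hypothetical script name): check_root.py isrgrootx1.pem <expected sha256>
if __name__ == "__main__" and len(sys.argv) == 3:
    with open(sys.argv[1]) as fh:
        result = inspect_root_pem(fh.read(), sys.argv[2])
    print(result)
    sys.exit(0 if all(v for k, v in result.items() if k != "sha256") else 1)
```

If `fingerprint_match` is false, the file is not the certificate you compared against and should not be installed.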


Also...

The expired certificate also caused Safari to start putting up warnings when visiting all sorts of websites, including STEARsoft, such as this:

It's a bit worrying, but you can just click 'Continue' to proceed. The same is happening when connecting to the STEARsoft Cloud Server, but because it's directly through the iPad system, the security is tighter and doesn't give an option to just continue with an out-of-date or unverified HTTPS certificate.

Once you've installed the new ISRG X1 certificate, these Safari warnings when visiting such sites will also disappear, because Safari will be able to use it to verify the sites' identities correctly again.