I am making a web app, where one portion is actually made to be run on a local machine for cases where there is no available internet connection. I figured out how I can serve my app over a port and have it available to iPhones over bluetooth. This means the phone needs to connect to something like https://mymachine.local. If the phone has already trusted a root CA from previous browsing, would the phone's browser trust my cert brought through a trusted source?

Unless you control the local DNS server, you wouldn't be able to use a name covered by the certificate. Also, revocations can't be checked offline – Natanael Feb 22 '19 at 18:36
2 Answers
Root CA certificates are not trusted by the device simply by "browsing".
All browsers have a defined pre-trusted list of Root CA certificates (which is a poor security decision in my opinion). This list changes (certificates are added & removed) whenever the browser vendor wants to.
Chrome uses the OS local keystore as its pre-trusted list of Root CA certificates; Firefox manages its own list that differs from the OS.
You should either use a well known CA to sign the app's server certificate, or manage to import the app's Root CA Certificate in the keystore of all devices.
Install Certificate - Using Chrome on Windows
Install Certificate - Using Firefox on Windows
The answer to "Do you need the internet to verify a TLS Cert?" is: It depends. Most devices (Macs, Windows, smartphones) have a keystore with pre-trusted Root CA certificates.
If you have already manually trusted a self-signed Root CA, then it's already in the phone's root store, and any new intermediate or TLS cert derived from it will be accepted.
I'm assuming that the TLS cert you create will be used on the web server (be it local or on the internet), so:
It will be rejected if any other device you use to test doesn't have the root CA in its store already.
It can't be brought through any trusted source; the keys used to generate your own certs don't match other trusted sources.
In any case, why not generate one with, say, "Let's Encrypt"? That way you won't have to deal with the hassle of installing self-signed certs on every device that has to access your app.
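The trust relationship both answers describe, as an added example that is not from the thread: a private root CA, a leaf certificate for mymachine.local issued from it, and an offline openssl chain check that succeeds only against a trust file holding that root and only for a name the certificate covers (the hostname, file names and temp directory are assumptions).

```shell
#!/bin/sh
# Added example (not from the thread): private root CA -> leaf cert for
# mymachine.local -> offline chain check with openssl. Names are assumptions.
set -eu

WORK="$(mktemp -d)"
HOST="mymachine.local"

# Private root CA: the certificate every phone would have to import.
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Local Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1
}

# Leaf cert for the local hostname; the SAN is what browsers actually match.
make_leaf_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$HOST" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/san.ext"
  openssl x509 -req -sha256 -days 90 -in "$WORK/leaf.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/san.ext" -out "$WORK/leaf.crt" >/dev/null 2>&1
}

# An unrelated root, standing in for a device that never imported ours.
make_other_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Unrelated Root" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" >/dev/null 2>&1
}

# Offline verification: $1 = trust file (the "root store"), $2 = expected name.
# No network is used; exit status 0 means the chain and name were accepted.
# Revocation is NOT checked here, exactly as the comment above points out.
verify_against() {
  openssl verify -CAfile "$1" -verify_hostname "$2" "$WORK/leaf.crt" \
    >/dev/null 2>&1
}

make_root_ca
make_leaf_cert
make_other_root

verify_against "$WORK/root.crt" "$HOST" && echo "accepted: root is in the store"
verify_against "$WORK/other.crt" "$HOST" || echo "rejected: root not in the store"
verify_against "$WORK/root.crt" "other.local" || echo "rejected: name not covered"
```

Importing root.crt into a phone's trust store is the manual step the answers refer to; the same chain is rejected on any device where that step was skipped.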