I’ve deployed some RADIUS servers (Windows Server 2012 R2 with NPS). They use PEAP-MSCHAPv2 for authentication with a SAN GoDaddy certificate. They are deployed in order to handle Wi-Fi connections.
The certificate works with all my devices (Windows, Android), but when I try to authenticate with an iPhone (iPhone 6s Plus, iOS 10), it says that the server's certificate is “Not safe”/“Not verified” and I have to acknowledge it before attempting to connect. The authentication then works, but I would like my colleagues to be able to authenticate with their iPhones without acknowledging this certificate.
At first I thought that the certificate was faulty, but as I said, it works with all my other devices. Moreover, I’ve checked the certificate itself, and the common name, the DNS name and all the related data are correct.
I know that it is possible to import certificates into an iPhone, but GoDaddy is a "Trusted Root Certification Authority", so I shouldn't have to do anything.
Is there any reason why an iPhone wouldn't trust a GoDaddy certificate?
P.S.: I’ve tested with another iPhone (iPhone 6s, iOS 10) and it doesn’t work on that one either.
This means that iOS does not trust the issuer of your certificate, but as you've mentioned, there is a GoDaddy root certificate on the iPhone.
What this probably means is that your RADIUS server is not sending its intermediate certificates. The Windows and Android devices probably already have this intermediate certificate trusted, but your iOS devices don't.
You can find someone else having the same issue here.
There isn't much you can do about this, apart from pushing the intermediate certificate into the trusted publishers store on the iOS devices.
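The failure mode the answer describes, reproduced as an added example (this is not code from the question or the answer, and it does not touch a real NPS server). It builds a throwaway root -> intermediate -> leaf chain with the openssl CLI, all names constructed for the demo, and then runs two verifications against a trust store that holds only the root: one where the leaf is presented alone, which is what a client sees when the RADIUS server sends no intermediate, and one where the intermediate travels with the leaf. It also prints the leaf's AIA "CA Issuers" URI, the pointer a browser on a normal network uses to download a missing intermediate; during 802.1X the client has no network access yet, so that route is unavailable and a device that has not cached the intermediate earlier cannot complete the chain. The assumed prerequisite is an `openssl` binary (1.1.1 or newer) on PATH.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the "server sends only
# its leaf certificate" failure with a throwaway root -> intermediate -> leaf
# chain built by the openssl CLI. Every name below is constructed for the demo.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Extension profiles for the two CA certificates and for the RADIUS leaf.
cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
cat > leaf.ext <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:radius.example.com
authorityInfoAccess=caIssuers;URI:http://pki.example.com/inter.crt
EOF

# Key pair plus CSR for one entity: $1 = file prefix, $2 = subject DN.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

new_csr root  "/CN=Example Root CA"          # stands in for the GoDaddy root
new_csr inter "/CN=Example Intermediate CA"  # the certificate iOS is missing
new_csr leaf  "/CN=radius.example.com"       # the NPS server certificate

# Self-signed root, intermediate signed by the root, leaf signed by the intermediate.
openssl x509 -req -in root.csr -signkey root.key -sha256 -days 30 \
  -extfile ca.ext -out root.pem 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -sha256 -days 30 -extfile ca.ext -out inter.pem 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -sha256 -days 30 -extfile leaf.ext -out leaf.pem 2>/dev/null

# Client that trusts only the root and is handed only the leaf: the iOS case.
# Returns non-zero because no path to a trust anchor can be built.
verify_leaf_only() {
  openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1
}

# Same trust store, but the intermediate is supplied with the leaf, which is
# what the RADIUS server should be sending. -untrusted means "use this for
# chain building, but do not treat it as a trust anchor".
verify_with_intermediate() {
  openssl verify -CAfile root.pem -untrusted inter.pem leaf.pem >/dev/null 2>&1
}

# Where the leaf says its issuer's certificate can be downloaded (AIA).
# Useful on a normal network; useless mid-802.1X, when there is no network yet.
aia_ca_issuers_uri() {
  openssl x509 -in leaf.pem -noout -text | sed -n 's/.*CA Issuers - URI://p' | head -n 1
}

if verify_leaf_only; then
  echo "leaf alone verified (unexpected)"
else
  echo "leaf alone: chain building FAILS, as on the iPhone"
fi
verify_with_intermediate && echo "leaf + intermediate: chain verifies"
echo "intermediate advertised at: $(aia_ca_issuers_uri)"
```

On the Windows side, the equivalent of the `-untrusted` file is the computer's Intermediate Certification Authorities store on the NPS server: Windows builds the chain it sends during PEAP from the local machine stores, so if the GoDaddy intermediate is not installed there, the server has nothing to send. An end-to-end check against the real server is to run a PEAP authentication with wpa_supplicant's `eapol_test` in debug mode and read the certificates the server presents from its output; the leaf should be followed by the intermediate.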