Self-signed Certificate

  • A self-created X.509 Certificate that isn’t signed by anyone else

  • Without a trusted Digital Signature on the X.509 Certificate, it is prone to Man-in-the-middle Attack, because the Client has no way to check whether the X.509 Certificate was modified while it was being received from the Server

Certificate Authority (CA)

  • The entity that is trusted by the Client. The CA signs the Server's X.509 Certificate with its Private Key; this signature is known as the Digital Signature
  • The Server always sends the Digital Signature with its X.509 Certificate to the Client, so the Client can validate the Digital Signature with the Public Key of the Certificate Authority (CA) it trusts. The validation will fail if the X.509 Certificate is manipulated by hackers
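
The signature check described above, as an added example that is not part of the original notes: it uses the openssl command line to build a throwaway CA, then verifies a CA-signed certificate, a self-signed one, and a CA-signed one altered after signing. All names (Demo Root CA, server.example.test, the file names) are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example: every name, path and certificate here is constructed for the demo.

make_demo_pki() {   # $1 = empty directory to fill with keys and certificates
  local d="$1" host="server.example.test"
  # Minimal config so the root gets basicConstraints CA:TRUE on any OpenSSL build.
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' 'prompt=no' \
    '[dn]' 'CN=Demo Root CA' '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$d/demo.cnf"
  # 1. The CA: key pair plus its own root certificate (the thing clients trust).
  openssl req -x509 -config "$d/demo.cnf" -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
  # 2. The server: key pair and signing request, then the CA signs it with ca.key.
  openssl req -new -config "$d/demo.cnf" -subj "/CN=$host" -newkey rsa:2048 -nodes \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -sha256 -days 1 -out "$d/server.crt" 2>/dev/null || return 1
  # 3. A self-signed certificate claiming the same host name, not signed by the CA.
  openssl req -x509 -config "$d/demo.cnf" -subj "/CN=$host" -newkey rsa:2048 -nodes \
    -sha256 -days 1 -keyout "$d/rogue.key" -out "$d/rogue.crt" 2>/dev/null || return 1
  # 4. The CA-signed certificate with its subject altered after signing
  #    (same-length replacement, so the DER structure still parses).
  openssl x509 -in "$d/server.crt" -outform DER -out "$d/server.der" || return 1
  LC_ALL=C sed 's/server\.example\.test/attack.example.test/' \
    "$d/server.der" > "$d/tampered.der"
  openssl x509 -inform DER -in "$d/tampered.der" -out "$d/tampered.crt"
}

trusts() {   # $1 = trusted CA certificate, $2 = certificate to check; status 0 = valid
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

report() {   # prints one line per certificate for the demo run
  if trusts "$1" "$2"; then echo "ACCEPT $2"; else echo "REJECT $2"; fi
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir" || { echo "openssl failed" >&2; exit 1; }
for c in server rogue tampered; do report "$demo_dir/ca.crt" "$demo_dir/$c.crt"; done
rm -rf "$demo_dir"
```

Only server.crt is accepted: the self-signed certificate has no signature from the trusted CA, and the altered one no longer matches the signature the CA computed.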

Trust Self-signed CA


  • Drag and drop the CA cert into Keychain Access under System Keychain
  • Set the trust setting of the cert to Always Trust


  • Upload the CA cert to Files
  • Open the CA cert to install the CA cert
  • Verify the CA cert under VPN & Device Management
  • Enable full trust for the CA cert under Certificate Trust Settings


  • Double click to install and trust the CA Cert