# iOS - Root Certificate Authority

## Overview

While connecting to your Orchestrator instance using the Orchestrator app on an iOS mobile device, you may run into an SSL or ATS certification issue.

![docs image](https://dev-assets.cms.uipath.com/assets/images/orchestrator/orchestrator-docs-image-221791-ad472b40-73463d4c.webp)

The procedure below helps you resolve this issue by installing and trusting the root SSL certificate directly on your iOS mobile device.

## Finding the Root Certificate Authority

The first step in fixing the certificate issue is to ensure your iOS mobile device sees the Root Certificate Authority of your Orchestrator instance. This helps your iOS mobile device to correctly identify and import the certificate.

On the machine that hosts your Orchestrator installation:

1. Open Internet Information Services (IIS) Manager.
2. Navigate to **Sites** > **UiPath Orchestrator**.
3. On the right side, in the **Actions** panel, click **Bindings...**. The **Site Bindings** window opens.
4. Select your Orchestrator instance binding URL and click **Edit...**. The **Edit Site Binding** window opens.
5. The **SSL certificate** field displays the name of your Orchestrator certificate. For more details about it, click **View...**.
6. Switch to the **Details** tab. Find the **Issuer** and **Subject** fields. There are two cases:
   * The **Issuer** and **Subject** values are the same: The SSL certificate selected at step 5 is your Root Certificate. Continue with **Exporting the Root Certificate Authority**, as described below.
   * The **Issuer** and **Subject** values are different: The SSL certificate selected at step 5 is not your Root Certificate. In this case, continue with the procedure below.

### To find the Root Certificate using the Certificate Manager:

1. Open the **Run** command window, type `certmgr.msc`, and press **OK**.
2. Navigate to **Trusted Root Certification Authorities** > **Certificates**. Search for the certificate that matches the **Issuer** from the previous procedure (step 6).
3. Double click to open the **Certificate** window.
4. Switch to the **Details** tab. In the properties list, select **Basic Constraints**. There are two cases:
   * The bottom panel displays `Subject Type=CA`: Your Root Certificate Authority is configured correctly. Jump to the section **Exporting the Root Certificate Authority**.
   * The bottom panel does not display `Subject Type=CA`: You need to create a new certificate (see below) that includes the Root Certificate Authority, import it to the certificate stores (see below), and set it to your Orchestrator instance (see below).
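
The two checks above (Issuer versus Subject, then Basic Constraints on the root) can also be run from an elevated PowerShell session on the Orchestrator host. This is an added example, not UiPath code; it assumes the IIS site name `UiPath Orchestrator` used in the steps above and that the issuing root is in the `LocalMachine\Root` store. `Test-IsCA` is a helper name chosen for this example.

```powershell
# Added example (not UiPath code). Assumes the IIS site is named "UiPath Orchestrator"
# and that the issuing root certificate is in the LocalMachine\Root store.
Import-Module WebAdministration

function Test-IsCA {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Basic Constraints is extension OID 2.5.29.19; "Subject Type=CA" corresponds to cA=true.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
    if (-not $ext) { return $false }   # extension missing: not usable as a CA
    $bc = [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]::new($ext, $ext.Critical)
    return $bc.CertificateAuthority
}

foreach ($binding in Get-WebBinding -Name 'UiPath Orchestrator' -Protocol https) {
    # Certificate bound to this HTTPS binding (IIS stores its thumbprint and store name).
    $store = if ($binding.certificateStoreName) { $binding.certificateStoreName } else { 'My' }
    $leaf  = Get-Item "Cert:\LocalMachine\$store\$($binding.certificateHash)"

    if ($leaf.Subject -eq $leaf.Issuer) {
        $root = $leaf   # Issuer and Subject match: the bound certificate is the root
    } else {
        # Otherwise look for the issuer among the trusted roots.
        $root = Get-ChildItem Cert:\LocalMachine\Root |
                Where-Object { $_.Subject -eq $leaf.Issuer } | Select-Object -First 1
    }

    [pscustomobject]@{
        Binding        = $binding.bindingInformation
        BoundSubject   = $leaf.Subject
        SelfSigned     = ($leaf.Subject -eq $leaf.Issuer)
        RootThumbprint = if ($root) { $root.Thumbprint } else { $null }
        RootIsCA       = if ($root) { Test-IsCA $root } else { $false }
    }
}
```

A row with `RootIsCA` set to `False` corresponds to the second case in step 4: the root has to be recreated with the CA flag before iOS will list it for trust.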

### To create a Root Certificate Authority:

Use PowerShell to create a new certificate. It is important to include `-TextExtension @("2.5.29.19={text}cA=true")` in the script.

#### Sample script
```
# Create the self-signed root. Basic Constraints (OID 2.5.29.19) with cA=true marks it as a CA.
$rootcert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname ROOT-CA-NAME-HERE -KeySpec KeyExchange -HashAlgorithm "SHA256" -KeyUsage CertSign, CRLSign, DigitalSignature -KeyExportPolicy Exportable -TextExtension @("2.5.29.19={text}cA=true")
$rootpwd = ConvertTo-SecureString -String 'PUT-PASSWORD-HERE' -Force -AsPlainText
$rootpath = 'cert:\localMachine\my\' + $rootcert.thumbprint
$rootCA = Export-PfxCertificate -cert $rootpath -FilePath c:\Users\uipath\Desktop\root-cert.pfx -Password $rootpwd

# Create the certificate for the Orchestrator DNS name, signed by the root above.
$cert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname DNS-NAME-HERE -KeySpec KeyExchange -HashAlgorithm "SHA256" -Signer $rootcert
# Named $certpwd to avoid overwriting the automatic variable $PWD (current location).
$certpwd = ConvertTo-SecureString -String 'PUT-PASSWORD-HERE' -Force -AsPlainText
$path = 'cert:\localMachine\my\' + $cert.thumbprint
Export-PfxCertificate -cert $path -FilePath c:\Users\uipath\Desktop\signed-cert.pfx -Password $certpwd
```

If you want to create a Root Certificate Authority that **signs a separate certificate**, use the script template below:

```
# Root Certificate Authority
$rootcert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname ROOT-CA-NAME-HERE -KeySpec KeyExchange -HashAlgorithm "SHA256" -KeyUsage CertSign, CRLSign, DigitalSignature -KeyExportPolicy Exportable -TextExtension @("2.5.29.19={text}cA=true")
$rootpwd = ConvertTo-SecureString -String 'PUT-PASSWORD-HERE' -Force -AsPlainText
$rootpath = 'cert:\localMachine\my\' + $rootcert.thumbprint
$rootCA = Export-PfxCertificate -cert $rootpath -FilePath c:\Users\uipath\Desktop\root-cert.pfx -Password $rootpwd

# Separate certificate signed by the root
$cert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname DNS-NAME-HERE -KeySpec KeyExchange -HashAlgorithm "SHA256" -Signer $rootcert
$certpwd = ConvertTo-SecureString -String 'PUT-PASSWORD-HERE' -Force -AsPlainText
$path = 'cert:\localMachine\my\' + $cert.thumbprint
Export-PfxCertificate -cert $path -FilePath c:\Users\uipath\Desktop\signed-cert.pfx -Password $certpwd
```

### To import the certificate:

1. Double-click on the `.PFX` file created by the PowerShell script. The **Certificate Import Wizard** opens.
2. Select **Local Machine** and click **Next**.
3. On the **Certificate Store** page of the wizard, select **Place all certificates in the following store**, set the **Certificate store** to **Personal**, and click **Next**.
4. **Finish** the importing.
5. Repeat the steps above, but this time set the **Certificate store** from step 3 to **Trusted Root Certification Authorities**.

After you import the new certificate into both certificate stores, set it to your Orchestrator instance.

### To set the new certificate to Orchestrator:

1. Open Internet Information Services (IIS) Manager.
2. Navigate to **Sites** > **UiPath Orchestrator**.
3. On the right side, in the **Actions** panel, click **Bindings...**. The **Site Bindings** window opens.
4. For each site binding, click **Edit...**. The **Edit Site Binding** window opens.
5. From the **SSL certificate** field, select the new certificate and click **OK**.
   :::important
   Make sure to update the certificate for every site binding.
   :::
6. After you update all bindings, click **Restart** from the **Actions** panel.

## Exporting the Root Certificate Authority

With the certificate properly configured, you need to export it to a format that your iOS mobile device recognizes.

1. Open the **Run** command window, type `certmgr.msc`, and press **OK**.
2. Navigate to **Trusted Root Certification Authorities** > **Certificates** and search for your Orchestrator certificate.
3. Right-click on it and select **All Tasks** > **Export...**. The **Certificate Export Wizard** opens.
4. Opt for the **DER encoded binary X.509 (.CER)** export format.
5. **Finish** the exporting.
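
The export steps above, scripted and followed by a check of the resulting file. This is an added example, not UiPath code; `$rootSubject` and `$outFile` are placeholders chosen for illustration, and the root is assumed to be in the `LocalMachine\Root` store.

```powershell
# Added example (not UiPath code). $rootSubject and $outFile are placeholders.
$rootSubject = 'CN=ROOT-CA-NAME-HERE'
$outFile     = Join-Path $env:TEMP 'orchestrator-root.cer'

$root = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $rootSubject })
if ($root.Count -ne 1) {
    throw "Expected exactly one root matching '$rootSubject', found $($root.Count)."
}

# -Type CERT writes a DER-encoded X.509 file: the format selected in step 4.
# Only the public certificate is written; the .pfx files stay on the server.
Export-Certificate -Cert $root[0] -FilePath $outFile -Type CERT | Out-Null

# Re-read the file to confirm what will actually be sent to the device.
$exported = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($outFile)
if ($exported.HasPrivateKey) {
    throw 'Exported file carries a private key; do not distribute it.'
}
if ($exported.Thumbprint -ne $root[0].Thumbprint) {
    throw 'Exported file does not match the certificate in the store.'
}

# The SHA-256 hash of the DER file is the certificate's SHA-256 fingerprint.
[pscustomobject]@{
    File     = $outFile
    Subject  = $exported.Subject
    NotAfter = $exported.NotAfter
    Sha256   = (Get-FileHash -Path $outFile -Algorithm SHA256).Hash
}
```

Record the `Sha256` value and compare it with the fingerprint shown in the certificate details on the device before enabling full trust, since the file usually reaches the device over email or another channel outside your control.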

## Trusting the Certificate

You can send the `.CER` file to your iOS mobile device. Tapping on the received file starts the certificate download. You are prompted by the following message:

![docs image](https://dev-assets.cms.uipath.com/assets/images/orchestrator/orchestrator-docs-image-221831-6d892b9c-b9704f08.webp)

### To trust the certificate on your iOS mobile device:

1. Go to **Settings** > **General** > **Profile**. The certificate is displayed under **DOWNLOADED PROFILE**.
2. Tap the certificate and **Install** it. This verifies the certificate.
3. Tap **Done** and go back to the **General** page.
4. Go to **About** > **Certificate Trust Settings**. The newly installed certificate is displayed under **ENABLE FULL TRUST FOR ROOT CERTIFICATES**. If you don't see the certificate, make sure the **Basic Constraints** certificate property has `Subject Type=CA`.
5. If the certificate toggle is OFF, set it to ON.
