WSA PBR iOS 11 HTTPS Inspection

eduserverteam
Level 1

Hi All,

So we have had IronPort (now Cisco WSA) for a good 5 years now, all virtual, running 9.1 and all working fine except:

We have around 5,000 iPads on the infrastructure, all on a specific wireless FlexConnect VLAN. When they hit the core, PBR sets the next hop for port 80 or 443 traffic to the P1 IP of a specific WSA, thus achieving a transparent proxy for those pesky iPads.

Enter iOS 11: for some reason, in the above setup, iOS 11 detects HTTPS inspection as a man-in-the-middle attack (which, yes, it is). Certs are from an MS enterprise PKI, with the root cert on the WSA and on the iPads, and the subordinate on the WSA serving as it has since the world decided to use HTTPS inspection.

This has only started happening since iOS 11. What is also strange is that if you explicitly point to the WSA it's fine, but when PBR is used so it's transparent, it keeps producing this error on the iPad.

I was going to log a TAC case but thought I would ask you guys first.

Thanks

Ben

3 Replies

DW1
Level 1

Hi Ben, I am having the same issue and was about to log a TAC case. Did you have any success?

thanks
David

Hi David,

No luck yet; I ended up logging a TAC case not long after the post. It's still ongoing at the moment. I get the odd engineer WebEx every now and again as it gets passed around to make sure I have implemented the cert correctly, and then it goes quiet.

I did hear Cisco were talking to Apple about it, but no positive movement yet, unfortunately.

We are looking to require an expansion of proxy services soon for a lot more users, and I will be using this experience to decide how this looks for us moving forward.

Hi Ben

I also logged a TAC case and they came back with an article saying how it's been like this since iOS 7. I haven't tried the process yet as I don't think it's the cause, since it's only started since iOS 11.

Problem

When accessing mail.google.com using an iPhone/iPad running iOS version 7 and above, the mobile device is unable to display the page and gets a certificate error or "not trusted", while an iPhone/iPad running iOS 6 and below can access mail.google.com as normal.

This issue occurs when access to mail.google.com is being decrypted by the Decryption Policy of the Cisco Web Security Appliance.

Solution

An iPhone or iPad running iOS version 7 and above now inherits a list of preloaded HSTS (HTTP Strict Transport Security) entries and does not provide the user with the option to ignore it; please see the link below for more information regarding HSTS:

http://www.chromium.org/sts

This behaviour has been seen to apply to multiple browsers in iOS 7; browsers that have been tested on iOS 7 are Chrome, Firefox, Safari and Mercury.

The behaviour changes in iOS 7 and above appear to clash with the way the Cisco Web Security Appliance handles HTTPS traffic: WSA decryption removes all intermediate certificates and assumes the position of root CA, therefore the verification step fails.

The link below is the source for Google's full list and issuer whitelist:

http://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json

Browsers that use this list will verify that gmail.com has one of the following issuers in the certificate chain:

"VeriSignClass3",
"VeriSignClass3_G3",
"Google1024",
"Google2048",
"GoogleBackup1024",
"GoogleBackup2048",
"GoogleG2",
"EquifaxSecureCA",
"GeoTrustGlobal"

Workaround:

- Download the root signing certificate from the Cisco WSA and email it as an attachment, then open the email and attachment from the iPhone/iPad; this will force the device to install the certificate as a trusted certificate in the local store of the appliance and create a profile for it.

Or

- Host the .pem file (the WSA's root signing certificate), as downloaded from the WSA GUI, on a web server and then visit the web server via Safari on the iPad/iPhone. It will then receive the option to install the certificate, similar to the above.

This workaround, however, will not work with Chrome as the internet browser, because the root certificate store in iOS is not accessible by third-party apps, even for certs that are pushed or installed on the device.

Steps to install an HTTPS certificate onto iPhone or iPad devices.

An end-user digital certificate that contains a public and private key (usually in the form of a .p12 or .pfx file) can be installed onto an iPhone or iPad with the release of iOS 5 and above. Below are the steps to install a digital certificate onto an iPhone or iPad.

 

  1. Apple recommends that a *.p12 or *.pfx file is sent to the iDevice as an attachment in an email.

     Steps to convert a .pem certificate file to .p12 or .pfx:
     http://pubs.vmware.com/view-51/index.jsp?topic=%2Fcom.vmware.view.certificates.doc%2FGUID-17AD1631-E...

     # "openssl x509" only re-encodes a certificate; a PKCS#12 container (.p12/.pfx)
     # is built with the pkcs12 subcommand. -nokeys packages the certificate alone.
     openssl pkcs12 -export -in cert.pem.cer -nokeys -out cert.p12
     openssl pkcs12 -export -in cert.pem.cer -nokeys -out cert.pfx

 

  2. Open the .p12 or .pfx certificate file on your iPhone/iPad by selecting the file. This will start the process to install the certificate as a new profile on your iPhone/iPad. In the example below the *.p12 file was included in an email.

     [Screenshot: From iPad and iPhone.]

  3. At the Install Profile screen (shown below) press the Install button.

     [Screenshot: From iPad and iPhone (same display screen on both devices).]

  4. You will be prompted with a warning message that says, "Installing this profile will change settings on your iPad/iPhone." Press the Install Now button.

  5. If your device has a PIN or passcode set on the iPad/iPhone, you need to enter this in. Using the keyboard provided, type the passcode into the field.

  6. The certificate will continue to install on the iPad/iPhone. Once it has finished you will be presented with the following screen. You can exit this screen by pressing the Done button in the top right-hand corner.

  7. In order to remove the newly installed certificate: Settings > General > press "Remove".
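As an added illustration of the pin check the TAC article describes (not code from Cisco, Apple or Chromium): a simplified model of a transport_security_state_static.json entry with its pinset, evaluated against a chain as Google's CA issues it and against the chain a WSA re-signs under an enterprise root. The list layout is reduced to the fields used here and every SPKI value is a constructed stand-in.

```python
import base64
import hashlib

# Constructed pinset in a simplified form of the static list's layout
# (entries name a pinset; pinset names stand for issuer SPKIs).
PRELOAD = {
    "pinsets": [{"name": "google",
                 "static_spki_hashes": ["GoogleG2", "GeoTrustGlobal"]}],
    "entries": [{"name": "google.com", "include_subdomains": True,
                 "mode": "force-https", "pins": "google"}],
}
# Constructed stand-ins for real SubjectPublicKeyInfo DER bytes.
SPKI = {
    "GoogleG2": b"constructed-spki-GoogleG2",
    "GeoTrustGlobal": b"constructed-spki-GeoTrustGlobal",
    "WSA-subordinate": b"constructed-spki-wsa-subordinate",
    "Enterprise-root": b"constructed-spki-enterprise-root",
}
# Chain Google's CA issues (stand-ins) vs. the chain the WSA re-signs.
ORIGINAL_CHAIN = [b"constructed-spki-mail-leaf", SPKI["GoogleG2"], SPKI["GeoTrustGlobal"]]
INSPECTED_CHAIN = [b"constructed-spki-resigned-leaf", SPKI["WSA-subordinate"], SPKI["Enterprise-root"]]

def spki_sha256(der):
    # A public-key pin is base64(SHA-256(SubjectPublicKeyInfo DER)).
    return base64.b64encode(hashlib.sha256(der).digest()).decode()

def find_entry(entries, host):
    # Walk from the full host up through parent domains; a parent entry
    # applies only when include_subdomains is set, as in the preload list.
    labels = host.lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        for e in entries:
            if e["name"] == name and (i == 0 or e.get("include_subdomains")):
                return e
    return None

def chain_pinned_ok(host, chain_spki, preload=PRELOAD):
    """True if the host is unpinned or any SPKI in the presented chain
    (leaf first) hashes to a member of its pinset."""
    entry = find_entry(preload["entries"], host)
    if entry is None or "pins" not in entry:
        return True          # HSTS-only or unlisted host: no pin check
    pinsets = {p["name"]: {spki_sha256(SPKI[n]) for n in p["static_spki_hashes"]}
               for p in preload["pinsets"]}
    return any(spki_sha256(s) in pinsets[entry["pins"]] for s in chain_spki)

if __name__ == "__main__":
    print("issued chain :", chain_pinned_ok("mail.google.com", ORIGINAL_CHAIN))
    print("WSA chain    :", chain_pinned_ok("mail.google.com", INSPECTED_CHAIN))
```

Only the presence of a pinned key somewhere in the chain is tested, which is why a chain re-anchored at the enterprise root fails even though that root is trusted on the device. Desktop Chrome exempts chains that end at a locally installed root from pin enforcement; the model above enforces pins unconditionally, matching the iOS behaviour the article describes.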