Restrict CA to issue certficates for one domain or to be able to sign just one server certificate

I have a server and I want my iPhone to connect to it securely. However, I cannot just install the self-signed server certificate on my iPhone. When I install the profile (that’s what they call the certificate), it says "Not verified".

Normally, you would go to CA Trust settings and enable full trust for the certificate. BUT I deliberately made the certificate with critical,CA:false constraint. That’s the reason it does not show in the CA Trust settings.

Why did I do it — I just need to install the single certificate and I don’t want to totally compromise my iPhone security, if my CA credentials got stolen.

Do this have a solution? iOS probably requires a CA to trust a certificate, but I don’t want a possibility to create certificates at all (beside the one), or at least for another domains.


One potential "solution" might be to create the CA, sign the server certificate and then delete the CA key, as it would not be needed and would live for a shorter time (lower chance to get stolen).

However, people except me wouldn’t be stoked to install it. (I don’t want to buy a certificate as its a home project and I don’t even have a domain name, just the IP address.)

The certificate complies with apple’s current requirements for server certificates. (https://support.apple.com/en-us/HT210176)