After downloading the CA, go to Settings → General → VPN & Device Management and install the profile. Then go to Settings → General → About → Certificate Trust Settings and toggle the CA on.
Must open in Safari. If this page opened inside Telegram / Slack / Mail, long-press the button and pick “Open in Safari” — in-app browsers silently fail the OTA handoff.