Blog, July 25, 2019. Tags: Apple iOS, Certificate Validation, Known Issues, macOS, PKI, Subject Alternative Names

Certificate Requirements for Apple iOS 13 & macOS 10.15

by Jake Grandlienard

When the next major iOS and macOS updates arrive this fall on iPhones, iPads and Macs, they will bring changes that affect environments whose TLS certificates do not meet current standards. Certificates with key lengths shorter than 2048 bits, certificates signed with SHA-1, and certificates that do not list the DNS name in the Subject Alternative Name (SAN) extension will cause errors: websites will not load in Safari, and application functionality will also be affected.

These changes will be familiar to many who use the Chrome browser, as the same standard has been enforced in Chrome since version 58 in April 2017. The RFC now being enforced by Apple is RFC 2818, which was published back in 2000.

Other changes include limiting TLS certificate validity to no more than 825 days and requiring that certificates carry the ExtendedKeyUsage (EKU) extension with the id-kp-serverAuth OID. In Active Directory Certificate Services (ADCS) environments this is the Server Authentication (OID 1.3.6.1.5.5.7.3.1) application policy.

The biggest impact we expect to see in corporate, internal PKI environments is on those that issue TLS certificates valid for longer than 2 years, and on those that issue certificates without all of the required names in the Subject Alternative Name field.

The new requirements affect any certificate issued after July 1, 2019. The Apple announcement can be found here.
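As an added illustration (not the article's own code), the following Python script uses the `cryptography` library to check a certificate against the rules above: RSA key size, SHA-1 signatures, validity period, DNS name in the SAN, and the serverAuth EKU. `make_test_cert` builds a constructed self-signed certificate so the check can be run offline; the hostname www.example.com is a placeholder.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, ExtensionOID, NameOID

MAX_VALIDITY_DAYS = 825   # Apple's new cap on TLS certificate lifetime
MIN_RSA_BITS = 2048       # shorter RSA keys are rejected


def check_apple_ios13(cert, hostname):
    """Return the list of iOS 13 / macOS 10.15 TLS rules this certificate violates."""
    problems = []
    key = cert.public_key()
    if isinstance(key, rsa.RSAPublicKey) and key.key_size < MIN_RSA_BITS:
        problems.append(f"RSA key is {key.key_size} bits (< {MIN_RSA_BITS})")
    if isinstance(cert.signature_hash_algorithm, hashes.SHA1):
        problems.append("signature uses SHA-1")
    lifetime = cert.not_valid_after - cert.not_valid_before
    if lifetime > timedelta(days=MAX_VALIDITY_DAYS):
        problems.append(f"validity is {lifetime.days} days (> {MAX_VALIDITY_DAYS})")
    # Per RFC 2818 the Common Name is no longer consulted: the name must be in the SAN.
    try:
        san = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
        dns_names = san.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        dns_names = []
    if hostname not in dns_names:
        problems.append(f"{hostname} is not a DNS name in the SAN extension")
    try:
        eku = cert.extensions.get_extension_for_oid(ExtensionOID.EXTENDED_KEY_USAGE).value
        has_server_auth = ExtendedKeyUsageOID.SERVER_AUTH in eku
    except x509.ExtensionNotFound:
        has_server_auth = False
    if not has_server_auth:
        problems.append("EKU lacks id-kp-serverAuth (1.3.6.1.5.5.7.3.1)")
    return problems


def make_test_cert(hostname, key_bits=2048, days=365, with_san=True, with_eku=True):
    """Constructed self-signed certificate for demonstration only (not a real site's)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_bits)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)])
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + timedelta(days=days)))
    if with_san:
        builder = builder.add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
    if with_eku:
        builder = builder.add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
    return builder.sign(key, hashes.SHA256())
```

A CN-only, three-year, 1024-bit certificate such as `make_test_cert("www.example.com", 1024, 1095, False, False)` trips four of the rules at once, which is the typical profile of an older internal ADCS template.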


Jake Grandlienard

Jake Grandlienard brings more than 19 years of industry experience as a senior level engineer. Jake is a subject matter expert in PKI, mobile device management software, smart card management software, and Hardware Security Module (HSM) integrations.
