Certificate Requirements for Apple iOS 13 & macOS 10.15

When the next iOS and macOS major update arrives this fall to iPhones, iPads and Macs there will be changes that impact environments with TLS certificates not current with standards. Certificates with key lengths shorter than 2048, those signed with a SHA1 algorithm, and certificates without the DNS name in the subject alternative name (SAN) extension will cause errors. Websites in Safari will not load and application functionality will also be impacted.

These changes will be familiar to many that use the Chrome browser as the standard was enforced in Chrome version 58 in April of 2017.  The RFC now being enforced by Apple is RFC 2818 and was published back in 2000.

Other changes include limiting TLS certificate validity to no greater than 825 days and requiring certificates have the ExtendedKeyUsage (EKU) extension with the id-kp-serverAuth OID. This is the Server Authentication (OID application policy in Active Directory Certificate Services (ADCS) environments.

The most anticipated impact we expect to see for corporate, internal PKI environments is those that are issuing certificates for TLS purposes that are valid longer than 2 years and those certificates without all required subject names specified in the Subject Alternative Name field.

The new requirements affect any certificate issued after July 1, 2019.The Apple announcement can be found here.

About Jake Grandlienard

Jacob Grandlienard brings more than 19 years of industry experience as a senior level engineer. He has spent the past 10 years designing, leading, and training clients in Public Key Infrastructure (PKI) implementations for medium to enterprise-scale Fortune 500 companies. He specializes in PKI implementations of Microsoft-based identity solutions, including Microsoft Active Directory Certificate Services (ADCS) as well as integration with other security and identity management technologies. Jacob is a subject matter expert in PKI, mobile device management software, smart card management software, and Hardware Security Module (HSM) integration.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.