Certificate Requirements for Apple iOS 13 & macOS 10.15

When the next iOS and macOS major update arrives this fall to iPhones, iPads and Macs there will be changes that impact environments with TLS certificates not current with standards. Certificates with key lengths shorter than 2048, those signed with a SHA1 algorithm, and certificates without the DNS name in the subject alternative name (SAN) extension will cause errors. Websites in Safari will not load and application functionality will also be impacted.

These changes will be familiar to many that use the Chrome browser as the standard was enforced in Chrome version 58 in April of 2017.  The RFC now being enforced by Apple is RFC 2818 and was published back in 2000.

Other changes include limiting TLS certificate validity to no greater than 825 days and requiring certificates have the ExtendedKeyUsage (EKU) extension with the id-kp-serverAuth OID. This is the Server Authentication (OID 1.3.6.1.5.5.7.3.1) application policy in Active Directory Certificate Services (ADCS) environments.

The most anticipated impact we expect to see for corporate, internal PKI environments is those that are issuing certificates for TLS purposes that are valid longer than 2 years and those certificates without all required subject names specified in the Subject Alternative Name field.

The new requirements affect any certificate issued after July 1, 2019.The Apple announcement can be found here.