As part of the information published at WWDC 2019 by Apple, the following KBase article has been released:
Requirements for trusted certificates in iOS 13 and macOS 10.15: https://support.apple.com/HT210176
This KBase article describes how Apple is implementing new security requirements for TLS server certificates. These certificates are used by servers to encrypt communication between Apple devices and those servers, to make sure that all communication between the servers and those devices is protected.
- Certificate key sizes must be 2048-bit or greater
- SHA-2 must be used for the certificate signing
- DNS hostname of the server must be listed in a Subject Alternative Name (SAN) certificate extension in addition to being listed in the Common Name field of the certificate.
Also, all TLS certificates issued after July 1, 2019 must meet these additional requirements:
- Must be valid for 825 days (27 months) or less
- Must contain the following Object Identifier in the ExtendedKeyUsage extension: id-kp-serverAuth
What happens if you use iOS 13 or macOS Catalina to try to connect to servers with TLS certificates which don’t meet these standards? The connection will fail because the OS will reject the certificate as being invalid. This may result in a web browser not connecting, an app crashing or some other undesired behavior.
As part of testing iOS 13 and macOS 10.15 ahead of their release dates, I strongly recommend testing the various services used at your workplace to make sure that the TLS certificates used by the services of your company, school or institution are able to pass these requirements. Otherwise, you may find some unfortunate surprises on Release Day this fall.