Config changes needed to work with iOS 13 and Mac OSX 10.15
chrissearle commented
My certificates stopped working after updating my phone to iOS 13.
After some googling I found this page:
https://support.apple.com/en-us/HT210176
So - they will likely also fail in OSX 10.15 when it arrives later this month.
Note that this only affects the host certs - my CA cert is still working fine.
I had to make two changes to my ca/host.cnf (and to the config.cnf files generated from it):
- Change default_days to under 825 - anything longer gets rejected
- Update the [ v3_req ] block
Current:

```
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
<<ALT_HOSTNAMES>>
```

Updated:

```
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
<<ALT_HOSTNAMES>>
```

Not sure what you may want to change - the number of days you might want to leave and have a README comment?
I think the adding of the extendedKeyUsage is OK for everyone - I can see for example my LetsEncrypt certificates all have that.
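
A check for the two settings described in the issue above, as an added example (not code from the issue or the project): it parses a host.cnf-style template, tolerating the `<<ALT_HOSTNAMES>>` placeholder, and flags a `default_days` above 825 or a `[ v3_req ]` block without `serverAuth`. The `[ CA_default ]` section name and the sample values are constructed assumptions.

```python
import re

MAX_DAYS = 825  # validity limit from the Apple support page linked in the issue

# Constructed sample modelled on the "Current" block in the issue; the
# [ CA_default ] section name and the 3650 value are assumptions.
SAMPLE_OLD = """\
[ CA_default ]
default_days = 3650

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
<<ALT_HOSTNAMES>>
"""

def parse_cnf(text):
    """Return {section: {key: value}}, skipping template placeholder lines."""
    sections = {"default": {}}
    current = sections["default"]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop OpenSSL-style comments
        header = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
        # blank lines and placeholders such as <<ALT_HOSTNAMES>> are ignored
    return sections

def check_host_cnf(text):
    """List settings that would produce a host cert iOS 13 / macOS 10.15 rejects."""
    cfg = parse_cnf(text)
    problems = []
    for name, body in cfg.items():
        days = body.get("default_days")
        if days is not None and int(days) > MAX_DAYS:
            problems.append(f"[{name}] default_days={days} exceeds {MAX_DAYS}")
    eku = cfg.get("v3_req", {}).get("extendedKeyUsage", "")
    usages = {u.strip() for u in eku.split(",") if u.strip()}
    if "serverAuth" not in usages:
        problems.append("[v3_req] extendedKeyUsage lacks serverAuth")
    return problems

if __name__ == "__main__":
    for problem in check_host_cnf(SAMPLE_OLD):
        print("FAIL:", problem)
```

Certificates already issued from the old template are not changed by editing the config; they have to be reissued.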