radiac/caman

Config changes needed to work with iOS 13 and Mac OSX 10.15


My certificates stopped working after updating my phone to iOS 13.

After some googling I found this page:

https://support.apple.com/en-us/HT210176

So - they will likely also fail in OSX 10.15 when it arrives later this month.

Note that this only affects the host certs - my CA cert is still working fine.

I had to make two changes to my ca/host.cnf (and to the config.cnf files generated from it):

  1. Change default_days to under 825 - anything longer gets rejected
  2. Update the [ v3_req ] block

Current:

[ v3_req ]
basicConstraints        = CA:FALSE
keyUsage                = nonRepudiation, digitalSignature, keyEncipherment
<<ALT_HOSTNAMES>>

Updated:

[ v3_req ]
basicConstraints        = CA:FALSE
keyUsage                = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth, clientAuth
<<ALT_HOSTNAMES>>

Not sure what you may want to change - the number of days you might want to leave and have a README comment?

I think the adding of the extendedKeyUsage is OK for everyone - I can see for example my LetsEncrypt certificates all have that.
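
A small linter for the two changes described in this issue, as an added example (not code from the issue or from caman). It checks an OpenSSL-style host.cnf for a `default_days` value no greater than 825 and for `serverAuth` in the `[ v3_req ]` `extendedKeyUsage`; the `[ CA_default ]` section name and the day counts in the samples are assumptions.

```python
import re

MAX_DAYS = 825  # Apple HT210176: TLS server certs valid for 825 days or fewer

def parse_cnf(text):
    """Parse OpenSSL-style config text into {section: {key: value}}."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[\s*([^\]\s]+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
        # anything else (blank lines, <<ALT_HOSTNAMES>> placeholders) is skipped
    return sections

def lint_host_cnf(text):
    """Return a list of problems; an empty list means both checks pass."""
    cnf, problems = parse_cnf(text), []
    days = [(s, b["default_days"]) for s, b in cnf.items() if "default_days" in b]
    if not days:
        problems.append("default_days is not set")
    for section, value in days:
        if not value.isdigit() or int(value) > MAX_DAYS:
            problems.append(f"[{section}] default_days = {value} "
                            f"(must be a number no greater than {MAX_DAYS})")
    usages = cnf.get("v3_req", {}).get("extendedKeyUsage", "")
    if "serverAuth" not in [u.strip() for u in usages.split(",")]:
        problems.append("[v3_req] extendedKeyUsage does not include serverAuth")
    return problems

# Constructed samples: the [ CA_default ] section and its day counts are made up;
# the [ v3_req ] blocks are the "Current" and "Updated" ones from the issue.
OLD_CNF = """
[ CA_default ]
default_days            = 3650

[ v3_req ]
basicConstraints        = CA:FALSE
keyUsage                = nonRepudiation, digitalSignature, keyEncipherment
<<ALT_HOSTNAMES>>
"""
NEW_CNF = OLD_CNF.replace("3650", "820").replace(
    "<<ALT_HOSTNAMES>>",
    "extendedKeyUsage        = serverAuth, clientAuth\n<<ALT_HOSTNAMES>>")

if __name__ == "__main__":
    for name, text in (("old", OLD_CNF), ("new", NEW_CNF)):
        print(name, lint_host_cnf(text) or "OK")
```

Certificates already issued from the old template are not changed by editing the config; they need to be reissued.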