Testing upcoming Safari cert validity changes

Per https://support.apple.com/en-us/HT211025


Quoting:


"In our ongoing efforts to improve web security for our users, Apple is reducing the maximum allowed lifetimes of TLS server certificates [to 398 days]"

  • [...]
  • "This change will not affect certificates issued from user-added or administrator-added Root CAs."


Questions:

  • What defines "user-added or administrator-added Root CAs"?
  • How do we get our hands on a version of Safari now to test/prepare for this change? What version(s) of Safari honors this change?


Note, I've asked a similar question on StackExchange: https://apple.stackexchange.com/questions/384033

Answered by Systems Engineer in 421657022

Thank you for the follow up. I do not have anything new in to share in regards to a testing date for this change in Safari Technology Preview.


If are using a root that exists in the trust store already on the device I would plan for this change. If you are using a certificate from a user-added or administrator-added Root CAs, this change will not affect you.

| I'd also rest assured knowing that this stament is guaranteed to be correct:

|

| -- "This shorten validity period only affects certificates created with a root that

| already exists in the trust store of the device."

|

| Our certificate is generated just-in-time using a CA<--->intermediate<--->SSL to be

| compliant with Firefox, then installed using security add command line interface. It

| sholud not qualify as "Already existing in the trust store of the device", but having a

| way to confirm this prior to the change would vastly improve the confidence of our

| prodcut for the future of Safari.


Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com

Well, we have private root and it's published certificates are affected. Trustd throws error:

Non-system-trusted leaf validity period longer than 825 days and issued on or after 1 July 2019

Why is that ?

I thought private roots are unaffected.

Attaching screenshots.

I thought private roots are unaffected.

You are correct, private roots do not have to be under 398 days, but they do have to be under 825 days.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Testing upcoming Safari cert validity changes
 
 
Q