Testing upcoming Safari cert validity changes

Per https://support.apple.com/en-us/HT211025

Quoting:

"In our ongoing efforts to improve web security for our users, Apple is reducing the maximum allowed lifetimes of TLS server certificates [to 398 days]"

  • [...]
  • "This change will not affect certificates issued from user-added or administrator-added Root CAs."


Questions:

  • What defines "user-added or administrator-added Root CAs"?
  • How do we get our hands on a version of Safari now to test/prepare for this change? What version(s) of Safari honors this change?


Note, I've asked a similar question on StackExchange: https://apple.stackexchange.com/questions/384033

Accepted Reply

Thank you for the follow up. I do not have anything new to share in regards to a testing date for this change in Safari Technology Preview.


If you are using a root that already exists in the trust store on the device, I would plan for this change. If you are using a certificate from a user-added or administrator-added Root CA, this change will not affect you.

| I'd also rest assured knowing that this statement is guaranteed to be correct:
|
| -- "This shortened validity period only affects certificates created with a root that
| already exists in the trust store of the device."
|
| Our certificate is generated just-in-time using a CA<--->intermediate<--->SSL to be
| compliant with Firefox, then installed using the security add command line interface. It
| should not qualify as "already existing in the trust store of the device", but having a
| way to confirm this prior to the change would vastly improve the confidence of our
| product for the future of Safari.


Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com

Replies

Well, we have a private root and its published certificates are affected. trustd throws the error:

Non-system-trusted leaf validity period longer than 825 days and issued on or after 1 July 2019

Why is that?

I thought private roots are unaffected.

Attaching screenshots.

| I thought private roots are unaffected.

You are correct, private roots do not have to be under 398 days, but they do have to be under 825 days.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
  • "You are correct, private roots do not have to be under 398 days, but they do have to be under 825 days."

    I think this means to say "private SSL certificates" (in many self-signed scenarios the SSL certificate IS the root, but it doesn't need to be this way, and the roots can be as long as you like as long as you use a proper chain, e.g. https://stackoverflow.com/questions/44550970).
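As an added example (not code from this thread or from Apple), the two leaf-certificate limits discussed above turned into a pre-flight check over the output of `openssl x509 -noout -dates`: 825 days for any leaf issued on or after 1 July 2019 (the trustd check quoted above), plus 398 days for leaves chaining to a system-trusted root. The 1 September 2020 cut-off for the 398-day rule comes from Apple's HT211025, not from this page, and the sample dates are constructed, not real certificates.

```python
from datetime import datetime, timezone

DAY = 86400  # Apple measures validity in 86,400-second days (HT211025)

# Limits discussed in this thread: (max days, "issued on or after" cut-off, system-trusted roots only?)
LIMITS = [
    (825, datetime(2019, 7, 1, tzinfo=timezone.utc), False),  # every leaf; the trustd "825 days" check
    (398, datetime(2020, 9, 1, tzinfo=timezone.utc), True),   # leaves under a system-trusted root only
]

def parse_openssl_dates(text):
    """Parse the two lines printed by `openssl x509 -noout -dates` into UTC datetimes."""
    vals = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() in ("notBefore", "notAfter"):
            vals[key.strip()] = datetime.strptime(
                value.strip(), "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    return vals["notBefore"], vals["notAfter"]

def validity_days(not_before, not_after):
    """Validity period as a count of 86,400-second days (fractional if not whole days)."""
    return (not_after - not_before).total_seconds() / DAY

def check_leaf(dates_text, system_trusted_root):
    """Return (accepted, days, reason) for a leaf under the limits above.

    system_trusted_root=False models a user- or administrator-added root (the
    'private root' case in the thread); True models a root already in the trust store.
    """
    not_before, not_after = parse_openssl_dates(dates_text)
    days = validity_days(not_before, not_after)
    for max_days, since, public_only in LIMITS:
        if public_only and not system_trusted_root:
            continue
        if not_before >= since and days > max_days:
            return False, days, (f"validity {days:.0f} days > {max_days} for a leaf "
                                 f"issued on or after {since:%Y-%m-%d}")
    return True, days, "within the limits for this root type"

# Constructed samples (not real certificates).
# 915-day leaf issued 1 July 2019: the case that trips trustd's 825-day check in the thread.
PRIVATE_ROOT_LEAF = "notBefore=Jul  1 00:00:00 2019 GMT\nnotAfter=Jan  1 00:00:00 2022 GMT\n"
# 789-day leaf issued 2021: fine under a private root, too long under a system-trusted one.
LONG_2021_LEAF = "notBefore=Jan  1 00:00:00 2021 GMT\nnotAfter=Mar  1 00:00:00 2023 GMT\n"

if __name__ == "__main__":
    print(check_leaf(PRIVATE_ROOT_LEAF, system_trusted_root=False))
    print(check_leaf(LONG_2021_LEAF, system_trusted_root=False))
    print(check_leaf(LONG_2021_LEAF, system_trusted_root=True))
```

Feed it the real `openssl x509 -noout -dates -in leaf.pem` output for your just-in-time certificate and pass `system_trusted_root=False` for the user-added root case.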
