Do Apple root certificates expire?

Hello,

Do Apple root certificates AppleRootCA-G2.cer and AppleRootCA-G3.cer expire?

If yes, in how long?

Thanks in advance.

Answered by Hoffman in 794696022

Yes, the Apple Root Certificate Authority certificates expire.

Apple Root CA-C2 and -G3 both expire in 2039.

Details are here: List of available trusted root certificates in iOS 17, iPadOS 17, macOS 14, tvOS 17, and watchOS 10

Apple hasn’t updated the doc for the current 2024040500 certificates, so the above 2023071300 data is slightly stale.

What Hoffman wrote and…

All certificates expire. It is literally impossible to create a certificate without the valid date range fields.

You can see those fields in a number of ways:

  • If the certificate is in your keychain, view it in Keychain Access.

  • If you have a certificate (.cer or .pem) file, use Quick Look in the Finder.

  • In Terminal, run certtool:

    % certtool d AppleRootCA-G2.cer 
    …
    Not Before         : 18:10:09 Apr 30, 2014
    Not After          : 18:10:09 Apr 30, 2039
    …
    
  • Or openssl:

    % openssl x509 -in AppleRootCA-G2.cer -inform der -text
    …
            Validity
                Not Before: Apr 30 18:10:09 2014 GMT
                Not After : Apr 30 18:10:09 2039 GMT
    …
    

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Please reply as a reply rather than in the comments. I’m not notified of the latter. For this and other tips, see Quinn’s Top Ten DevForums Tips.
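The Validity field that certtool and openssl print in the post above can also be read straight from the DER bytes. This is an added example, not part of the original posts; the function names are hypothetical, and `sample_cert` builds a constructed skeleton carrying the dates quoted above rather than the real AppleRootCA-G2.cer.

```python
from datetime import datetime, timezone

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def parse_time(tag, raw):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) as an aware datetime."""
    text = raw.decode("ascii")
    if tag == 0x17:                         # YYMMDDHHMMSSZ; RFC 5280: YY >= 50 means 19YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != 0x18:
        raise ValueError("Validity must hold UTCTime or GeneralizedTime")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def validity(der):
    """Return (not_before, not_after) from DER certificate bytes."""
    _, pos, _ = tlv(der, 0)                 # Certificate ::= SEQUENCE
    _, pos, _ = tlv(der, pos)               # TBSCertificate ::= SEQUENCE
    tag, _, end = tlv(der, pos)
    if tag == 0xA0:                         # optional [0] version
        pos = end
    for _ in range(3):                      # skip serialNumber, signature, issuer
        _, _, pos = tlv(der, pos)
    tag, pos, _ = tlv(der, pos)             # Validity ::= SEQUENCE { notBefore, notAfter }
    if tag != 0x30:
        raise ValueError("Validity SEQUENCE not found")
    t1, start, end = tlv(der, pos)
    not_before = parse_time(t1, der[start:end])
    t2, start, end2 = tlv(der, end)
    return not_before, parse_time(t2, der[start:end2])

def enc(tag, body):
    """DER-encode one element; only used to build the constructed sample."""
    n = len(body)
    size = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + size + body

def sample_cert(issuer=b""):
    """Constructed skeleton (not a real or signed certificate) with the dates quoted above."""
    dates = enc(0x17, b"140430181009Z") + enc(0x17, b"390430181009Z")
    tbs = enc(0xA0, enc(0x02, b"\x02")) + enc(0x02, b"\x01") + enc(0x30, b"") + enc(0x30, issuer)
    return enc(0x30, enc(0x30, tbs + enc(0x30, dates)))
```

To check a real file, pass its bytes to `validity`, for example the contents of a DER-encoded .cer file opened in binary mode.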

Can Apple change it before 2039 for a reason?

I don’t understand what you’re getting at here but:

  • A certificate is immutable. It can’t be changed because it’s signed by the issuer.

  • A CA can certainly issue a new root certificate before the previous one expires. Indeed, that’s kinda expected.

  • A CA could potentially revoke the old certificate, although that’d be quite extraordinary.

IMPORTANT I’m talking in general terms here. Apple’s official certificate policies are documented on the Apple PKI page, and nothing I say here overrides those.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
