6 Replies
      Latest reply on May 26, 2020 11:08 AM by tresf
      tresf Level 1 (0 points)

        Per https://support.apple.com/en-us/HT211025

        Quoting:

        • "In our ongoing efforts to improve web security for our users, Apple is reducing the maximum allowed lifetimes of TLS server certificates [to 398 days]"
          • [...]
          • "This change will not affect certificates issued from user-added or administrator-added Root CAs."

        Questions:

        • What defines "user-added or administrator-added Root CAs"?
        • How do we get our hands on a version of Safari now to test/prepare for this change?  What version(s) of Safari honors this change?

        Note, I've asked a similar question on StackExchange: https://apple.stackexchange.com/questions/384033

        • Re: Testing upcoming Safari cert validity changes
          meaton Apple Staff (220 points)

          I can comment on the first question.  In regards to, "What defines 'user-added or administrator-added Root CAs'?"

          This shortened validity period only affects certificates created with a root that already exists in the trust store of the device.  If you have an enterprise root that is added to your device via MDM or for user testing, you will not be affected.  The policy applies if the server's certificate relies on a chain of trust that ends in the CA root that's built into the OS trust store.

          In regards to testing with Safari, I would keep an eye on the Safari Technology Preview release notes as the September 1st deadline starts getting closer.

          Matt Eaton

          DTS Engineering, CoreOS

          meaton3 at apple.com

            • Re: Testing upcoming Safari cert validity changes
              tresf Level 1 (0 points)

              Matt,

              Thanks kindly for your prompt reply.   For some reason the forums had defaulted to Notifications "On", but all of the checkboxes -- including email -- were unticked, so I was never notified of a response.

              Both of your replies are very helpful.

              > "This shortened validity period only affects certificates created with a root that already exists in the trust store of the device.  If you have an enterprise root that is added to your device via MDM or for user testing, you will not be affected.  The policy applies if the server's certificate relies on a chain of trust that ends in the CA root that's built into the OS trust store."

              We add the cert as part of our .pkg installer to allow a successful SSL connection back to our app from the browser.  So although it doesn't "ship with the device" it is added to the System Keychain on install (or via profile on mobile), and removed on uninstall.

              We've baked in our own renewal process (we use Jetty, which offers fantastic live cert replacement support) but we've noticed in previous iterations of shorter cert lengths, the entire OS would enforce this policy.

              For those reasons, we're trying to decide if:

              • We just shorten the length for all certs in anticipation of something like Ballot 193 happening again (but for this newer, shorter span)
                -- OR --
              • We just stay within the current 825 day requirement.

              If our System cert will continue to work for 825 days after this change without unintended side-effects we'll keep that standard. (We understand certs installed before this time will continue working, but our certs are part of our installation process, so we'd like to avoid the influx.)

              > "In regards to testing with Safari, I would keep an eye on the Safari Technology Preview release notes as the September 1st deadline starts getting closer."

              Ok, I'm linking the actual release notes for others: https://developer.apple.com/safari/technology-preview/release-notes/

              Is it safe to say that this change will be spelled out in the release notes for the version which includes it?  If not, is there a support path to obtain this information from Apple?
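              The scope rule Matt gives above (the 398-day cap applies only when the chain ends in a root built into the OS trust store; user- or administrator-added roots are exempt) and the 825-day baseline tresf is weighing can be checked mechanically against a certificate's Validity field. The following is an added example written for this thread, not code from Apple or from the poster's product: a stdlib-only Python decoder for the DER-encoded X.509 Validity sequence plus the policy decision. The DER samples are constructed here; the 1 September 2020 deadline and the 398/825-day figures come from the thread; treating 825 days as the limit for chains ending in a user-added root, and measuring lifetime as elapsed days between notBefore and notAfter, are assumptions of the example.

```python
"""Added example: decode X.509 Validity from DER and apply the 398-day rule.

Assumptions (not from the thread): lifetime = elapsed days between notBefore
and notAfter; chains ending in a user- or admin-added root are judged against
the 825-day ceiling the poster is currently targeting.
"""
from datetime import datetime, timedelta, timezone

MAX_DAYS_BUILTIN_ROOT = 398          # figure quoted from HT211025 in the thread
MAX_DAYS_USER_ADDED_ROOT = 825       # the "current 825 day requirement" tresf cites
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)  # the "September 1st deadline"

UTC_TIME, GENERALIZED_TIME, SEQUENCE = 0x17, 0x18, 0x30


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_time(tag, value):
    """Decode UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    text = value.decode("ascii")
    if tag == UTC_TIME:                    # RFC 5280: YY >= 50 means 19YY, else 20YY
        yy = int(text[:2])
        text = f"{1900 + yy if yy >= 50 else 2000 + yy}{text[2:]}"
    elif tag != GENERALIZED_TIME:
        raise ValueError(f"unexpected Time tag 0x{tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_validity(der):
    """Decode Validity ::= SEQUENCE { notBefore Time, notAfter Time }."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("Validity must be a SEQUENCE")
    t1, v1, pos = _read_tlv(body, 0)
    t2, v2, _ = _read_tlv(body, pos)
    return _decode_time(t1, v1), _decode_time(t2, v2)


def lifetime_days(not_before, not_after):
    """Assumption: lifetime measured as elapsed days between the two instants."""
    return (not_after - not_before) / timedelta(days=1)


def make_validity(y1, m1, d1, y2, m2, d2):
    """Constructed sample input: DER-encode a Validity for the given dates.
    RFC 5280 requires UTCTime through 2049 and GeneralizedTime from 2050."""
    def time_tlv(dt):
        if dt.year < 2050:
            return bytes([UTC_TIME, 13]) + dt.strftime("%y%m%d%H%M%SZ").encode()
        return bytes([GENERALIZED_TIME, 15]) + dt.strftime("%Y%m%d%H%M%SZ").encode()
    nb = datetime(y1, m1, d1, tzinfo=timezone.utc)
    na = datetime(y2, m2, d2, tzinfo=timezone.utc)
    body = time_tlv(nb) + time_tlv(na)
    return bytes([SEQUENCE, len(body)]) + body


def safari_verdict(validity_der, root_is_builtin):
    """Return (verdict, days, limit).

    The 398-day ceiling applies to certificates issued on or after the cutoff
    whose chain ends in a root built into the OS trust store.  A chain ending
    in a user- or admin-added root (e.g. one installed into the System keychain
    by an installer) is checked against the 825-day ceiling instead (assumption).
    """
    not_before, not_after = parse_validity(validity_der)
    days = lifetime_days(not_before, not_after)
    if root_is_builtin and not_before >= CUTOFF:
        limit = MAX_DAYS_BUILTIN_ROOT
    else:
        limit = MAX_DAYS_USER_ADDED_ROOT
    return ("ok" if days <= limit else "too-long"), days, limit


if __name__ == "__main__":
    # Constructed samples: 398-day and 825-day certs issued on the cutoff date.
    for label, der in (("398d", make_validity(2020, 9, 1, 2021, 10, 4)),
                       ("825d", make_validity(2020, 9, 1, 2022, 12, 5))):
        for builtin in (True, False):
            print(label, "built-in root" if builtin else "user-added root",
                  safari_verdict(der, builtin))
```

Running the block prints the verdict for each constructed sample under both chain types; for the poster's case (root installed by their own .pkg into the System keychain, so not built in) the 825-day sample comes back "ok", while the same certificate chained to a built-in root is flagged.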

                • Re: Testing upcoming Safari cert validity changes
                  meaton Apple Staff (220 points)

                  I cannot say with 100% certainty this will appear in the release notes.  If you do not see anything in the release notes as we get closer to September 1 send a ping on this thread and I can take a closer look.

                  | Is it safe to say that this change will be spelled out in the release notes for the
                  | version which includes it?  If not, is there a support path to obtain this information
                  | from Apple?

                  Matt Eaton

                  DTS Engineering, CoreOS

                  meaton3 at apple.com

                    • Re: Testing upcoming Safari cert validity changes
                      tresf Level 1 (0 points)

                      Hi,

                      @meaton Per recommendation, I'm pinging you 2 months later hoping to find out the path to verifying the new -- shortened -- CA cert behavior on Safari.

                      I've read the Release Notes for the Technology Preview but I still cannot seem to find mention of this change.

                      I'd also rest assured knowing that this statement is guaranteed to be correct:

                      -- "This shortened validity period only affects certificates created with a root that already exists in the trust store of the device."

                      Our certificate is generated just-in-time using a CA<--->intermediate<--->SSL chain to be compliant with Firefox, then installed using the security add command line interface.  It should not qualify as "already existing in the trust store of the device", but having a way to confirm this prior to the change would vastly improve the confidence of our product for the future of Safari.

                      Best regards,

                        • Re: Testing upcoming Safari cert validity changes
                          meaton Apple Staff (220 points)

                          Thank you for the follow up.  I do not have anything new to share in regards to a testing date for this change in Safari Technology Preview.

                          If you are using a root that exists in the trust store already on the device I would plan for this change.  If you are using a certificate from a user-added or administrator-added Root CA, this change will not affect you.

                          | I'd also rest assured knowing that this statement is guaranteed to be correct:
                          |
                          | -- "This shortened validity period only affects certificates created with a root that
                          | already exists in the trust store of the device."
                          |
                          | Our certificate is generated just-in-time using a CA<--->intermediate<--->SSL chain to be
                          | compliant with Firefox, then installed using the security add command line interface.  It
                          | should not qualify as "already existing in the trust store of the device", but having a
                          | way to confirm this prior to the change would vastly improve the confidence of our
                          | product for the future of Safari.

                          Matt Eaton

                          DTS Engineering, CoreOS

                          meaton3 at apple.com