Testing upcoming Safari cert validity changes

Per https://support.apple.com/en-us/HT211025

Quoting:

"In our ongoing efforts to improve web security for our users, Apple is reducing the maximum allowed lifetimes of TLS server certificates [to 398 days]"

  • [...]
  • "This change will not affect certificates issued from user-added or administrator-added Root CAs."

Questions:

  • What defines "user-added or administrator-added Root CAs"?
  • How do we get our hands on a version of Safari now to test/prepare for this change? What version(s) of Safari honors this change?

Note, I've asked a similar question on StackExchange: https://apple.stackexchange.com/questions/384033

Well, we have a private root and its published certificates are affected. trustd throws an error:

Non-system-trusted leaf validity period longer than 825 days and issued on or after 1 July 2019

Why is that?

I thought private roots are unaffected.

Attaching screenshots.

"I thought private roots are unaffected."

You are correct, private roots do not have to be under 398 days, but they do have to be under 825 days.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com