I have some concerns related to shortening the lifetime of certificates, as per https://support.apple.com/en-gb/102028
Does this apply to Private CA root certificates?
And if yes:
- does it apply if I use ATS and higher level API like URLSession
- does it apply if I carry my root CA cert in my app payload and use low level libraries without ATS support?
There are two restrictions in play here:
- The 825 day limit introduced by Requirements for trusted certificates in iOS 13 and macOS 10.15.
- The 398 day limit introduced by About upcoming limits on trusted certificates.
The first applies to all CAs. As endecotp noted, the latter only applies to pre-installed CAs.
Note that these constraints are applied by the TLS policy (SecPolicyCreateSSL). The Basic X.509 policy does not enforce them (SecPolicyCreateBasicX509).
ATS isn’t a factor here. This is part of the TLS policy that applies to all TLS connections, not part of the enhanced security applied by ATS.
I’m not sure what “app payload” means in this context. If you’re talking about distributing your app via MDM, there are other factors involved. However, assuming that this is a standard App Store app then:
- It is possible to embed a custom anchor with your app.
- And then apply that anchor to trust evaluations done by our various networking APIs [1].
- In that case, if your custom trust evaluation uses the TLS policy, which it should, then the first limit applies but the second does not.
However, I strongly recommend against using custom anchors because, if you make a mistake in your code, you lose all TLS protections. Bugs like this have affected many third-party developers, including some ‘household name’ developers. These problems are one of the reasons for ATS.
If you’re thinking of doing this because you want additional security, my advice is that you equip your servers with a standard CA-issued digital identity and then implement certificate or public key pinning on the client side. That way your app will never be less secure than the default for the system on which it’s running.
Apps that use URLSession, or things layered on top of URLSession, can implement pinning using the NSPinnedDomains property.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] Most, but not all, of our networking APIs support overriding TLS server trust evaluation.
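The custom-anchor path described in the answer, written out as an added example (this is not code from the post or from Apple's documentation). It assumes a DER-encoded private root shipped in the app bundle under the hypothetical name PrivateRootCA.cer, and it keeps the TLS policy (SecPolicyCreateSSL) on the trust object so that hostname checking and the 825-day validity limit mentioned above stay in force; it fails closed on any evaluation error, which is the failure mode the answer warns about getting wrong.

```swift
import Foundation
import Security

/// URLSession delegate that trusts only a private root CA embedded in the app.
/// Added example, not from the forum post. The bundled file name and the
/// delegate class are assumptions for illustration.
final class PrivateAnchorSessionDelegate: NSObject, URLSessionDelegate {
    private let anchors: [SecCertificate]

    /// Loads the DER-encoded root from the main bundle (hypothetical "PrivateRootCA.cer").
    init?(bundledCertificateNamed name: String = "PrivateRootCA") {
        guard let url = Bundle.main.url(forResource: name, withExtension: "cer"),
              let der = try? Data(contentsOf: url),
              let cert = SecCertificateCreateWithData(nil, der as CFData) else {
            return nil
        }
        anchors = [cert]
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace

        // Only handle server trust; leave every other challenge type to the system.
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = space.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Keep the TLS policy, bound to the host name we are connecting to. This is
        // what enforces hostname matching and the 825-day limit; the Basic X.509
        // policy would not.
        let policy = SecPolicyCreateSSL(true, space.host as CFString)

        // Restrict the trust evaluation to our embedded root only. Any OSStatus
        // other than errSecSuccess aborts the connection rather than falling back
        // to an unconfigured evaluation.
        guard SecTrustSetPolicies(trust, policy) == errSecSuccess,
              SecTrustSetAnchorCertificates(trust, anchors as CFArray) == errSecSuccess,
              SecTrustSetAnchorCertificatesOnly(trust, true) == errSecSuccess else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        var error: CFError?
        if SecTrustEvaluateWithError(trust, &error) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Fail closed: an untrusted chain, a hostname mismatch, or a leaf valid
            // for longer than 825 days all end up here.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

/// Builds a session that routes server-trust challenges through the delegate above.
func makePrivateAnchorSession() -> URLSession? {
    guard let delegate = PrivateAnchorSessionDelegate() else { return nil }
    return URLSession(configuration: .default, delegate: delegate, delegateQueue: nil)
}
```

The delegate deliberately does not call `SecTrustEvaluateWithError` without first re-applying the SSL policy and restricting the anchors; skipping either step is the kind of mistake that silently drops TLS protections. For the recommended alternative (a public CA-issued identity plus pinning), no delegate is needed: NSPinnedDomains in Info.plist lets URLSession pin without custom trust code.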