caman
Config changes needed to work with iOS 13 and Mac OSX 10.15
My certificates stopped working after updating my phone to iOS 13.
After some googling I found this page:
https://support.apple.com/en-us/HT210176
So - they will likely also fail in OSX 10.15 when it arrives later this month.
Note that this only affects the host certs - my CA cert is still working fine.
I had to make two changes to my ca/host.cnf (and to the config.cnf files generated from it)
- Change default_days to under 825 - anything longer gets rejected
- Update the [ v3_req ] block
Current:

```
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
<<ALT_HOSTNAMES>>
```

Updated:

```
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
<<ALT_HOSTNAMES>>
```

Not sure what you may want to change - the number of days you might want to leave and have a README comment?
I think the adding of the extendedKeyUsage is OK for everyone - I can see for example my LetsEncrypt certificates all have that.
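
A way to check already-issued host certificates against the two points raised in this issue, as an added example that is not part of the original post or of caman: it reads the text printed by `openssl x509 -noout -text` and reports a validity period over 825 days or a missing serverAuth extended key usage. The function names and both sample outputs are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

MAX_DAYS = 825  # validity limit given on the Apple support page linked above

# Constructed sample: trimmed `openssl x509 -noout -text` output, old config
SAMPLE_OLD = """\
        Validity
            Not Before: Sep 20 10:00:00 2019 GMT
            Not After : Sep 17 10:00:00 2029 GMT
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
"""

# Constructed sample: same host cert reissued with the updated [ v3_req ] block
SAMPLE_NEW = """\
        Validity
            Not Before: Sep 20 10:00:00 2019 GMT
            Not After : Dec 22 10:00:00 2021 GMT
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
"""

def _parse_date(text, label):
    """Return the datetime from a 'Not Before' / 'Not After' line."""
    m = re.search(label + r"\s*:\s*(.+)", text)
    if not m:
        raise ValueError(f"'{label}' not found in certificate text")
    # openssl pads single-digit days with an extra space; collapse whitespace
    return datetime.strptime(" ".join(m.group(1).split()), "%b %d %H:%M:%S %Y GMT")

def check_host_cert(text):
    """Return a list of problems; an empty list means both checks pass."""
    problems = []
    lifetime = _parse_date(text, "Not After") - _parse_date(text, "Not Before")
    if lifetime > timedelta(days=MAX_DAYS):
        problems.append(f"validity is {lifetime.days} days, limit is {MAX_DAYS}")
    # openssl prints the EKU values on the line after the extension name
    m = re.search(r"X509v3 Extended Key Usage:[^\n]*\n\s*([^\n]+)", text)
    ekus = [e.strip() for e in m.group(1).split(",")] if m else []
    if "TLS Web Server Authentication" not in ekus:  # openssl's name for serverAuth
        problems.append("extendedKeyUsage does not include serverAuth")
    return problems
```
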