- Requirements for trusted certificates in iOS 13 and macOS 10.15
- Lists of available trusted root certificates in macOS
- Blocking Trust for WoSign CA Free SSL Certificate G2
- About trust and certificates
- macOS Trust Store
- Obtain a trusted certificate in macOS Server
- List of available trusted root certificates in macOS Sierra
- About trust and certificates
- List of available trusted root certificates in macOS High Sierra
- About trust and certificates
Requirements for trusted certificates in iOS 13 and macOS 10.15
Learn about new security requirements for TLS server certificates in iOS 13 and macOS 10.15.
All TLS server certificates must comply with these new security requirements in iOS 13 and macOS 10.15:
- TLS server certificates and issuing CAs using RSA keys must use key sizes greater than or equal to 2048 bits. Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS.
- TLS server certificates and issuing CAs must use a hash algorithm from the SHA-2 family in the signature algorithm. SHA-1 signed certificates are no longer trusted for TLS.
- TLS server certificates must present the DNS name of the server in the Subject Alternative Name extension of the certificate. DNS names in the CommonName of a certificate are no longer trusted.
Additionally, all TLS server certificates issued after July 1, 2019 (as indicated in the NotBefore field of the certificate) must follow these guidelines:
- TLS server certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID.
- TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).
Connections to TLS servers violating these new requirements will fail and may cause network failures, apps to fail, and websites to not load in Safari in iOS 13 and macOS 10.15.
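The checks above, including the date-dependent rules for certificates issued after July 1, 2019 and the key/hash rules that also apply to issuing CAs, as an added Python example (not Apple's code): it evaluates a simplified, constructed `CertFacts` record rather than parsing a real X.509 certificate, and the 825-day limit is computed as whole days between NotBefore and NotAfter, which is an assumption about rounding.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List

# Constructed, simplified view of the X.509 fields the policy inspects (a real tool would fill it from a parsed certificate).
@dataclass
class CertFacts:
    key_type: str              # "RSA" or "EC"
    key_bits: int
    sig_hash: str              # hash in the signature algorithm, e.g. "sha256"
    san_dns_names: List[str]   # dNSName entries of the SAN extension
    eku_oids: List[str]        # dotted OIDs in the EKU extension, [] if absent
    not_before: str            # ISO dates ("2020-01-01"), taken as UTC
    not_after: str

ID_KP_SERVERAUTH = "1.3.6.1.5.5.7.3.1"
SHA2_FAMILY = {"sha224", "sha256", "sha384", "sha512"}
NEW_ISSUANCE_CUTOFF = datetime(2019, 7, 1)   # extra rules apply from this NotBefore on
MAX_VALIDITY_DAYS = 825

def key_and_hash_problems(cert: CertFacts) -> List[str]:
    """Rules that apply to the server certificate and to every issuing CA."""
    problems = []
    if cert.key_type == "RSA" and cert.key_bits < 2048:
        problems.append(f"RSA key is {cert.key_bits} bits, minimum is 2048")
    if cert.sig_hash.lower() not in SHA2_FAMILY:
        problems.append(f"signature hash {cert.sig_hash} is not from the SHA-2 family")
    return problems

def check_server_cert(cert: CertFacts, hostname: str) -> List[str]:
    """Return the policy violations for a TLS server certificate; [] means it passes."""
    problems = key_and_hash_problems(cert)
    # Only SAN dNSName entries count; a hostname in the CommonName is no longer trusted.
    if hostname.lower() not in {n.lower() for n in cert.san_dns_names}:
        problems.append(f"{hostname} is not listed in the Subject Alternative Name")
    not_before, not_after = map(datetime.fromisoformat, (cert.not_before, cert.not_after))
    if not_before >= NEW_ISSUANCE_CUTOFF:        # rules for certificates issued after the cutoff
        if ID_KP_SERVERAUTH not in cert.eku_oids:
            problems.append("EKU extension does not contain id-kp-serverAuth")
        days = (not_after - not_before).days
        if days > MAX_VALIDITY_DAYS:
            problems.append(f"validity of {days} days exceeds {MAX_VALIDITY_DAYS}")
    return problems

def check_chain(chain: List[CertFacts], hostname: str) -> List[str]:
    """chain[0] is the server certificate, the rest the issuing CAs (trust anchor excluded)."""
    problems = check_server_cert(chain[0], hostname)
    for depth, ca in enumerate(chain[1:], start=1):
        problems += [f"issuing CA {depth}: {p}" for p in key_and_hash_problems(ca)]
    return problems
```

A certificate issued before the cutoff with no EKU and a three-year validity still passes, while the same certificate issued after it fails both additional rules.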
Source
Lists of available trusted root certificates in macOS
The macOS Trust Store contains trusted root certificates that are preinstalled with macOS.
Blocking Trust for WoSign CA Free SSL Certificate G2
Certificate Authority WoSign experienced multiple control failures in their certificate issuance processes for the WoSign CA Free SSL Certificate G2 intermediate CA. Although no WoSign root is in the list of Apple trusted roots, this intermediate CA used cross-signed certificate relationships with StartCom and Comodo to establish trust on Apple products.
In light of these findings, we took action to protect users in a security update. Apple products no longer trust the WoSign CA Free SSL Certificate G2 intermediate CA.
To avoid disruption to existing WoSign certificate holders and to allow their transition to trusted roots, Apple products trust individual existing certificates that were issued from this intermediate CA and published to public Certificate Transparency log servers by 2016-09-19. They will continue to be trusted until they expire, are revoked, or are untrusted at Apple’s discretion.
As the investigation progresses, we will take further action on WoSign/StartCom trust anchors in Apple products as needed to protect users.
Further steps for WoSign
After further investigation, we have concluded that in addition to multiple control failures in the operation of the WoSign certificate authority (CA), WoSign did not disclose the acquisition of StartCom.
We are taking further actions to protect users in an upcoming security update. Apple products will block certificates from WoSign and StartCom root CAs if the "Not Before" date is on or after 1 Dec 2016 00:00:00 GMT/UTC.
About trust and certificates
Each macOS Trust Store listed below contains three categories of certificates:
- Trusted certificates establish a chain of trust that verifies other certificates signed by the trusted roots—for example, to establish a secure connection to a web server. When IT administrators create Configuration Profiles for macOS, these trusted root certificates don’t need to be included.
- Always Ask certificates are untrusted but not blocked. When one of these certificates is used, you’ll be prompted to choose whether or not to trust it.
- Blocked certificates are believed to be compromised and will never be trusted.
macOS Trust Store
Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.
Source
Obtain a trusted certificate in macOS Server
If your server doesn’t have a signed SSL certificate or if you need a new one, you can use the generated self-signed certificate to request a signed certificate from a third-party Certificate Authority (CA).
You can obtain a valid signed certificate by generating a certificate signing request (CSR) file, which you send to a known CA. If your request satisfies the authority, it generates and sends you a signed certificate. There’s usually a fee involved with this service.
- Select Certificates in the Server app sidebar.
- Click and choose Show All Certificates.
- Click , then choose Get a Trusted Certificate from the pop-up menu.
- Click Next, then enter your company or personal information in the fields.
- Click Next, then click Finish.
- Double-click the pending certificate signing request in the certificates list.
Some certificate authorities ask you to enter the CSR text in a field on a webpage instead of uploading a file. In that case, click Save, then click the triangle next to the Certificate Signing Request. Then you can copy and paste the text to the CA’s website.
If you received files from your certificate vendor, drag them to the Certificate Files section of the Certificate Signing Request pane.
If your CA requires you to upload the CSR file, click Save and save the CSR file, then follow the instructions on the CA’s website. On the CA’s website, look for SSL Certificates.
You can use the CA of your choice. Here are a few:
- The Go Daddy Group, Inc. (www.godaddy.com)
After receiving your signed certificate from the CA, use it to replace your self-signed certificate. For information, see Use an SSL certificate in macOS Server.
Source
List of available trusted root certificates in macOS Sierra
The macOS Sierra Trust Store contains trusted root certificates preinstalled with macOS.
About trust and certificates
The macOS Sierra Trust Store contains three categories of certificates:
- Trusted root certificates are used to establish a chain of trust that’s used to verify other certificates signed by the trusted roots, for example to establish a secure connection to a web server. When IT administrators create Configuration Profiles for macOS, they don’t need to include these trusted root certificates.
- Always Ask certificates are untrusted but not blocked. When one of these certificates is used, you’ll be prompted to choose whether or not to trust it.
- Blocked certificates are believed to be compromised and will never be trusted.
This article lists the certificate trust policies for macOS Sierra, and is updated when changes are made to the certificate list. Follow these steps to find the version of the Trust Store installed on your Mac:
- In the Finder, choose Go > Go to Folder.
- Type or paste /System/Library/Security/Certificates.bundle/Contents/Resources/TrustStore.html and press Go.
- In the folder that appears, open TrustStore.html. The Trust Store version is in the upper-right corner of the page.
This article lists the certificates for macOS Sierra Trust Store version 2016102100, which is current for macOS Sierra 10.12 and later.
Source
List of available trusted root certificates in macOS High Sierra
The macOS High Sierra Trust Store contains trusted root certificates preinstalled with macOS.
About trust and certificates
The macOS High Sierra Trust Store contains three categories of certificates:
- Trusted root certificates are used to establish a chain of trust that’s used to verify other certificates signed by the trusted roots, for example to establish a secure connection to a web server. When IT administrators create Configuration Profiles for macOS, they don’t need to include these trusted root certificates.
- Always Ask certificates are untrusted but not blocked. When one of these certificates is used, you’ll be prompted to choose whether or not to trust it.
- Blocked certificates are believed to be compromised and will never be trusted.
This article lists the certificate trust policies for macOS High Sierra, and is updated when changes are made to the certificate list. Follow these steps to find the version of the Trust Store installed on your Mac:
- In the Finder, choose Go > Go to Folder.
- Type or paste /System/Library/Security/Certificates.bundle/Contents/Resources/TrustStore.html and click Go.
- In the folder that appears, open TrustStore.html. The Trust Store version is in the upper-right corner of the page.
This article lists the certificates for macOS High Sierra Trust Store version 2018040200, which is current for macOS High Sierra 10.13 and later.
Source