
Internal Certificates not trusted by iOS after Sept 1st, 2020 with validity period greater than 398 days

The following post indicates that iOS devices will not trust certificates after Sept 1, 2020 with a validity period greater than 398 days for Root CAs pre-installed on devices. This article also indicates that user or administrator added root CAs will not be affected.

About upcoming limits on trusted certificates - Apple Support


We took this to understand that our internal certificates from our company would not be affected, however this is not true. We found a workaround by setting a browser setting to trust all certs, however, some apps like Power BI do not work with the workaround in place. Is there any confirmation Apple can give that this would also affect the trust of certs not issued by public Root CAs but our own internal Root CA?

iPhone XR

Posted on Apr 22, 2021 7:28 AM

Question marked as Top-ranking reply

Posted on May 13, 2021 12:40 PM

[ Cross-thread related post: https://discussions.apple.com/thread/252058837 ]


I have experimentally verified that the limit documented here:

https://support.apple.com/en-us/HT210176

of 825 days is now quietly being enforced for internal Root CAs. This may be as recent as OS 10.15.7 (Nov. 2020).

I used two certificates: respectively with validity length 824 days (no error) and 826 (error: NET::ERR_TLS_CERT_VALIDITY_TOO_LONG).


I don't think it matters whether the CA was deployed via MDM or Active Directory, but for the sake of accuracy my method was to manually install my internal CA in my System Keychain and mark it as fully trusted.


Curiously, Chrome on Windows is fine with 5-year certificates, as is Firefox on macOS even when it's told to use the same root trust system keychain that Safari and Chrome use.


I think it's best to just conform and keep all internal leaf certificates at 2 years.
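
An added example, not part of the reply above and not Apple tooling: a Python check that flags leaf certificates whose validity period exceeds the 825-day limit the reply observed, or 398 days for certificates from pre-installed roots issued on or after Sept 1, 2020. The host names, dates, and the way the period is measured (notAfter minus notBefore in 86400-second days) are assumptions made for illustration.

```python
import ssl

DAY = 86400
LIMIT_INTERNAL = 825  # days; the limit the reply saw enforced for an internal root
LIMIT_PUBLIC = 398    # days; limit for pre-installed roots from the question
CUTOFF = ssl.cert_time_to_seconds("Sep  1 00:00:00 2020 GMT")

# Constructed sample: `openssl x509 -noout -subject -dates` output for three
# hypothetical internal leaf certificates (names and dates are made up).
SAMPLE = """\
subject=CN = intranet.example.internal
notBefore=Jan  1 00:00:00 2021 GMT
notAfter=Apr  5 00:00:00 2023 GMT
subject=CN = reports.example.internal
notBefore=Jan  1 00:00:00 2021 GMT
notAfter=Apr  7 00:00:00 2023 GMT
subject=CN = legacy.example.internal
notBefore=Jan  1 00:00:00 2021 GMT
notAfter=Dec 31 00:00:00 2025 GMT
"""

def parse_records(text):
    """Yield (subject, notBefore, notAfter) with times as epoch seconds."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        record[key.strip()] = value.strip()
        if key.strip() == "notAfter" and "notBefore" in record:
            yield (record.get("subject", "(no subject)"),
                   ssl.cert_time_to_seconds(record["notBefore"]),
                   ssl.cert_time_to_seconds(record["notAfter"]))
            record = {}

def audit(text, public_root=False):
    """Return (subject, validity_days, limit_days, status) per certificate."""
    findings = []
    for subject, not_before, not_after in parse_records(text):
        limit = LIMIT_INTERNAL
        if public_root and not_before >= CUTOFF:
            limit = LIMIT_PUBLIC
        # Assumption: validity is notAfter minus notBefore in 86400-second days.
        days = (not_after - not_before) / DAY
        status = "invalid" if days <= 0 else ("too long" if days > limit else "ok")
        findings.append((subject, days, limit, status))
    return findings

if __name__ == "__main__":
    for subject, days, limit, status in audit(SAMPLE):
        print(f"{status:8} {days:7.1f}d (limit {limit}d)  {subject}")
```

Feeding it the concatenated output of `openssl x509 -noout -subject -dates` for each deployed certificate gives a quick inventory of which ones need reissuing with a shorter lifetime.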


Apr 23, 2021 7:05 PM in response to Zokiol

Zokiol wrote:

Is there any confirmation Apple can give that this would also affect the trust of certs not issued by public Root CAs but our own internal Root CA?

This is a user-to-user support forum. No Apple employees are here. Even if they were here, there is no way an Apple employee would ever give someone confirmation on anything. Have you observed a certain behaviour? You can confirm for yourself that it does, in fact, work that way. Adjust your system settings to compensate for how you observe that things now work.
