cmdReporter Wiki

macOS Server Certificate Requirements

Requirements for trusted certificates in macOS 10.15 and newer:

https://support.apple.com/en-us/HT210176

The highlights from the above link:

  • Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS.
  • SHA-1 signed certificates are no longer trusted for TLS
  • DNS names in the CommonName of a certificate are no longer trusted

Additionally, all TLS server certificates issued after July 1, 2019 (as indicated in the NotBefore field of the certificate) must follow these guidelines:

  • TLS server certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID.
  • TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).


Easiest way to validate certificates are compliant

Use Safari browser on macOS 10.15 or newer to visit the URL in question. If safari does not show a warning about certificates and you are connected via TLS (https) your certificates are compliant.

Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.