Requirements for trusted certificates in macOS 10.15 and newer:
The highlights from the above link:
- Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS.
- SHA-1 signed certificates are no longer trusted for TLS.
- DNS names in the CommonName of a certificate are no longer trusted; the server's DNS name must appear in the SubjectAlternativeName extension.
Additionally, all TLS server certificates issued after July 1, 2019 (as indicated in the NotBefore field of the certificate) must follow these guidelines:
- TLS server certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID.
- TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).
Easiest way to validate that certificates are compliant
Use the Safari browser on macOS 10.15 or newer to visit the URL in question. If Safari does not show a certificate warning and you are connected via TLS (https), your certificates are compliant.
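For checking certificates without a Mac at hand (for example in a CI job or on the server itself), the following added script applies the rules listed above to the text dump produced by `openssl x509 -noout -text`. It is not part of the original page; the `SAMPLE` dump is constructed for illustration and is not a real certificate.

```python
# Checks a TLS server cert against the macOS 10.15+ rules listed above. Input is the
# text dump from `openssl x509 -in cert.pem -noout -text`; SAMPLE is a constructed dump.
import re
from datetime import datetime, timedelta

CUTOFF = datetime(2019, 7, 1)           # EKU and 825-day rules apply from this NotBefore on
OPENSSL_DATE = "%b %d %H:%M:%S %Y GMT"  # openssl prints e.g. "Aug  1 00:00:00 2019 GMT"

SAMPLE = """\
        Signature Algorithm: sha256WithRSAEncryption
            Not Before: Aug  1 00:00:00 2019 GMT
            Not After : Nov  3 00:00:00 2021 GMT
        Subject: CN = www.example.test
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:www.example.test, DNS:example.test
"""


def _date(label, text):
    raw = re.search(label + r"\s*:\s*(.+)", text).group(1)
    return datetime.strptime(" ".join(raw.split()), OPENSSL_DATE)


def check_cert_text(text, hostname=None):
    """Return a list of rule violations; an empty list means the cert passes."""
    problems = []
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text).group(1)
    if sig.lower().startswith("sha1"):
        problems.append(f"signed with SHA-1 ({sig})")
    key_alg = re.search(r"Public Key Algorithm:\s*(\S+)", text).group(1)
    bits = int(re.search(r"Public-Key:\s*\((\d+) bit\)", text).group(1))
    if key_alg == "rsaEncryption" and bits < 2048:
        problems.append(f"RSA key is only {bits} bits")
    sans = re.findall(r"DNS:([^,\s]+)", text)  # CommonName is deliberately ignored
    if not sans:
        problems.append("no DNS names in SubjectAlternativeName (CommonName is not trusted)")
    elif hostname and hostname not in sans:
        problems.append(f"{hostname} is not in SubjectAlternativeName {sans}")
    not_before, not_after = _date("Not Before", text), _date("Not After", text)
    if not_before >= CUTOFF:
        if "TLS Web Server Authentication" not in text:  # how openssl prints id-kp-serverAuth
            problems.append("ExtendedKeyUsage lacks id-kp-serverAuth")
        if not_after - not_before > timedelta(days=825):
            problems.append(f"validity of {(not_after - not_before).days} days exceeds 825")
    return problems
```

Run it as `openssl x509 -in cert.pem -noout -text | python3 -c 'import sys, check_cert; print(check_cert.check_cert_text(sys.stdin.read(), "www.example.test"))'`; the sample's validity is exactly 825 days, so it passes, while one more day would fail.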