General Information
Preference Documentation
Log Data Documentation
- Log Data Examples
- Interesting Types of Events
  - SSH Logins and Activity
Related Tech and Configurations
- macOS
Compliance
- cmdReporter and US Govt Standards Details
  - How cmdReporter Meets CMMC, DFARS, and NIST 800-171 Requirements
  - NIST 800-53r4 (high) controls met by using cmdReporter
- Security Baseline Reporting Preferences
  - Security Benchmark Reporting Logs

macOS Server Certificate Requirements

Daniel Griggs

Modified on: Wed, 5 Feb, 2020 at 6:55 PM

Requirements for trusted certificates in macOS 10.15 and newer:

https://support.apple.com/en-us/HT210176

The highlights from the above link:

Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS.
SHA-1 signed certificates are no longer trusted for TLS
DNS names in the CommonName of a certificate are no longer trusted

Additionally, all TLS server certificates issued after July 1, 2019 (as indicated in the NotBefore field of the certificate) must follow these guidelines:

TLS server certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID.
TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).

Easiest way to validate certificates are compliant

Use Safari browser on macOS 10.15 or newer to visit the URL in question. If safari does not show a warning about certificates and you are connected via TLS (https) your certificates are compliant.