Do LetsEncrypt certs meet the requirements for trusted certs in iOS 13 and macOS 10.15?

Apple just published requirements for certificates to be trusted in iOS 13 and macOS 10.15:

Do LetsEncrypt certs meet these requirements now?

Most of the requirements seem pretty straightforward; the one I’m unsure of is the requirement concerning ExtendedKeyUsage (EKU) extensions.

:wave: Hi @cdetar, thanks for the question.

Yes, they do :lock: :white_check_mark:

Let’s Encrypt certificates meet this requirement as well. Here’s a proof by example using OpenSSL’s (gnarly) command line to show the EKUs of the certificate issued by Let’s Encrypt:

$> openssl s_client -connect "$HOST:443" -servername "$HOST" 2>/dev/null </dev/null | openssl x509 -noout -text | grep -A1 "Extended Key Usage"
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication

The id-kp-serverAuth OID Apple is looking for corresponds with the “TLS Web Server Authentication” usage in the OpenSSL output.

Hope that helps!
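The correspondence between the OID and OpenSSL's label, as an added example that is not part of the original reply: this Python decodes a DER-encoded extKeyUsage extension with the standard library only and maps each KeyPurposeId OID to the label OpenSSL prints. The sample bytes are constructed for illustration (not taken from a live certificate), and the function names are hypothetical.

```python
# Added example, not from the thread: decode extKeyUsage with the stdlib only.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth
OPENSSL_NAMES = {SERVER_AUTH: "TLS Web Server Authentication",  # OpenSSL's labels
                 "1.3.6.1.5.5.7.3.2": "TLS Web Client Authentication"}
# Constructed sample: Extension{2.5.29.37, OCTET STRING{SEQUENCE{serverAuth, clientAuth}}}
SAMPLE_EKU_EXT = bytes.fromhex(
    "301d0603551d2504163014" "06082b06010505070301" "06082b06010505070302")

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Turn OID content bytes (base-128 arcs) into dotted notation."""
    arcs, acc = [], 0
    for byte in value:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear ends the current arc
            arcs.append(acc)
            acc = 0
    first = min(arcs[0] // 40, 2)  # the first two arcs share one encoded value
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def eku_purposes(ext_der):
    """Map each KeyPurposeId OID in a DER extKeyUsage Extension to its label."""
    _, ext, _ = read_tlv(ext_der)
    tag, oid, pos = read_tlv(ext)
    if tag != 0x06 or decode_oid(oid) != "2.5.29.37":
        raise ValueError("not an extKeyUsage extension")
    tag, value, pos = read_tlv(ext, pos)
    if tag == 0x01:  # optional 'critical' BOOLEAN precedes the value
        tag, value, pos = read_tlv(ext, pos)
    _, seq, _ = read_tlv(value)
    purposes, pos = [], 0
    while pos < len(seq):
        _, oid, pos = read_tlv(seq, pos)
        purposes.append(decode_oid(oid))
    return {p: OPENSSL_NAMES.get(p, p) for p in purposes}

def allows_server_auth(ext_der):
    return SERVER_AUTH in eku_purposes(ext_der)
```

A certificate whose EKU lists only client authentication makes `allows_server_auth` return False, which is the case the EKU requirement rules out.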
