Apple just published requirements for certificates to be trusted in iOS 13 and macOS 10.15: https://support.apple.com/en-us/HT210176
Do LetsEncrypt certs meet these requirements now?
Most of the requirements seem pretty straight-forward; the one I’m unsure of is the requirement concerning ExtendedKeyUsage (EKU) extensions.
Hi @cdetar, thanks for the question.
Yes, they do
Let’s Encrypt certificates meet this requirement as well. Here’s a proof by example using OpenSSL’s (gnarly) command line to show the EKUs of the letsencrypt.org certificate issued by Let’s Encrypt:
$> openssl s_client -connect letsencrypt.org:443 -servername letsencrypt.org 2>/dev/null </dev/null | openssl x509 -noout -text | grep -A1 "Extended Key Usage"
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
The id-kp-serverAuth OID Apple is looking for corresponds with the “TLS Web Server Authentication” usage in the OpenSSL output.
Hope that helps!
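The check from the reply above, as an added example that is not part of the original posts: a shell function that tells apart a certificate carrying the serverAuth EKU, one with only other usages, and one with no EKU extension at all. The function names, the example.test subject and the locally generated self-signed certificates are constructed for illustration; OpenSSL 1.1.1 or later is assumed for `-addext`.

```shell
#!/bin/sh
# Added example: classify a PEM certificate by its Extended Key Usage (EKU).

# eku_status FILE -> prints serverAuth | other-eku | no-eku | unreadable
eku_status() {
    # Reject anything OpenSSL cannot parse as a certificate.
    openssl x509 -in "$1" -noout 2>/dev/null || { echo unreadable; return 0; }
    # The usages sit on the line after the "X509v3 Extended Key Usage"
    # header (the header itself may carry a trailing "critical").
    usages=$(openssl x509 -in "$1" -noout -text |
        awk 'hit { sub(/^[ \t]+/, ""); print; hit = 0 }
             /X509v3 Extended Key Usage/ { hit = 1 }')
    case "$usages" in
        "") echo no-eku ;;
        # OpenSSL prints id-kp-serverAuth as "TLS Web Server Authentication".
        *"TLS Web Server Authentication"*) echo serverAuth ;;
        *) echo other-eku ;;
    esac
}

# make_test_cert OUT [EKU] -> constructed self-signed cert for example.test.
# EKU is an OpenSSL extendedKeyUsage value such as serverAuth or clientAuth.
make_test_cert() {
    out=$1; eku=${2:-}
    set -- -x509 -newkey rsa:2048 -nodes -keyout "$out.key" \
        -subj "/CN=example.test" -days 1 -out "$out"
    [ -z "$eku" ] || set -- "$@" -addext "extendedKeyUsage=$eku"
    openssl req "$@" 2>/dev/null
}

# Run the classifier over three constructed certificates.
demo() {
    dir=$(mktemp -d)
    make_test_cert "$dir/server.pem" serverAuth
    make_test_cert "$dir/client.pem" clientAuth
    make_test_cert "$dir/none.pem"
    for c in server client none; do
        echo "$c: $(eku_status "$dir/$c.pem")"
    done
    rm -rf "$dir"
}
demo
```

To check a live site instead, save the PEM output of the `openssl s_client` command above to a file and pass that file to `eku_status`.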