Do LetsEncrypt certs meet the requirements for trusted certs in iOS 13 and macOS 10.15?

Apple just published requirements for certificates to be trusted in iOS 13 and macOS 10.15: https://support.apple.com/en-us/HT210176

Do LetsEncrypt certs meet these requirements now?

Most of the requirements seem pretty straightforward; the one I’m unsure of is the requirement concerning ExtendedKeyUsage (EKU) extensions.

1 Like

:wave: Hi @cdetar, thanks for the question.

Yes, they do :lock: :white_check_mark:

Let’s Encrypt certificates meet this requirement as well. Here’s a proof by example using OpenSSL’s (gnarly) command line to show the EKUs of the letsencrypt.org certificate issued by Let’s Encrypt:

```
$> openssl s_client -connect letsencrypt.org:443 -servername letsencrypt.org 2>/dev/null </dev/null | openssl x509 -noout -text | grep -A1 "Extended Key Usage"
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
```

The id-kp-serverAuth OID Apple is looking for corresponds with the “TLS Web Server Authentication” usage in the OpenSSL output.

Hope that helps!

8 Likes
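The EKU check from the answer above, turned into a pass/fail test that also covers a certificate with no EKU extension or with only client authentication. This is an added example, not part of the original thread: the function names `cert_ekus`, `has_server_auth` and `make_sample_cert` and the `example.test` subject are assumptions, and the sample certificates are constructed, throwaway and self-signed.

```shell
#!/bin/sh
# Added example: function names are hypothetical, sample certs are constructed.

# Read a PEM certificate on stdin; print its EKU purposes, one per line.
cert_ekus() {
    openssl x509 -noout -text 2>/dev/null |
        grep -A1 'X509v3 Extended Key Usage' |
        tail -n +2 | tr ',' '\n' | sed 's/^ *//; s/ *$//'
}

# Exit 0 only if the certificate on stdin lists "TLS Web Server
# Authentication", OpenSSL's display name for id-kp-serverAuth.
# A certificate with no EKU extension at all fails the check.
has_server_auth() {
    cert_ekus | grep -qx 'TLS Web Server Authentication'
}

# Write a constructed self-signed certificate to $1 with EKU value $2
# (empty $2 means no EKU extension). -addext needs OpenSSL 1.1.1 or later.
make_sample_cert() {
    if [ -n "$2" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
            -subj '/CN=example.test' -days 1 \
            -addext "extendedKeyUsage=$2" -out "$1" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
            -subj '/CN=example.test' -days 1 -out "$1" 2>/dev/null
    fi
}

# Demo on three constructed certificates.
tmp=$(mktemp -d)
make_sample_cert "$tmp/both.pem" serverAuth,clientAuth
make_sample_cert "$tmp/client.pem" clientAuth
make_sample_cert "$tmp/none.pem" ""
for name in both client none; do
    if has_server_auth < "$tmp/$name.pem"; then
        echo "$name: id-kp-serverAuth present"
    else
        echo "$name: id-kp-serverAuth missing"
    fi
done
rm -rf "$tmp"
```

To run the same check against a live server, pipe the `openssl s_client` output from the answer into `has_server_auth` in place of `openssl x509 -noout -text | grep ...`.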