Thanks, but I don't think that completely answers my question (unless I'm missing something).
For example, it's common practice in businesses to have their own root certificate authority. They then issue certificates signed by that authority to private, internal servers. Each client device is configured to accept that private root certificate as trusted and can therefore (when connected to the company's LAN either locally or by VPN) visit myprivatesite.local and the site will be secure and trusted.
If one is only issuing private server certificates in this context, there's really no need for SAN; but based on this MacRumors article, Apple's devices wouldn't accept that because they need that extension in the certificate. This makes no sense to me. Now I do get that it's standard practice to include the domain in the CN in the list of SANs, but not if there is literally one, single domain.
(The same is true for public web sites that only need a certificate for one domain, though public CAs will handle most of this stuff for the web site owner.)
Here's another thing not mentioned above:
Sure, in most cases no one is issuing certificates for that long, but why restrict the validity period? If I'm setting up something internally, I should be able to do what I want, as I can always revoke the certificates later if need be.
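
As an added example (not part of the post above, and not Apple's or any project's code): a small Python check over a certificate dictionary in the shape `ssl.getpeercert()` returns, flagging an internal certificate whose hostname appears only in the CN and whose lifetime exceeds a policy ceiling. The 825-day ceiling, the finding names and both sample certificates are assumptions constructed for illustration.

```python
import ssl

# Assumed policy ceiling for this example; the post does not state a number.
MAX_VALIDITY_DAYS = 825

def dns_sans(cert):
    """Return the dNSName entries from a getpeercert()-style dict."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def common_names(cert):
    return [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Exact match, or a wildcard covering exactly the left-most label."""
    p, h = pattern.split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]  # no wildcard directly under a top-level label
    return p == h

def lint(cert, host, max_days=MAX_VALIDITY_DAYS):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    sans = dns_sans(cert)
    if not sans:
        findings.append("no-dns-san")
        if any(name_matches(cn, host) for cn in common_names(cert)):
            findings.append("hostname-only-in-cn")
    elif not any(name_matches(s, host) for s in sans):
        findings.append("hostname-not-in-san")
    days = (ssl.cert_time_to_seconds(cert["notAfter"])
            - ssl.cert_time_to_seconds(cert["notBefore"])) / 86400
    if days > max_days:
        findings.append("validity-exceeds-%d-days" % max_days)
    return findings

# Constructed sample certificates, in the shape ssl.getpeercert() returns.
CN_ONLY = {
    "subject": ((("commonName", "myprivatesite.local"),),),
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Jan 15 00:00:00 2034 GMT",
}
WITH_SAN = dict(CN_ONLY, subjectAltName=(("DNS", "myprivatesite.local"),),
                notAfter="Jan 15 00:00:00 2025 GMT")

if __name__ == "__main__":
    for label, cert in (("CN only", CN_ONLY), ("CN + SAN", WITH_SAN)):
        print(label, lint(cert, "myprivatesite.local"))
```

Running `lint` across a private CA's issued certificates before a client OS update shows which internal servers need reissuing with a SAN entry or a shorter lifetime.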