All,
Posting this to help others and to see if anyone's found a genuine solution before I open a ticket.
Starting with macOS Catalina and iOS 13, Apple has begun placing new restrictions on how it treats certificates. You can get all the gory details here: https://support.apple.com/en-us/HT210176.
In a nutshell it boils down to:
- TLS server certificates and issuing CAs using RSA keys must use key sizes greater than or equal to 2048 bits. Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS.
- TLS server certificates and issuing CAs must use a hash algorithm from the SHA-2 family in the signature algorithm. SHA-1 signed certificates are no longer trusted for TLS.
- TLS server certificates must present the DNS name of the server in the Subject Alternative Name extension of the certificate. DNS names in the CommonName of a certificate are no longer trusted.
Now here's the rub. There are two additional requirements beginning for certificates issued after July 1, 2019:
- TLS server certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID.
- TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).
The first requirement is the problem, however. Certificates generated by FreeNAS don't seem to include the EKU extension, and that breaks things in Safari and (soon) other browsers.
To create a compliant certificate, you need to do something like (cribbed from this terrific summary of the issues presented in Catalina and iOS 13):
openssl x509 -passin pass:$CA_PASSWORD -req -days $CLIENT_VALID_DAYS -in $CSR_FILE -CA $CA_CRT_FILE -CAkey $CA_KEY_FILE \
-out $CRT_FILE -CAcreateserial -CAserial $CA_DIR/ca.seq -extfile <(printf "extendedKeyUsage = serverAuth \n subjectAltName=DNS:$SANS") > /dev/null
So my questions:
1. Have other people run into this issue?
2. If so, how've you resolved it?
It's entirely possible I'm missing something too, but since I had a well-functioning CA before this, and this is the first post-Catalina certificate I'm generating from that CA, I'm pretty sure the above is the issue in question.
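As an added example (not the post's own command, and not anything shipped by FreeNAS): a throwaway script that issues a certificate with the extensions described above, using an -extfile on disk instead of bash process substitution, and then checks the result against the five HT210176 rules quoted in the post. It assumes openssl on PATH and GNU date for the validity-period check; the CA name, hostname and paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: sign a CSR with the EKU and SAN
# extensions the post describes, then check the result against the HT210176
# rules it quotes. All names, paths and the throwaway CA are constructed;
# the validity check assumes GNU date (-d).
set -eu

# issue_cert CA_DIR OUT_DIR HOSTNAME DAYS
# Creates a throwaway CA in CA_DIR (if missing) and signs OUT_DIR/server.crt for
# HOSTNAME, using an -extfile with extendedKeyUsage and subjectAltName as the post does.
issue_cert() {
  ca="$1"; out="$2"; host="$3"; days="$4"
  mkdir -p "$ca" "$out"
  [ -f "$ca/ca.key" ] || openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 3650 \
    -subj "/CN=Example Test CA" -keyout "$ca/ca.key" -out "$ca/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -sha256 -nodes -subj "/CN=$host" \
    -keyout "$out/server.key" -out "$out/server.csr" 2>/dev/null
  printf 'extendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$host" > "$out/ext.cnf"
  openssl x509 -req -sha256 -days "$days" -in "$out/server.csr" -CA "$ca/ca.crt" \
    -CAkey "$ca/ca.key" -CAcreateserial -extfile "$out/ext.cnf" -out "$out/server.crt" 2>/dev/null
}

# check_apple_tls CERT: prints one FAIL line per unmet rule; returns 0 only if all pass.
check_apple_tls() {
  txt=$(openssl x509 -in "$1" -noout -text); rc=0
  bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1)
  [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: RSA key is ${bits:-?} bits (< 2048)"; rc=1; }
  printf '%s\n' "$txt" | grep -Eq 'Signature Algorithm: sha(256|384|512)' \
    || { echo "FAIL: signature algorithm is not SHA-2"; rc=1; }
  printf '%s\n' "$txt" | grep -A1 'Subject Alternative Name' | grep -q 'DNS:' \
    || { echo "FAIL: no DNS name in subjectAltName (CN alone is not trusted)"; rc=1; }
  printf '%s\n' "$txt" | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Server Authentication' \
    || { echo "FAIL: no serverAuth in extendedKeyUsage"; rc=1; }
  nb=$(date -d "$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)" +%s)
  na=$(date -d "$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)" +%s)
  [ $(( (na - nb) / 86400 )) -le 825 ] || { echo "FAIL: validity exceeds 825 days"; rc=1; }
  return $rc
}

# Demo: an 825-day cert with EKU and SAN passes; a 900-day one is reported.
work=$(mktemp -d)
issue_cert "$work/ca" "$work/ok" nas.example.test 825
check_apple_tls "$work/ok/server.crt" && echo "825-day cert: OK"
issue_cert "$work/ca" "$work/long" nas.example.test 900
check_apple_tls "$work/long/server.crt" || echo "900-day cert: rejected"
```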