Certificate Transparency Payload

In late 2018, Apple introduced a new Certificate Transparency policy. All certificates issued after October 15, 2018 must meet Apple's requirements to be trusted by Apple products. Aa Certificate Authority should issue a leaf certificate that meets Apple's Certificate Transparency policy by submitting it to a Certificate Transparency log and including the Signed Certificate Timestamp (SCT) when the certificate is signed, or the SCT must be provided during TLS handshake.

A Certificate Transparency payload specifies which domains or certificates to bypass Certificate Transparency enforcement.

This feature is applicable to:

  • iOS 12.1.1
  • MacOS 10.14.2
  • tvOS 12.1.1


  1. In the Admin Portal, go to Policies & Configs > Configs.
  2. Click Add New > Apple > iOS/macOS /tvOS > Certificate Transparency. The New Certificate Transparency Setting dialog box opens. Fill in the entries using the Certificate Transparency Settings table below.

  3. Click Save.

The new configuration displays in the Configurations page.

Table 1. Certificate Transparency Settings




Enter a name for the certificate transparency configuration.


Enter a description of the certificate transparency configuration.


Clicking the Add+ button adds another field in the Domains section.

A leading period can be used to match subdomains, but a domain matching rule must not match all domains within a top level domain.

For example: .sampledomain.com and .sampledomain.co.uk are allowed while .com and .co.uk are not allowed.

Certificate Hash for Certificates

Clicking the Add+ button adds a drop-down field for you to select.

Creating the certificate hash for certificates

To generate the data specified by the Hash key in the subjectPublicKeyInfo dictionary, use this CLI command for a PEM encoded certificate:

openssl x509 -pubkey -in example_certificate.pem -inform pem | openssl pkey -pubin -

outform der | openssl dgst -sha256 -binary | base64


If your certificate is DER encoded, use this CLI command:

openssl x509 -pubkey -in example_certificate.der -inform der | openssl pkey -pubin -

outform der | openssl dgst -sha256 -binary | base64


If your certificate does not have a .pem or .der extension, use the CLI file command to identify its encoding type.

$ file example_certificate.crt

example_certificate.crt: PEM certificate

$ file example_certificate.cer

example_certificate.cer: data

For more information, see the Apple Configuration Profile Reference Guide.