Certificate Transparency Payload
In late 2018, Apple introduced a new Certificate Transparency policy. All certificates issued after October 15, 2018 must meet Apple's requirements to be trusted by Apple products. A Certificate Authority issues a leaf certificate that meets Apple's Certificate Transparency policy by submitting it to a Certificate Transparency log and embedding the resulting Signed Certificate Timestamp (SCT) in the certificate when it is signed; alternatively, the SCT can be delivered during the TLS handshake.
A Certificate Transparency payload specifies the domains or certificates that are exempt from Certificate Transparency enforcement.
This feature applies to:
- iOS 12.1.1
- macOS 10.14.2
- tvOS 12.1.1
Procedure
- In the Admin Portal, go to Policies & Configs > Configs.
- Click Add New > Apple > iOS/macOS/tvOS > Certificate Transparency. The New Certificate Transparency Setting dialog box opens. Fill in the entries using the Certificate Transparency Settings table below.
- Click Save.
The new configuration appears on the Configurations page.
Table 1. Certificate Transparency Settings
Item | Description
Name | Enter a name for the certificate transparency configuration.
Description | Enter a description of the certificate transparency configuration.
Domains | Clicking the Add+ button adds another field in the Domains section. A leading period matches subdomains, but a domain matching rule must not match all domains within a top-level domain. For example, .sampledomain.com and .sampledomain.co.uk are allowed, while .com and .co.uk are not.
Certificate Hash for Certificates | Clicking the Add+ button adds a drop-down field for selecting a certificate hash.
Creating the certificate hash for certificates
To generate the data specified by the Hash key in the subjectPublicKeyInfo dictionary, use this CLI command for a PEM-encoded certificate:
openssl x509 -pubkey -in example_certificate.pem -inform pem | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
If your certificate is DER-encoded, use this CLI command:
openssl x509 -pubkey -in example_certificate.der -inform der | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
If your certificate does not have a .pem or .der extension, use the CLI file command to identify its encoding. A PEM certificate is reported by name, whereas a DER certificate is reported only as generic data, as in the following examples:
$ file example_certificate.crt
example_certificate.crt: PEM certificate
$ file example_certificate.cer
example_certificate.cer: data
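The openssl pipeline above performs three steps: extract the certificate's subjectPublicKeyInfo, DER-encode it, and base64 the SHA-256 digest of those bytes. The following added example (not MobileIron's or Apple's code) reproduces the same computation in Python without openssl, so you can check a hash offline or batch-compute it for many certificates. It handles both PEM and DER input, detecting PEM by its BEGIN marker just as file distinguishes "PEM certificate" from "data", and it copes with v1 certificates that omit the optional [0] version field. The sample certificate it builds is constructed purely to exercise the parser: placeholder key bits, empty names, no valid signature.

```python
import base64
import hashlib
import re


def _tlv(tag: int, value: bytes) -> bytes:
    """DER-encode one tag/length/value element (short and long-form lengths)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def _read_tlv(data: bytes, offset: int = 0):
    """Decode the element at `offset`; return (tag, value, total bytes consumed)."""
    tag = data[offset]
    first = data[offset + 1]
    pos = offset + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    value = data[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length - offset


def _children(body: bytes):
    """Yield (tag, raw_encoded_element, value) for each element in a SEQUENCE body."""
    off = 0
    while off < len(body):
        tag, value, consumed = _read_tlv(body, off)
        yield tag, body[off:off + consumed], value
        off += consumed


def to_der(cert: bytes) -> bytes:
    """Accept PEM or DER and return DER. PEM is recognised by its BEGIN marker."""
    if cert.lstrip().startswith(b"-----BEGIN"):
        m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", cert, re.S)
        if not m:
            raise ValueError("no CERTIFICATE block found in PEM input")
        return base64.b64decode(b"".join(m.group(1).split()))
    return cert


def extract_spki(der_cert: bytes) -> bytes:
    """Return the DER-encoded subjectPublicKeyInfo of an X.509 certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert_body, _ = _read_tlv(der_cert)
    if tag != 0x30:
        raise ValueError("input is not a DER SEQUENCE (is it really DER?)")
    tbs_tag, _, tbs_body = next(_children(cert_body))
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = list(_children(tbs_body))
    if fields and fields[0][0] == 0xA0:   # explicit [0] version is optional (absent in v1)
        fields = fields[1:]
    if len(fields) < 6:
        raise ValueError("tbsCertificate has too few fields")
    spki_tag, spki_raw, _ = fields[5]
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return spki_raw


def spki_hash(cert: bytes) -> str:
    """base64(SHA-256(SPKI DER)): the value the payload's Hash key expects."""
    return base64.b64encode(hashlib.sha256(extract_spki(to_der(cert))).digest()).decode()


# ---- constructed sample certificate (placeholder key bits, not signed) ----
_RSA_OID = bytes.fromhex("06092a864886f70d010101")          # rsaEncryption
_SHA256_RSA_OID = bytes.fromhex("06092a864886f70d01010b")   # sha256WithRSAEncryption
SAMPLE_SPKI = _tlv(0x30, _tlv(0x30, _RSA_OID + b"\x05\x00")
                   + _tlv(0x03, b"\x00" + bytes(range(40))))  # BIT STRING, fake key bits


def build_sample_cert(with_version: bool = True) -> bytes:
    """Build a structurally valid DER certificate around SAMPLE_SPKI."""
    version = _tlv(0xA0, _tlv(0x02, b"\x02")) if with_version else b""
    tbs = _tlv(0x30, version
               + _tlv(0x02, b"\x01")                                   # serialNumber
               + _tlv(0x30, _SHA256_RSA_OID + b"\x05\x00")             # signature algorithm
               + _tlv(0x30, b"")                                       # issuer (empty Name)
               + _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"250101000000Z"))
               + _tlv(0x30, b"")                                       # subject (empty Name)
               + SAMPLE_SPKI)
    return _tlv(0x30, tbs + _tlv(0x30, _SHA256_RSA_OID + b"\x05\x00") + _tlv(0x03, b"\x00" * 17))


def to_pem(der_cert: bytes) -> bytes:
    """Wrap DER in a PEM CERTIFICATE block (base64 with line breaks)."""
    body = base64.encodebytes(der_cert)
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    der = build_sample_cert()
    print(spki_hash(der))          # same value either way: the hash covers only the SPKI
    print(spki_hash(to_pem(der)))
```

On a real certificate, `spki_hash(open("example_certificate.pem", "rb").read())` yields the same string as the openssl pipeline, because both hash exactly the DER SubjectPublicKeyInfo structure and nothing else; the outer encoding of the certificate never affects the result.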
For more information, see the Apple Configuration Profile Reference Guide.