Certificate Transparency Payload
In late 2018, Apple introduced a new Certificate Transparency policy. All certificates issued after October 15, 2018 must meet Apple's requirements to be trusted by Apple products. A Certificate Authority should issue a leaf certificate that meets Apple's Certificate Transparency policy by submitting it to a Certificate Transparency log and including the Signed Certificate Timestamp (SCT) when the certificate is signed; otherwise the SCT must be provided during the TLS handshake.
A Certificate Transparency payload specifies the domains or certificates that are exempt from Certificate Transparency enforcement.
This feature is applicable to:
- iOS 12.1.1
- macOS 10.14.2
- tvOS 12.1.1
Procedure
- In the Admin portal, go to Policies & Configs > Configs.
- Click Add New > Apple > iOS/macOS/tvOS > Certificate Transparency. The New Certificate Transparency Setting dialog box opens.
Item | Description
Name | Enter a name for the certificate transparency configuration.
Description | Enter a description of the certificate transparency configuration.
Domains | Clicking the Add+ button adds another field in the Domains section. A leading period can be used to match subdomains, but a domain matching rule must not match all domains within a top-level domain. For example, .sampledomain.com and .sampledomain.co.uk are allowed, while .com and .co.uk are not.
Certificate Hash for Certificates | Clicking the Add+ button adds a drop-down field for you to select. Hash Algorithm: string, must be sha256 (required field). Hash: created by applying the specified hash algorithm to the DER encoding of the certificate's subjectPublicKeyInfo. See Creating the certificate hash for certificates.
- Click Save. The new configuration appears on the Configurations page.
Creating the certificate hash for certificates
To generate the data specified by the Hash key in the subjectPublicKeyInfo dictionary, use this CLI command for a PEM encoded certificate:
openssl x509 -pubkey -in example_certificate.pem -inform pem | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
If your certificate is DER encoded, use this CLI command:
openssl x509 -pubkey -in example_certificate.der -inform der | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
If your certificate does not have a .pem or .der extension, use the CLI file command to identify its encoding type.
$ file example_certificate.crt
example_certificate.crt: PEM certificate
$ file example_certificate.cer
example_certificate.cer: data
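The openssl pipeline above hashes the DER-encoded subjectPublicKeyInfo, not the whole certificate. The following added example (not part of this guide or of the Apple reference) does the same walk with only the Python standard library, so you can see exactly which bytes go into the Hash field; it accepts PEM or DER input, handles v1 certificates that omit the [0] version field, and includes a constructed, unsigned certificate skeleton (not a real certificate) so the walk can be checked offline.

```python
import base64
import hashlib

def _tlv_at(buf, pos):
    """Decode one DER tag/length header at buf[pos]; return (tag, value_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def to_der(cert_bytes):
    """PEM or DER input: strip PEM armour lines and base64-decode when armour is present."""
    if cert_bytes.lstrip().startswith(b"-----"):
        return base64.b64decode(b"".join(l for l in cert_bytes.splitlines() if not l.startswith(b"-----")))
    return cert_bytes

def extract_spki(cert_der):
    """Return the raw DER TLV of subjectPublicKeyInfo (what `openssl pkey -pubin -outform der` emits).
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature, issuer,
                                  validity, subject, subjectPublicKeyInfo, ... }"""
    _, pos, _ = _tlv_at(cert_der, 0)                # step into the outer Certificate SEQUENCE
    tag, pos, tbs_end = _tlv_at(cert_der, pos)      # step into the tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, _, end = _tlv_at(cert_der, pos)
    if tag == 0xA0:                                 # EXPLICIT [0] version is optional (absent in v1)
        pos = end
    for _ in range(5):                              # serialNumber, signature, issuer, validity, subject
        _, _, pos = _tlv_at(cert_der, pos)
    tag, _, end = _tlv_at(cert_der, pos)
    if tag != 0x30 or end > tbs_end:
        raise ValueError("subjectPublicKeyInfo not found where expected")
    return cert_der[pos:end]

def spki_hash_b64(cert_bytes):
    """Base64(SHA-256(DER subjectPublicKeyInfo)): the value entered in the Hash field."""
    return base64.b64encode(hashlib.sha256(extract_spki(to_der(cert_bytes))).digest()).decode()

def _enc(tag, value):                               # minimal DER encoder for the constructed sample only
    n = len(value)
    ln = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + ln + value

# Constructed, unsigned certificate skeleton (not a real certificate): X.509 field order and tags,
# with a placeholder rsaEncryption SPKI, so the walk above can be exercised offline.
SAMPLE_SPKI = _enc(0x30, _enc(0x30, _enc(0x06, bytes.fromhex("2A864886F70D010101")) + _enc(0x05, b""))
                   + _enc(0x03, b"\x00" + b"\x42" * 200))

def sample_cert(with_version=True, pem=False):
    version = _enc(0xA0, _enc(0x02, b"\x02")) if with_version else b""
    tbs = _enc(0x30, version + _enc(0x02, b"\x01") + _enc(0x30, b"") * 4 + SAMPLE_SPKI)
    der = _enc(0x30, tbs + _enc(0x30, b"") + _enc(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n" if pem else der
```

For a real certificate, `spki_hash_b64(open("example_certificate.pem", "rb").read())` should print the same 44-character string as the openssl pipeline; if the two differ, check that the file really is a single certificate and not a chain.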
For more information, see the Apple Configuration Profile Reference Guide.