Certificate Transparency
Applicable to: iOS 12.1.1, macOS 10.14.2, tvOS 12.1.1, watchOS 10.0+, and supported newer version.
Controls Certificate Transparency enforcement which can only appear in a device profile. You can include multiple certificates and disable domains as needed.
Creating a Certificate Transparency configuration
Procedure
- Select Configurations.
- Click + Add.
- Type certificate in the search field, and then click the Certificate Transparency configuration.
- Enter a name and describe the configuration.
- Specify the Domains that will be disabled. Click + Add Domain to add more than one domain. A leading period can be used to match subdomains, however a domain matching rule must not match all the domains within a top level domain. For example, ".example.com" and ".example.co.uk" are allowed while ".com" and ".co.uk" are not allowed. Wildcard domains are not supported.
- Specify Certificate Hash after selecting an algorithm (SHA 256). Click + Add to add more than one certificate hash.
- Click Next to configure the distribution settings.
- Click Done.
To generate the data specified by the Hash key in the subjectPublicKeyInfo dictionary, use the following command for a PEM-encoded certificate:
openssl x509 -pubkey -in example_certificate.pem -inform pem | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
If your certificate is DER-encoded, use the following command:
openssl x509 -pubkey -in example_certificate.der -inform der | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
For more information, see How to create a configuration.