SSL certs for EFA and other systems

Bugs in eFa 4
Post Reply
henk
Posts: 401
Joined: 14 Dec 2015 22:16
Location: Netherlands
Contact:

SSL certs for EFA and other systems

Post by henk » 17 Nov 2019 13:47

A build from scratch showed some issues with self signed certificates generated during the install process when using Chrome as browser.
Chrome did not allow me to proceed to the EFA Gui, however Firefox did offer to proceed to an 'unsafe' website.

Trying to understand what was going on, I found some docu about new requirements concerning certificates.
This will have an impact on -internal-systems well beyond EFA as well. (Using a Lets Encrypt cert for efa is no option for me.)

As we have quite some self signed certificates, I need to re generate these certificates a.s.a.p. to meet the new requirements.

Just take a look:
Apple has introduced a series of new requirements for SSL certificates to be accepted by Catalina, documented at https://support.apple.com/en-us/HT210176
To summarize here:

Key size must be at least 2048 bits.
Hash algorithm must be SHA-2 or newer.
DNS names must be in a SubjectAltName, not in the CN field only.

Moreover, for certificates issued after 2019-07-01:
The ExtendedKeyUsage extension must be present, with the id-kp-ServerAuth OID.
The validity period may not be longer than 825 days.

Connections to TLS servers violating these new requirements will fail and may cause network failures, apps to fail, and websites to not load in Safari in iOS 13 and macOS 10.15.

links:
https://superuser.com/questions/1492207 ... 57#1492657

https://www.ssl.com/blogs/ssl-certifica ... -825-days/

https://www.trustzone.com/ssl-certifica ... f-2-years/

User avatar
shawniverson
Posts: 2897
Joined: 13 Jan 2014 23:30
Location: Rushville, Indiana, USA
Contact:

Re: SSL certs for EFA and other systems

Post by shawniverson » 17 Nov 2019 14:56

This doesn't apply to self-signed certs.

Your chrome issue was a caching issue that I'm working on, most likely.
Version eFa 4.0.0 now available!

Post Reply