SSL certs for EFA and other systems

Bugs in eFa 4
henk
Posts: 518
Joined: 14 Dec 2015 22:16
Location: Netherlands

Post by henk »

A build from scratch showed some issues with the self-signed certificates generated during the install process when using Chrome as the browser.
Chrome did not allow me to proceed to the EFA GUI; Firefox, however, did offer to proceed to an 'unsafe' website.

Trying to understand what was going on, I found some documentation about new requirements concerning certificates.
This will have an impact on internal systems well beyond EFA as well. (Using a Let's Encrypt cert for EFA is not an option for me.)

As we have quite a few self-signed certificates, I need to regenerate them a.s.a.p. to meet the new requirements.

Just take a look:
Apple has introduced a series of new requirements for SSL certificates to be accepted by Catalina, documented at https://support.apple.com/en-us/HT210176
To summarize here:

Key size must be at least 2048 bits.
Hash algorithm must be SHA-2 or newer.
DNS names must be in a SubjectAltName, not in the CN field only.

Moreover, for certificates issued after 2019-07-01:
The ExtendedKeyUsage extension must be present, with the id-kp-ServerAuth OID.
The validity period may not be longer than 825 days.

Connections to TLS servers violating these new requirements will fail and may cause network failures, apps to fail, and websites to not load in Safari in iOS 13 and macOS 10.15.

Links:
https://superuser.com/questions/1492207 ... 57#1492657

https://www.ssl.com/blogs/ssl-certifica ... -825-days/

https://www.trustzone.com/ssl-certifica ... f-2-years/
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
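An added example that is not part of this thread or of the eFa project: a script that regenerates a self-signed server certificate meeting the Catalina rules quoted above (2048-bit key, SHA-256, DNS name in a SAN, serverAuth EKU, 825-day validity) and checks any PEM certificate against those same rules. The hostname and file names are made up for the demo; it assumes OpenSSL 1.1.1 or newer (for -addext) and GNU date for the validity arithmetic.

```shell
#!/bin/sh
# Added example, not eFa code. Issues a compliant self-signed cert and checks
# PEM certs against the Catalina requirements. Hostname/paths are assumptions;
# needs OpenSSL >= 1.1.1 (-addext) and GNU date (-d) for the validity check.
set -eu

# 2048-bit RSA, SHA-256, DNS name in a SAN, serverAuth EKU, 825-day validity.
gen_cert() {          # usage: gen_cert <hostname> <output basename>
  openssl req -x509 -newkey rsa:2048 -sha256 -days 825 -nodes \
    -keyout "$2.key" -out "$2.crt" -subj "/CN=$1" \
    -addext "subjectAltName=DNS:$1" \
    -addext "extendedKeyUsage=serverAuth" 2>/dev/null
}

# Echo "ok" when a certificate passes every rule, otherwise "FAIL:" plus the failures.
check_cert() {        # usage: check_cert <cert.pem>
  txt=$(openssl x509 -in "$1" -noout -text)
  fail=""
  # Key size: "Public-Key: (N bit)" must show N >= 2048.
  bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1)
  [ "${bits:-0}" -ge 2048 ] || fail="$fail key-too-small"
  # Hash: SHA-2 or newer required, so reject SHA-1 and MD5 signatures.
  if printf '%s\n' "$txt" | grep -qiE 'Signature Algorithm: .*(sha1|md5)'; then
    fail="$fail weak-hash"
  fi
  # DNS names must be in a SubjectAltName; a CN alone is not enough.
  printf '%s\n' "$txt" | grep -A1 'Subject Alternative Name' | grep -q 'DNS:' \
    || fail="$fail no-san-dns"
  # ExtendedKeyUsage must be present and include id-kp-serverAuth.
  printf '%s\n' "$txt" | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Server Authentication' \
    || fail="$fail no-serverauth-eku"
  # Validity period (notBefore to notAfter) may not exceed 825 days.
  nb=$(date -u -d "$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)" +%s)
  na=$(date -u -d "$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)" +%s)
  [ $(( (na - nb) / 86400 )) -le 825 ] || fail="$fail validity-over-825d"
  [ -z "$fail" ] && echo ok || echo "FAIL:$fail"
}

# Demo: a compliant cert next to an old-style one (CN only, 10 years) for contrast.
tmp=$(mktemp -d)
gen_cert efa.example.internal "$tmp/efa"
check_cert "$tmp/efa.crt"                       # ok
openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes -keyout "$tmp/old.key" \
  -out "$tmp/old.crt" -subj "/CN=efa.example.internal" 2>/dev/null
check_cert "$tmp/old.crt"                       # FAIL: no-san-dns no-serverauth-eku validity-over-825d
```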
shawniverson
Posts: 3649
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: SSL certs for EFA and other systems

Post by shawniverson »

This doesn't apply to self-signed certs.

Your Chrome issue was a caching issue that I'm working on, most likely.