
SSL certs for EFA and other systems

Posted: 17 Nov 2019 13:47
by henk
A build from scratch showed some issues with self-signed certificates generated during the install process when using Chrome as the browser.
Chrome did not allow me to proceed to the EFA GUI; however, Firefox did offer to proceed to an 'unsafe' website.

Trying to understand what was going on, I found some documentation about new requirements concerning certificates.
This will have an impact on internal systems well beyond EFA as well. (Using a Let's Encrypt cert for EFA is not an option for me.)

As we have quite a few self-signed certificates, I need to regenerate these certificates ASAP to meet the new requirements.

Just take a look:
Apple has introduced a series of new requirements for SSL certificates to be accepted by Catalina, documented at https://support.apple.com/en-us/HT210176
To summarize here:

Key size must be at least 2048 bits.
Hash algorithm must be SHA-2 or newer.
DNS names must be in a SubjectAltName, not in the CN field only.

Moreover, for certificates issued after 2019-07-01:
The ExtendedKeyUsage extension must be present, with the id-kp-ServerAuth OID.
The validity period may not be longer than 825 days.

Connections to TLS servers violating these new requirements will fail and may cause network failures, apps to fail, and websites to not load in Safari in iOS 13 and macOS 10.15.

Links:
https://superuser.com/questions/1492207 ... 57#1492657

https://www.ssl.com/blogs/ssl-certifica ... -825-days/

https://www.trustzone.com/ssl-certifica ... f-2-years/
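For anyone who wants to regenerate internal self-signed certificates against the five points summarized above, here is an added example (it is not code from the post, from Apple's article or from the EFA project). It uses only Go's standard library: it builds a self-signed server certificate in memory with a 2048-bit RSA key, a SHA-256 signature, the hostnames in SubjectAltName, the id-kp-serverAuth ExtendedKeyUsage and an 825-day validity, then runs a checker over it and over a deliberately weak variant (1024-bit key, CN only, no EKU, 3 years). The hostname efa.example.internal is a placeholder, and the checker treats NotBefore as the issue date when applying the 2019-07-01 cutoff, which is an assumption of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Apple's limit for server certificates issued on or after 2019-07-01.
const maxValidity = 825 * 24 * time.Hour

// Assumption: the post-2019-07-01 rules are applied when NotBefore is on or
// after this date (NotBefore stands in for the issue date here).
var cutoff = time.Date(2019, 7, 1, 0, 0, 0, 0, time.UTC)

// MakeSelfSigned builds a self-signed TLS server certificate in memory.
// hostnames[0] becomes the CN; all hostnames go into SubjectAltName when
// sanNames is true. keyBits, days, serverAuth and sanNames are explicit so
// a non-compliant certificate can be produced for comparison.
func MakeSelfSigned(hostnames []string, keyBits, days int, serverAuth, sanNames bool) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, keyBits)
	if err != nil {
		return nil, err
	}
	notBefore := time.Now().UTC().Truncate(time.Second)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(notBefore.UnixNano()),
		Subject:               pkix.Name{CommonName: hostnames[0]},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		BasicConstraintsValid: true,
		SignatureAlgorithm:    x509.SHA256WithRSA, // SHA-2 family hash
	}
	if sanNames {
		tmpl.DNSNames = hostnames // DNS names in SubjectAltName, not only in CN
	}
	if serverAuth {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth} // id-kp-serverAuth
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CheckCatalina returns one message per requirement the certificate violates;
// an empty slice means it passes all five checks listed in the post.
func CheckCatalina(c *x509.Certificate) []string {
	var v []string
	if k, ok := c.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < 2048 {
		v = append(v, fmt.Sprintf("RSA key is %d bits, need at least 2048", k.N.BitLen()))
	}
	switch c.SignatureAlgorithm {
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		v = append(v, "signature hash is not SHA-2 or newer: "+c.SignatureAlgorithm.String())
	}
	if len(c.DNSNames) == 0 {
		v = append(v, "no DNS names in SubjectAltName (CN-only certificate)")
	}
	if !c.NotBefore.Before(cutoff) {
		hasServerAuth := false
		for _, eku := range c.ExtKeyUsage {
			if eku == x509.ExtKeyUsageServerAuth {
				hasServerAuth = true
			}
		}
		if !hasServerAuth {
			v = append(v, "ExtendedKeyUsage does not contain id-kp-serverAuth")
		}
		if life := c.NotAfter.Sub(c.NotBefore); life > maxValidity {
			v = append(v, fmt.Sprintf("validity is %d days, limit is 825", int(life.Hours()/24)))
		}
	}
	return v
}

func main() {
	hosts := []string{"efa.example.internal"} // placeholder hostname
	good, err := MakeSelfSigned(hosts, 2048, 825, true, true)
	if err != nil {
		panic(err)
	}
	fmt.Println("compliant certificate, violations:", CheckCatalina(good))
	weak, err := MakeSelfSigned(hosts, 1024, 1095, false, false)
	if err != nil {
		panic(err)
	}
	for _, msg := range CheckCatalina(weak) {
		fmt.Println("weak certificate:", msg)
	}
}
```

To test an existing appliance certificate instead, read the PEM file, run it through pem.Decode and x509.ParseCertificate, and hand the result to CheckCatalina; the same checker applies to certificates from any internal CA, not just self-signed ones.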

Re: SSL certs for EFA and other systems

Posted: 17 Nov 2019 14:56
by shawniverson
This doesn't apply to self-signed certs.

Your chrome issue was a caching issue that I'm working on, most likely.