Publicly trusted Transport Layer Security (TLS) server authentication certificates issued after October 15, 2018 must meet Apple's Certificate Transparency (CT) policy to be evaluated as trusted on Apple platforms. Previously, only publicly trusted Extended Validation (EV) TLS server authentication certificates were required to meet this CT policy.
Certificates that fail to comply with our policy will result in a failed TLS connection, which can break an app’s connection to Internet services or Safari’s ability to seamlessly connect.
Apple's policy requires at least two Signed Certificate Timestamps (SCTs) issued from a CT log — once-approved* or currently approved at the time of check — and either:
- At least two SCTs from currently approved CT logs with one SCT presented via TLS extension or OCSP Stapling; or
- At least one embedded SCT from a currently approved log and at least the number of SCTs from once or currently approved logs, based on validity period as detailed in the table below.
Number of embedded SCTs based on certificate lifetime:

| Certificate lifetime | # of SCTs from separate logs |
|---|---|
| Less than 15 months | 2 |
| 15 to 27 months | 3 |
| 27 to 39 months | 4 |
| More than 39 months | 5 |
* To be considered “once-approved,” the timestamp in the SCT must have been issued from a CT log that was in the approved CT log list at the time of the SCT issuance.
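The evaluation described above, written out as an added example (not Apple's own trust-evaluation code). It assumes a simple SCT record carrying the log identifier, how the SCT was delivered, and whether the log is on the approved list now and was on it when the SCT was issued; the placement of lifetimes of exactly 27 or 39 months in the lower bucket is an assumption, since the table does not say.

```python
from dataclasses import dataclass


def required_embedded_scts(lifetime_months: float) -> int:
    """Embedded-SCT count from the lifetime table (boundary values assumed to fall in the lower bucket)."""
    if lifetime_months < 15:
        return 2
    if lifetime_months <= 27:
        return 3
    if lifetime_months <= 39:
        return 4
    return 5


@dataclass(frozen=True)
class SCT:
    log_id: str                  # identifies the CT log; "separate logs" means distinct log_ids
    source: str                  # "embedded", "tls_extension" or "ocsp"
    approved_now: bool           # log is on the currently approved list
    approved_at_issuance: bool   # log was approved when the SCT was issued ("once-approved")


def meets_apple_ct_policy(scts: list[SCT], lifetime_months: float) -> bool:
    # Baseline: at least two SCTs from distinct once- or currently approved logs.
    qualifying_logs = {s.log_id for s in scts if s.approved_now or s.approved_at_issuance}
    if len(qualifying_logs) < 2:
        return False

    # Option A: two SCTs from distinct currently approved logs, at least one of them
    # delivered via the TLS extension or OCSP stapling rather than embedded.
    current = [s for s in scts if s.approved_now]
    if len({s.log_id for s in current}) >= 2 and any(
        s.source in ("tls_extension", "ocsp") for s in current
    ):
        return True

    # Option B: at least one embedded SCT from a currently approved log, plus enough
    # embedded SCTs from distinct once- or currently approved logs for the lifetime.
    embedded = [s for s in scts if s.source == "embedded"]
    if any(s.approved_now for s in embedded):
        embedded_logs = {s.log_id for s in embedded if s.approved_now or s.approved_at_issuance}
        if len(embedded_logs) >= required_embedded_scts(lifetime_months):
            return True
    return False
```

Running the same certificate through the check with a different effective date (which changes `approved_now`) is the quickest way to see whether a deployment depends on the two-SCT TLS-extension path or on embedded SCTs alone.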