
Certificate Transparency payload settings for Apple devices
Use the Certificate Transparency payload to control the behaviour of Certificate Transparency enforcement on an iPhone, iPad, Mac or Apple TV device. This custom payload doesn’t require MDM or enrolment in Apple School Manager or Apple Business Manager.
iOS, iPadOS, macOS and tvOS added new Certificate Transparency requirements that TLS certificates must meet in order to be trusted. Certificate Transparency involves submitting a server’s public certificate to a log that is available to the public. An organisation using certificates for internal-only servers may not be able to reveal the existence of those servers, so that organisation will be unable to use Certificate Transparency, and the Certificate Transparency requirements will then cause certificate trust failures for that organisation’s users.
This payload allows device administrators to selectively lower the Certificate Transparency requirement for internal domains and servers to avoid those trust failures on devices communicating with the internal servers. See:
Certificate Transparency policy on the Apple Support website
Certificate Transparency policy on the Chromium Project website
| OS and channel | Supported enrolment types | Interaction | Duplicates |
|---|---|---|---|
| iOS, iPadOS, tvOS, macOS device | User, Device, Automated Device | Combined | Multiple |
| Setting | Description | Required |
|---|---|---|
| Disable Certificate Transparency enforcement for specific certificates | Select this option to permit private, untrusted certificates by disabling the enforcement of Certificate Transparency. Each certificate entry must specify (1) the algorithm that was used by the issuer to sign the certificate and (2) the public key, as a hash, that’s associated with the identity the certificate is issued to. For the specific values you need, see the rest of this table. | No |
| Algorithm | The algorithm that was used by the issuer to sign the certificate. The value must be “sha256”. | Yes, if Disable Certificate Transparency enforcement for specific certificates is used |
| Hash of | The public key associated with the identity the certificate is issued to. | Yes, if Disable Certificate Transparency enforcement for specific certificates is used |
| Disable specific domains | A list of domains where Certificate Transparency is disabled. A leading full stop can be used to match subdomains, but a domain matching rule must not match all domains within a top-level domain (“.com” and “.co.uk” are not allowed, but “.example.com” and “.example.co.uk” are allowed). | No |
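The domain rule described in the table above is worth checking mechanically before a profile ships, because a rule that is too broad silently turns Certificate Transparency off for far more hosts than intended. The following Python example is added here and is not Apple's code: it validates a rule against the “must not match all domains within a top-level domain” constraint using a small constructed subset of the public suffix list (a real check would load the full list), and it shows how a leading full stop matches subdomains on whole labels only. The matching semantics for a rule without a leading full stop (exact hostname only) are an assumption of this example, not something the page states.

```python
# Constructed subset of the public suffix list; assumption: a production check
# would load the complete list rather than this hand-picked sample.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk"}


def parse_rule(rule):
    """Split a 'Disable specific domains' rule into (matches_subdomains, domain)."""
    rule = rule.strip().lower().rstrip(".")
    subdomains = rule.startswith(".")
    domain = rule[1:] if subdomains else rule
    return subdomains, domain


def is_valid_rule(rule):
    """Accept a rule only if it names a specific domain: every label must be a
    non-empty DNS label, and the domain must not be a bare public suffix such
    as 'com' or 'co.uk' (so '.com' and '.co.uk' are rejected)."""
    _, domain = parse_rule(rule)
    if not domain:
        return False
    for label in domain.split("."):
        if not label or not label.replace("-", "").isalnum():
            return False
    return domain not in PUBLIC_SUFFIXES


def rule_matches(rule, hostname):
    """Assumption (this example's reading of the table): a leading full stop
    matches every hostname below the domain, and a rule without one matches
    that exact hostname only. Matching is on whole labels, so '.example.com'
    never matches 'notexample.com'. Invalid rules never match anything."""
    if not is_valid_rule(rule):
        return False
    subdomains, domain = parse_rule(rule)
    host = hostname.strip().lower().rstrip(".")
    if subdomains:
        return host.endswith("." + domain)
    return host == domain


def ct_enforced(hostname, rules):
    """Certificate Transparency stays enforced unless some valid rule matches."""
    return not any(rule_matches(rule, hostname) for rule in rules)


if __name__ == "__main__":
    # Constructed sample rule set: one overly broad rule, one acceptable rule.
    proposed = [".co.uk", ".intranet.example.com"]
    for rule in proposed:
        print(rule, "valid" if is_valid_rule(rule) else "REJECTED: too broad")
    print(ct_enforced("git.intranet.example.com", proposed))  # False: CT disabled
    print(ct_enforced("www.example.co.uk", proposed))         # True: rule rejected
```

Run against a draft rule list before installing the profile; any rule reported as rejected would be refused by the device as well, so catching it here avoids a profile that installs but disables nothing.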
How to create the hash of subjectPublicKeyInfo
In order for Certificate Transparency enforcement to be disabled when this policy is set, the subjectPublicKeyInfo hash must be one of the following:
| The first method to disable Certificate Transparency enforcement |
|---|
| A hash of the server leaf certificate’s |

| The second method to disable Certificate Transparency enforcement |
|---|
| |

| The third method to disable Certificate Transparency enforcement |
|---|
| |
How to generate the specified data
To generate the hash value for the subjectPublicKeyInfo dictionary, use the following commands.
PEM encoded certificate:
```shell
openssl x509 -pubkey -in example_certificate.pem -inform pem | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
```
DER encoded certificate:
```shell
openssl x509 -pubkey -in example_certificate.der -inform der | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
```
If your certificate doesn’t have a .pem or .der extension, use the following file commands to identify its encoding type:
```shell
file example_certificate.crt
file example_certificate.cer
```
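The openssl pipeline above hides what is actually being hashed: the complete DER-encoded subjectPublicKeyInfo element (algorithm identifier plus public key bits), not the raw key and not the whole certificate. The following Python example is added here and is not Apple's code; it walks the certificate's DER structure to find that element, hashes it with SHA-256 and base64-encodes the raw digest, exactly as the pipeline does, and distinguishes PEM from DER input as the `file` step is meant to. The certificate it runs on is a constructed, syntactically valid X.509 skeleton with a placeholder key and an all-zero signature, built inline so the example runs offline; all helper names are the example's own.

```python
import base64
import hashlib

# Minimal DER helpers (this example's own, not an Apple or OpenSSL API).

def der_len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    """Encode one tag-length-value element."""
    return bytes([tag]) + der_len(len(content)) + content


def der_read_tlv(buf, pos):
    """Decode the TLV header at pos; return (tag, content_start, end)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        header = 2 + nbytes
    start = pos + header
    return tag, start, start + length


def detect_encoding(data):
    """PEM is a base64 text block with a '-----BEGIN' banner; DER begins with
    the SEQUENCE tag 0x30. This is the distinction the 'file' step makes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return "pem"
    if data[:1] == b"\x30":
        return "der"
    raise ValueError("not a PEM or DER certificate")


def pem_to_der(pem):
    lines = [ln.strip() for ln in pem.splitlines()]
    return base64.b64decode(b"".join(ln for ln in lines
                                     if ln and not ln.startswith(b"-----")))


def der_to_pem(der):
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"


def extract_spki(cert_der):
    """Return the complete DER subjectPublicKeyInfo element. RFC 5280 layout:
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    tbsCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tag, pos, _ = der_read_tlv(cert_der, 0)           # outer Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, tbs_end = der_read_tlv(cert_der, pos)   # tbsCertificate
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    if cert_der[pos] == 0xA0:                         # skip optional [0] version
        _, _, pos = der_read_tlv(cert_der, pos)
    for _ in range(5):                                # serial, signature, issuer, validity, subject
        _, _, pos = der_read_tlv(cert_der, pos)
    tag, _, end = der_read_tlv(cert_der, pos)
    if tag != 0x30 or end > tbs_end:
        raise ValueError("malformed subjectPublicKeyInfo")
    return cert_der[pos:end]   # header included: this is what 'openssl pkey -outform der' emits


def sha256_b64(data):
    """base64 of the raw digest, matching 'openssl dgst -sha256 -binary | base64'."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def spki_hash(cert):
    """The value for the payload's hash field, from a PEM or DER certificate."""
    der = pem_to_der(cert) if detect_encoding(cert) == "pem" else cert
    return sha256_b64(extract_spki(der))


OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1
OID_SHA256_WITH_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
OID_COMMON_NAME = bytes.fromhex("550403")                  # 2.5.4.3


def build_sample_cert():
    """Constructed sample input: a syntactically valid X.509 v3 skeleton for
    'internal.example' with placeholder key bits and an all-zero signature.
    Never a trusted certificate; it exists only so the example runs offline.
    Returns (cert_der, spki_der)."""
    alg = der_tlv(0x30, der_tlv(0x06, OID_SHA256_WITH_RSA) + der_tlv(0x05, b""))
    name = der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, OID_COMMON_NAME)
                                                     + der_tlv(0x0C, b"internal.example"))))
    validity = der_tlv(0x30, der_tlv(0x17, b"240101000000Z") + der_tlv(0x17, b"340101000000Z"))
    spki = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, OID_RSA_ENCRYPTION) + der_tlv(0x05, b""))
                   + der_tlv(0x03, b"\x00" + bytes(range(64))))        # placeholder key bits
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + alg + name + validity + name + spki)
    cert = der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00" + bytes(32)))
    return cert, spki


if __name__ == "__main__":
    cert_der, _ = build_sample_cert()
    print("DER input:", spki_hash(cert_der))
    print("PEM input:", spki_hash(der_to_pem(cert_der)))   # same value either way
```

Because the hash covers the whole subjectPublicKeyInfo element, two certificates that share a key pair (for example a renewed certificate for the same server) produce the same value, which is why an entry in this payload keeps working across renewals as long as the key does not change.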
To view a complete example of this custom payload, see the Certificate Transparency custom payload example.