Changes to Certification Authorities and certificates

This article lists changes to Certification Authorities and certificates included with Apple software.

If a Certification Authority (CA) experiences issues related to its compliance and engagement with the requirements of the Apple Root Program and broader industry standards, we take action to protect users by removing the CA and/or specific certificates from Apple Root Stores.

The listed effective date is the date after which the affected certificates will no longer successfully validate on up-to-date Apple systems. Certificates issued on or before the effective date are expected to function until the natural expiration of the certificate.

To avoid disruption, we encourage website operators, system administrators, and software developers that use the certificates listed below to transition to certificates issued by a CA that is included with Apple operating systems.

Affected Root CA Certificates

AC Camerfirma, S.A.

Effective date: 15 November 2024

The following Root CA Certificates are impacted for TLS, S/MIME, and Client Authentication:

Certificate Name SHA-256 Fingerprint

Chambers of Commerce Root - 2008 063E4AFAC491DFD332F3089B8542E94617D893D7FE944E10A7937EE29D9693C0

Global Chambersign Root - 2008 136335439334A7698016A0D324DE72284E079D7B5220BB8FBD747816EEBEBACA

Entrust

Effective date: 15 November 2024

The following Root CA Certificates are impacted for TLS, S/MIME, and Timestamping:

Certificate Name SHA-256 Fingerprint

Entrust Root Certification Authority - G4 DB3517D1F6732A2D5AB97C533EC70779EE3270A62FB4AC4238372460E6F01E88

Entrust Root Certification Authority 73C176434F1BC6D5ADF45B0E76E727287C8DE57616C1E6E6141A2B2CBC7D8E4C

Entrust.net Certification Authority (2048) 6DC47172E01CBCB0BF62580D895FE2B8AC9AD4F873801E0C10B9C837D21EB177

Entrust Root Certification Authority - G2 43DF5774B03E7FEF5FE40D931A7BEDF1BB2E6B42738C4E6D3841103D3AA7F339

Entrust Root Certification Authority - EC1 02ED0EB28C14DA45165C566791700D6451D7FB56F0B2AB1D3B8EB070E56EDFF5

The following Root CA Certificates are impacted for TLS and Timestamping:

Certificate Name SHA-256 Fingerprint

AffirmTrust Commercial 0376AB1D54C5F9803CE4B2E201A0EE7EEF7B57B636E8A93C9B8D4860C96F5FA7

AffirmTrust Networking 0A81EC5A929777F145904AF38D5D509F66B5E2C58FCDB531058B0E17F3F0B41B

AffirmTrust Premium 70A73F7F376B60074248904534B11482D5BF0E698ECC498DF52577EBF2E93B9A

AffirmTrust Premium ECC BD71FDF6DA97E4CF62D1647ADD2581B07D79ADF8397EB4ECBA9C5E8488821423

The following Root CA Certificate is impacted for Brand Indicator for Message Identification (BIMI):

Certificate Name SHA-256 Fingerprint

Entrust Verified Mark Root Certification Authority - VMCR1 - 7831D95A47D42508CD5C9E6264F9096BAC19F04EB9B7C8BDD35FFFC71C18961

NetLock

Effective date: 15 November 2024

The following Root CA Certificate is impacted for TLS and S/MIME:

Certificate Name SHA-256 Fingerprint

NetLock Arany (Class Gold) Főtanúsítvány - 6C61DAC3A2DEF031506BE036D2A6FE401994FBD13DF9C8D466599274C446EC98

ComSign

Effective date: 30 June 2024

The following Root CA Certificate is impacted for TLS and S/MIME:

Certificate Name SHA-256 Fingerprint

ComSign Global Root CA 2605875AFCC176B2D66DD66A995D7F8D5EBB86CE120D0E7E9E7C6EF294A27D4C

e-commerce monitoring GmbH

Effective date: 30 June 2024

The following Root CA Certificate is impacted for TLS and S/MIME:

Certificate Name SHA-256 Fingerprint

GLOBALTRUST 2020 9A296A5182D1D451A2E37F439B74DAAFA267523329F90F9A0D2007C334E23C9A