New certificate security requirements for iOS 13

Context

With the introduction of iOS 13, all TLS server certificates must comply with stricter security standards. 

Issue

If a server certificate does not meet the new standards, users on Apple devices running iOS 13 may see a "Your connection is not secure" message within your mobile app when it connects to a web resource.


End users can still press Continue for the app to reach the destination server, but the error implies "someone may be attempting to intercept information."

Solution

To remediate the issue, you need to:

  • Generate new TLS certificates that adhere to the requirements within the Apple guidelines for your web resource endpoints.
  • Replace the current certificates on the web servers that your apps access.

The minimum security requirements are as follows:

  • TLS server certificates and issuing CAs using RSA keys must use key sizes greater than or equal to 2048 bits. Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS.
  • TLS server certificates and issuing CAs must use a hash algorithm from the SHA-2 family in the signature algorithm. SHA-1 signed certificates are no longer trusted for TLS.
  • TLS server certificates must present the DNS name of the server in the Subject Alternative Name extension of the certificate. DNS names in the CommonName of a certificate are no longer trusted.

Additionally, all TLS server certificates issued after July 1, 2019 (as indicated in the NotBefore field of the certificate) must follow these guidelines:   

  • TLS server certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID.
  • TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).
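
To see which of the requirements above an existing certificate fails before you replace it, the following added example (not from Apple or the original article) checks a PEM file with the openssl command line. The function name check_ios13_cert is hypothetical, and the script assumes OpenSSL 1.1.1 or later and GNU date.

```sh
#!/bin/sh
# Added example: report which iOS 13 TLS certificate rules a PEM certificate fails.
# Assumes OpenSSL 1.1.1+ and GNU date. Prints one line per failure; returns 0 if none.
check_ios13_cert() {
  pem=$1; rc=0
  text=$(openssl x509 -in "$pem" -noout -text) || return 2

  # RSA keys must be at least 2048 bits (the rule names RSA only).
  if printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption'; then
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    [ "${bits:-0}" -ge 2048 ] || { echo "RSA key is ${bits:-unknown} bits, need >= 2048"; rc=1; }
  fi

  # Signature hash must be SHA-2; anything else (SHA-1, MD5, unrecognised) is reported.
  sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
  case $(printf '%s' "$sig" | tr 'A-Z' 'a-z') in
    *sha224*|*sha256*|*sha384*|*sha512*) ;;
    *) echo "signature algorithm '$sig' is not SHA-2"; rc=1 ;;
  esac

  # The server name must be a DNS entry in Subject Alternative Name, not only in CN.
  printf '%s\n' "$text" | grep -A1 'X509v3 Subject Alternative Name' | grep -q 'DNS:' ||
    { echo "no DNS name in Subject Alternative Name"; rc=1; }

  # Extra rules for certificates issued after July 1, 2019, read here as
  # NotBefore later than 2019-07-01 00:00:00 UTC (assumption).
  start=$(date -u -d "$(openssl x509 -in "$pem" -noout -startdate | cut -d= -f2)" +%s)
  end=$(date -u -d "$(openssl x509 -in "$pem" -noout -enddate | cut -d= -f2)" +%s)
  if [ "$start" -gt "$(date -u -d '2019-07-01 00:00:00' +%s)" ]; then
    # OpenSSL prints id-kp-serverAuth as "TLS Web Server Authentication".
    printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' |
      grep -q 'TLS Web Server Authentication' ||
      { echo "ExtendedKeyUsage lacks id-kp-serverAuth"; rc=1; }
    days=$(( (end - start + 86399) / 86400 ))   # round partial days up
    [ "$days" -le 825 ] || { echo "validity is $days days, limit is 825"; rc=1; }
  fi
  return "$rc"
}

# Usage: sh check.sh server.pem
if [ "$#" -gt 0 ]; then check_ios13_cert "$1"; fi
```

The same function can be run against each issuing CA certificate in the chain for the key-size and hash checks, since those two requirements apply to issuing CAs as well.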

Please see https://support.apple.com/en-gb/HT210176 for more details.