To better protect Apple customers from security issues related to the use of public key infrastructure (PKI) certificates and enhance the experience for Apple users, Apple requires root certification authorities to meet certain criteria. Apple products, including our web browser Safari and Mail.app, use a common store for root certificates. Following are some highlights of the new criteria:
- Certification Authority (CA) providers are required to complete a WebTrust for Certification Authorities audit or provide an equivalent third-party attestation. For more information about the WebTrust for Certification Authorities program sponsored by the American Institute of Certified Public Accountants (AICPA), or to obtain a copy of the criteria, see http://www.webtrust.org/. If you have received an audit from a different program, the burden is on the CA to prove equivalency to WebTrust for CAs.
- Only roots that expire after 2013 will be considered.
- A maximum of three roots per CA provider can be accepted because each additional root negatively impacts users by increasing download time.
- Apple requires a test certificate issued from each CA provider's root(s) for testing purposes. We recommend that you send Apple a URL of a publicly accessible server where certificates issued from your roots can be verified.
- All new root certification authorities for OS X are made seamlessly available to end users through the Software Update mechanism. This provides maximum flexibility for CA providers and Apple to respond immediately in the event of an unforeseen security issue.
- Your root certificate must provide broad business value to Apple platform customers. For example, root certificates that are used internally within an organization are not acceptable for the root program.
- Certificates issued from your root must support the CRL distribution point extension. The CRL distribution point should point to a location that is publicly accessible.
- Root certificates must conform to the standard set forth in RFC 3280.
Root Delivery Process
Root certificates are provided in updates to the operating system. These roots are used by OS X and iOS systems to evaluate trust for secure web connections, secure e-mail and other PKI purposes. When a user visits a secure Web site (that is, by using HTTPS), reads a secure e-mail (that is, S/MIME), or does some other operation using PKI, both OS X and iOS check that the certificate chains to a trusted CA (certificate authority). To the user, the experience is seamless and the operation occurs automatically. The user does not see any security dialog boxes or warnings unless the certificate could not be verified.
Root Acceptance Schedule
Apple will accept your root certificate as it deems appropriate in its own discretion. After you have met all of the requirements and Apple has chosen to accept your root certificate, it will be made available to users running OS X through the software update mechanism. The list of root certification authorities available through Software Update is usually updated at least once a quarter. You must complete all requirements of the program before Apple can process your root certificate.
To begin the root submission process, perform the following steps:
- Send an e-mail with the following information to Certificate Authority Program.
- Two contacts from your organization (that is, first and last name, e-mail address, and phone number)
- Company name and address information
- Company Web page address (that is, URL)
- Number of roots you would like to submit
- Answers to the following questions about your root certificates:
- What is the business purpose of the certificates issued from this root certificate? What business is this root enabling?
- To whom will you issue certificates? For example, the general public, members of a certain organization, and so on.
- What Extended Key Usages does the root support? For example, SSL server authority, secure e-mail, code signing, and so on.
- What is done to validate the identity of someone requesting a certificate issued from this root?
- Pointers to Certificate Practice Statement
- List of any third-party audits your CA practice has undergone.
- URL of a publicly accessible server where certificates issued from your roots can be verified
A copy of the root(s) to be evaluated can be included in the e-mail for initial examination.
Submission of Root
After you have met all of the criteria for submission to the Apple Root Certificate Program, send the following information to the address below:
- Audit report
- A letter on corporate letterhead, by an authorized agent of the company detailing the following for each root that you submit:
- Root certificate subject name, validity dates, and SHA-1 thumbprint. You can view the thumbprint by double-clicking the root certificate in Keychain Access, and scrolling down to the Fingerprint field. The actual root certificates can be sent via e-mail.
- Desired extended key usage (EKU). For what usages do you want to mark this root? For example, SSL server authority, e-mail, code signing, and so on.
- Please send an HTTPS URL (for server certificates) or end-entity certificate issued from the root that can be used for chain validation testing. For extended validation applications, include the Object Identifier associated with your certificate.
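The submission criteria above (a publicly accessible CRL distribution point in issued certificates, a root that expires after 2013, the SHA-1 thumbprint quoted on the letterhead, and an end-entity certificate that chains to the root for validation testing) can all be checked with OpenSSL before anything is sent. The script below is an added example, not Apple's code or part of the program documentation: it builds a throwaway test root and a leaf certificate in a temporary directory and runs each check as a shell function. The subject names and the CRL URL are constructed placeholders, and it assumes OpenSSL 1.1.1 or later (for `x509 -ext`).

```shell
#!/bin/sh
# Added example (not Apple's): pre-submission self-checks for a root certificate,
# run against a throwaway test PKI so the script works offline.
set -e

WORK="$(mktemp -d)"
CRL_URL="http://crl.example.test/root.crl"   # constructed placeholder URL

# Create a self-signed test root (15 years) and a server certificate issued from
# it that carries the CRL distribution point extension the program requires.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 5475 \
        -subj "/CN=Example Test Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=www.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    # Extension profile for the issued certificate (constructed for this example).
    cat > "$WORK/leaf.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
crlDistributionPoints=URI:$CRL_URL
EOF
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.pem" \
        -CAkey "$WORK/root.key" -CAcreateserial -days 365 -sha256 \
        -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# Check: the issued certificate carries a CRL distribution point whose URI is a
# plain http:// URL (a CRL published only over LDAP or HTTPS is not "publicly
# accessible" from the point of view of a client that has not yet trusted anything).
has_public_crl_dp() {
    openssl x509 -in "$1" -noout -ext crlDistributionPoints | grep -q "URI:http://"
}

# Check: the root's notAfter year is later than 2013 (the program's cut-off).
root_valid_after_2013() {
    year="$(openssl x509 -in "$1" -noout -enddate | awk '{print $(NF-1)}')"
    [ "$year" -gt 2013 ]
}

# The SHA-1 thumbprint Keychain Access shows in its Fingerprint field, as
# OpenSSL prints it (colon-separated hex), for quoting on the letterhead.
sha1_thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2
}

# Check: the end-entity certificate chains to the root (what Apple's chain
# validation test on your test URL or certificate will do).
chains_to_root() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Run every check and report; a non-zero exit means the root is not ready.
run_checks() {
    make_test_pki
    has_public_crl_dp "$WORK/leaf.pem"   && echo "CRL DP: public http URI present"
    root_valid_after_2013 "$WORK/root.pem" && echo "root validity: expires after 2013"
    echo "root SHA-1 thumbprint: $(sha1_thumbprint "$WORK/root.pem")"
    chains_to_root "$WORK/root.pem" "$WORK/leaf.pem" && echo "chain: leaf verifies to root"
}

run_checks
```

To check a real root and one of its issued certificates, replace the `make_test_pki` step with the PEM files you intend to submit; the four check functions are the same ones a reviewer will effectively apply.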
Frequently Asked Questions
- How much does the program cost?
Apple does not currently charge for the Root Certificate Program. Typically, there is a material cost associated with meeting the audit requirements. Please contact your auditor. For more information, see "How much does a WebTrust for CA examination cost?".
The burden is on the CA to prove WebTrust equivalency. Your auditor should state whether the audit meets the WebTrust criteria in the audit report.
Apple accepts roots on an on-going basis. As such, there is no hard deadline. After Apple accepts your root certificate, it will appear in a Software Update after the next root certificate refresh cycle.