To better protect Apple customers from security issues related to the use of public key infrastructure (PKI) certificates and enhance the experience for Apple users, Apple requires root certification authorities to meet certain criteria. Apple products, including our web browser Safari, Mail.app, and iChat, use a common store for root certificates. Following are some highlights of the new criteria:
- Certification Authority (CA) providers are required to complete a WebTrust for Certification Authorities audit or provide an equivalent third-party attestation. For more information about the WebTrust for Certification Authorities program sponsored by the American Institute of Certified Public Accountants (AICPA), or to obtain a copy of the criteria, see http://www.webtrust.org/. If you have received an audit from a different program, the burden is on the CA to prove equivalency to WebTrust for CAs.
- Only roots that expire after Jan 1, 2010 will be considered.
- A maximum of three roots per CA provider can be accepted because each additional root negatively impacts users by increasing download time.
- Apple requires a test certificate issued from each CA provider's root(s) for testing purposes. We recommend that you send Apple a URL of a publicly accessible server where certificates issued from your roots can be verified.
- All new root certification authorities for Mac OS X are made seamlessly available to end users through the Software Update mechanism. This provides maximum flexibility for CA providers and Apple to respond immediately in the event of an unforeseen security issue.
- Your root certificate must provide broad business value to Apple platform customers. For example, root certificates that are used internally within an organization are not acceptable for the root program.
- Certificates issued from your root must support the CRL distribution point extension. The CRL distribution point should point to a location that is publicly accessible.
- Root certificates must conform to the standard set forth in RFC 3280.
Root Delivery Process
Root certificates are stored in a system keychain located at /System/Library/Keychains/X509Anchors. These roots are used by Mac OS X system software to evaluate trust for secure web connections, secure e-mail and other PKI interactions. Any new roots accepted by Apple are available to users running Mac OS X through the software update mechanism. When a user visits a secure Web site (that is, by using HTTPS), reads a secure e-mail (that is, S/MIME), or does some other operation using PKI, the Mac OS X certificate chain verification software checks the X509Anchors file. To the user, the experience is seamless. The user does not see any security dialog boxes or warnings. The download happens automatically, behind the scenes.
Root Acceptance Schedule
Apple will accept your root certificate as it deems appropriate at its own discretion. After you have met all of the requirements and Apple has chosen to accept your root certificate, it will be made available to users running Mac OS X through the software update mechanism. The list of root certification authorities available through Software Update is usually updated at least once a quarter. You must complete all requirements of the program before Apple can process your root certificate.
To begin the root submission process, perform the following steps:
Send an e-mail with the following information to Certificate Authority Program:
- Two contacts from your organization (that is, first and last name, e-mail address, and phone number)
- Company name and address information
- Company Web page address (that is, URL)
- Number of roots you would like to submit
Answers to the following questions about your root certificates:
- What is the business purpose of the certificates issued from this root certificate? What business is this root enabling?
- To whom will you issue certificates? For example, the general public, members of a certain organization, and so on.
- What Extended Key Usages does the root support? For example, SSL server authority, secure e-mail, code signing, and so on.
- What is done to validate the identity of someone requesting a certificate issued from this root?
- Pointers to Certificate Practice Statement
- List of any third-party audits your CA practice has undergone.
- URL of a publicly accessible server where certificates issued from your roots can be verified
- Ensure that the services for which your root will be used provide broad value to Apple customers. If you have any questions, send e-mail to Certificate Authority Program.
- Engage a licensed auditor of the WebTrust for CAs program and complete that process.
A copy of the root(s) to be evaluated can be included in the e-mail for initial examination.
Submission of Root
After you have met all of the criteria for submission to the Apple Root Certificate Program, send the following information to the address below:
- Audit report
- A letter on corporate letterhead from an authorized agent of the company, detailing the following for each root that you submit:
- Root certificate subject name, validity dates, and SHA-1 thumbprint. You can view the thumbprint by double-clicking the root certificate in Keychain Access, and scrolling down to the Fingerprint field. The actual root certificates can be sent via e-mail.
- Desired extended key usage (EKU). For what usages do you want to mark this root? For example, SSL server authority, e-mail, code signing, and so on.
- Please send an HTTPS URL (for server certificates) or end-entity certificate issued from the root that can be used for chain validation testing.
- Apple Inc.
- 1 Infinite Loop
- MS: 302-4K
- Cupertino, CA 95014-2084
- Email: Certificate Authority Program
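As an added example (not part of Apple's program text or any Apple tooling), the following Go program builds a constructed root and an end-entity certificate it issued, then checks the requirements above that can be verified mechanically: root expiry after Jan 1, 2010, a publicly accessible CRL distribution point on issued certificates, chain validation against the root (what the requested test URL is for), and the SHA-1 thumbprint the letter must state. The names Example Root CA, www.example.com and crl.example.com are assumed placeholders, and Ed25519 keys are used only for brevity.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"strings"
	"time"
)
// makePair builds a constructed sample (not a real CA): a self-signed root and one server certificate it
// issued, with a CRL distribution point only when crlURL is non-empty. Ed25519 just keeps the sample short.
func makePair(crlURL string) (root, leaf *x509.Certificate) {
	_, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	_, leafKey, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(20, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	rootDER, _ := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, rootKey.Public(), rootKey)
	root, _ = x509.ParseCertificate(rootDER)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "www.example.com"},
		DNSNames: []string{"www.example.com"}, NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(1, 0, 0),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}} // the "SSL server" extended key usage
	if crlURL != "" {
		leafTmpl.CRLDistributionPoints = []string{crlURL} // the extension the program requires on issued certs
	}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, root, leafKey.Public(), rootKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	return root, leaf
}
// Thumbprint is the SHA-1 of the DER encoding, the value Keychain Access shows in its Fingerprint field.
func Thumbprint(c *x509.Certificate) string { s := sha1.Sum(c.Raw); return strings.ToUpper(hex.EncodeToString(s[:])) }
// CheckSubmission lists the program requirements that a root and a certificate it issued fail to meet.
func CheckSubmission(root, leaf *x509.Certificate) (problems []string) {
	if !root.NotAfter.After(time.Date(2010, 1, 1, 0, 0, 0, 0, time.UTC)) { problems = append(problems, "root expires on or before Jan 1, 2010") }
	public := false // the CRL distribution point must be reachable by anyone; a plain http URL counts, nothing else does here
	for _, dp := range leaf.CRLDistributionPoints { public = public || strings.HasPrefix(dp, "http://") }
	if !public { problems = append(problems, "issued certificate has no publicly accessible CRL distribution point") }
	pool := x509.NewCertPool(); pool.AddCert(root) // chain validation against the submitted root, what the test URL is for
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: leaf.Subject.CommonName}); err != nil {
		problems = append(problems, "chain does not validate to the root: "+err.Error())
	}
	return problems
}
```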
Frequently Asked Questions
How much does the program cost?
Apple does not currently charge for the Root Certificate Program. Typically, there is a material cost associated with meeting the audit requirements. Please contact your auditor. For more information, see "How much does a WebTrust for CA examination cost?".
Is your audit sufficient for WebTrust equivalency?
The burden is on the CA to prove WebTrust equivalency. Your auditor should state whether the audit meets the WebTrust criteria in the audit report.
What is the deadline for submitting my root certificate?
Apple accepts roots on an ongoing basis. As such, there is no hard deadline. After Apple accepts your root certificate, it will appear in a Software Update after the next root certificate refresh cycle.