Apple Root Certificate Program

Program Requirements

To better protect Apple customers from security issues related to the use of public key infrastructure (PKI) certificates and enhance the experience for Apple users, Apple requires root certification authorities to meet certain criteria. Apple products, including our web browser Safari and Mail.app, use a common store for root certificates. Following are some highlights of the new criteria:

Root Delivery Process

Root certificates are provided in updates to the operating system. These roots are used by OS X and iOS systems to evaluate trust for secure web connections, secure e-mail and other PKI purposes. When a user visits a secure Web site (that is, by using HTTPS), reads a secure e-mail (that is, S/MIME), or performs some other operation using PKI, both OS X and iOS check that the certificate chains up to a trusted CA (certificate authority). To the user, the experience is seamless and the operation occurs automatically. The user does not see any security dialog boxes or warnings unless the certificate could not be verified.

Root Acceptance Schedule

Apple will accept your root certificate as it deems appropriate in its own discretion. After you have met all of the requirements and Apple has chosen to accept your root certificate, it will be made available to users running OS X through the software update mechanism. The list of root certification authorities available through Software Update is usually updated at least once a quarter. You must complete all requirements of the program before Apple can process your root certificate.

Requirements

To begin the root submission process, perform the following steps:

  1. Send an e-mail with the following information to Certificate Authority Program:
    • Two contacts from your organization (that is, first and last name, e-mail address, and phone number)
    • Company name and address information
    • Company Web page address (that is, URL)
    • Number of roots you would like to submit

    Answers to the following questions about your root certificates:

    • What is the business purpose of the certificates issued from this root certificate? What business is this root enabling?
    • To whom will you issue certificates? For example, the general public, members of a certain organization, and so on.
    • What Extended Key Usages does the root support? For example, SSL server authority, secure e-mail, code signing, and so on.
    • What is done to validate the identity of someone requesting a certificate issued from this root?
    • Pointers to Certificate Practice Statement
    • List of any third-party audits your CA practice has undergone
    • URL of a publicly accessible server where certificates issued from your roots can be verified
  2. A copy of the root(s) to be evaluated can be included in the e-mail for initial examination.
  3. Ensure that the services for which your root will be used provide broad value to Apple customers. If you have any questions, send e-mail to Certificate Authority Program.
  4. Engage a licensed auditor of the WebTrust for CAs program and complete that process.

Submission of Root

After you have met all of the criteria for submission to the Apple Root Certificate Program, send the following information to the address below:

  1. Audit report
  2. A letter on corporate letterhead from an authorized agent of the company, detailing the following for each root that you submit:
    • Root certificate subject name, validity dates, and SHA-1 thumbprint. You can view the thumbprint by double-clicking the root certificate in Keychain Access and scrolling down to the Fingerprint field. The actual root certificates can be sent via e-mail.
    • Desired extended key usage (EKU). For what usages do you want to mark this root? For example, SSL server authority, e-mail, code signing, and so on.
    • Please send an HTTPS URL (for server certificates) or end-entity certificate issued from the root that can be used for chain validation testing. For extended validation applications, include the Object Identifier associated with your certificate.

Frequently Asked Questions

  1. How much does the program cost?

    Apple does not currently charge for the Root Certificate Program. Typically, there is a material cost associated with meeting the audit requirements. Please contact your auditor. For more information, see "How much does a Web Trust for CA examination cost?".

  2. Is your audit sufficient for WebTrust equivalency?

    The burden is on the CA to prove WebTrust equivalency. Your auditor should state whether the audit meets the WebTrust criteria in the audit report.

  3. What is the deadline for submitting my root certificate?

    Apple accepts roots on an ongoing basis, so there is no hard deadline. After Apple accepts your root certificate, it will appear in a Software Update after the next root certificate refresh cycle.