Program Requirements
Note: This version comes into effect February 1, 2022
Apple uses public key infrastructure (PKI) to secure and enhance the experience for Apple users. Apple operating systems and applications (such as Safari and Mail) use a common store for root certificates; see https://support.apple.com/kb/HT209143. Apple requires certification authority (CA) providers to meet certain criteria, which include:
- CA providers must ensure their CAs are audited against at least one of the below criteria at least annually:
- (Preferred) WebTrust Principles and Criteria for Certification Authorities
- (Accepted on a case-by-case basis) ETSI EN 319 411-1 LCP, NCP, or NCP+
- CA providers must ensure their Transport Layer Security (TLS) enabled root CAs and all subordinate CAs capable of issuing TLS certificates are audited against at least one of the below sets of criteria at least annually:
- (Preferred) WebTrust Principles and Criteria for Certification Authorities and WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security
- (Accepted on a case-by-case basis) ETSI EN 319 411-1 LCP and (DVCP or OVCP)
- (Accepted on a case-by-case basis) ETSI EN 319 411-1 NCP and EVCP
- CA providers must ensure their Extended Validation (EV) enabled root CAs and all subordinate CAs capable of issuing EV TLS certificates are audited against at least one of the below sets of criteria at least annually:
- (Preferred) WebTrust Principles and Criteria for Certification Authorities, WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security, and WebTrust Principles and Criteria for Certification Authorities – Extended Validation SSL
- (Accepted on a case-by-case basis) ETSI EN 319 411-1 NCP and EVCP
- CA providers must strictly adhere to their Certificate Policy (CP) and/or Certification Practices Statement (CPS) documents.
- TLS CA providers must constantly maintain compliance with the CA/Browser Forum Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted Certificates.
- TLS CA providers must incorporate and commit to compliance with the CA/Browser Forum’s Baseline Requirements in their CP and/or CPS documents.
- EV CA providers must constantly maintain compliance with the CA/Browser Forum Guidelines For The Issuance And Management Of Extended Validation Certificates.
- EV CA providers must incorporate and commit to compliance with the CA/Browser Forum’s EV Guidelines in their CP and/or CPS documents.
- CA providers must maintain up to date contact details in the Common CA Database (CCADB).
- CA providers are accountable for discussion and balloted changes communicated via the following:
- CA communications from Apple (typically via CCADB)
- CA/Browser Forum Public Discussion List (https://lists.cabforum.org/mailman/listinfo/public)
- CA/Browser Forum Server Certificate Working Group (https://lists.cabforum.org/mailman/listinfo/servercert-wg)
- CA/Browser Forum Validation Subcommittee (https://lists.cabforum.org/mailman/listinfo/validation)
- CA/Browser Forum Networking Security Subcommittee (https://lists.cabforum.org/mailman/listinfo/netsec)
- CA/Browser Forum SMIME Certificate Working Group (https://lists.cabforum.org/mailman/listinfo/smcwg-public)
- CA providers must notify Apple if they anticipate any change in control or ownership of any CA certificate (whether directly included or subordinate thereto). Do not assume inclusion is transferable.
- CA providers must strictly limit the number of roots per CA provider, especially those capable of issuing multiple types of certificates.
- A root certificate must provide broad value to Apple's users.
- CA providers applying for inclusion in the Apple Root Program are expected to meet all Program and Policy requirements prior to submitting an application.
Policy Requirements
Note: For effective dates related to certificate issuance, the requirement is enforced for certificates issued on or after the specified date at 00:00:00 UTC.
- Effective April 1, 2022, CA providers must disclose in the CCADB all CA certificates which chain up to their CA Certificate(s) included in the Apple Root Program.
- Effective April 1, 2022, S/MIME certificates must:
- include the emailProtection EKU
- include at least one subjectAlternativeName rfc822Name value containing an email address
- not have a validity period greater than 1185 days
- use a signature hash algorithm of strength greater than or equal to SHA-256 (see sections 7.1.3.1 and 7.1.3.2 of the CA/B Forum's Baseline Requirements).
- meet the following key size requirements:
- For RSA key pairs, the modulus size must be at least 2048 bits when encoded and its size in bits must be evenly divisible by 8.
- For ECDSA key pairs, the key must represent a valid point on the NIST P‐256, NIST P‐384 or NIST P‐521 named elliptic curve.
- Effective October 1, 2022, CA providers must populate the CCADB fields under "Pertaining to Certificates Issued by This CA" with either the CRL Distribution Point for the "Full CRL Issued By This CA" or a "JSON Array of Partitioned CRLs" for each included CA Certificate and each CA Certificate chaining up to an included CA Certificate in the Apple Root Program.
- Under normal operating conditions, the CRL URLs provided by CAs in this section must be available such that Apple systems are able to successfully retrieve the current CRL every 4 hours.
- In order to populate this section for Root CA Certificates, please email the Apple Root Program (certificate-authority-program@apple.com) with the desired details and associated CCADB records.
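The S/MIME certificate profile above (emailProtection EKU, an rfc822Name in the subjectAltName, at most 1185 days of validity, a SHA-256-or-stronger signature hash, RSA moduli of at least 2048 bits divisible by 8, ECDSA keys on P-256/P-384/P-521) is the kind of rule set a CA runs as a pre-issuance lint. The following checker is an added example, not Apple's code or part of the program text. The rule evaluation is plain Python over a small `CertFacts` record; the extractor that fills that record from a real certificate, and the self-signed demo certificate in the `__main__` block, assume the third-party `cryptography` library. Validity is simplified to whole days between notBefore and notAfter.

```python
# Added example (not Apple's code): lint a leaf S/MIME certificate against the
# profile rules listed above. Rule logic is pure Python; the extractor that reads
# a real certificate assumes the third-party "cryptography" library is installed.
from dataclasses import dataclass
from typing import List

EMAIL_PROTECTION_OID = "1.3.6.1.5.5.7.3.4"                # id-kp-emailProtection
ALLOWED_CURVES = {"secp256r1", "secp384r1", "secp521r1"}  # NIST P-256 / P-384 / P-521
ACCEPTABLE_HASHES = {"sha256", "sha384", "sha512"}        # strength >= SHA-256
MAX_VALIDITY_DAYS = 1185


@dataclass
class CertFacts:
    """The handful of certificate facts the S/MIME rules above depend on."""
    eku_oids: List[str]        # dotted OIDs from the extendedKeyUsage extension
    rfc822_names: List[str]    # rfc822Name entries from subjectAltName
    validity_days: int         # whole days between notBefore and notAfter (simplification)
    signature_hash: str        # e.g. "sha256"
    key_type: str              # "rsa" or "ec"
    rsa_bits: int = 0
    ec_curve: str = ""


def check_smime_profile(f: CertFacts) -> List[str]:
    """Return one message per violated rule; an empty list means the profile is met."""
    problems: List[str] = []
    if EMAIL_PROTECTION_OID not in f.eku_oids:
        problems.append("EKU does not include emailProtection")
    if not any("@" in n for n in f.rfc822_names):
        problems.append("no subjectAltName rfc822Name containing an email address")
    if f.validity_days > MAX_VALIDITY_DAYS:
        problems.append(f"validity {f.validity_days} days exceeds {MAX_VALIDITY_DAYS}")
    if f.signature_hash.lower() not in ACCEPTABLE_HASHES:
        problems.append(f"signature hash {f.signature_hash} is weaker than SHA-256")
    if f.key_type == "rsa":
        if f.rsa_bits < 2048 or f.rsa_bits % 8 != 0:
            problems.append(f"RSA modulus {f.rsa_bits} bits: must be >= 2048 and a multiple of 8")
    elif f.key_type == "ec":
        if f.ec_curve not in ALLOWED_CURVES:
            problems.append(f"ECDSA curve {f.ec_curve!r} is not P-256/P-384/P-521")
    else:
        problems.append(f"unsupported key type {f.key_type!r}")
    return problems


def facts_from_x509(cert) -> CertFacts:
    """Extract CertFacts from a cryptography.x509.Certificate (assumes that library)."""
    from cryptography import x509
    from cryptography.hazmat.primitives.asymmetric import ec, rsa

    try:
        eku_ext = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        eku = [oid.dotted_string for oid in eku_ext]
    except x509.ExtensionNotFound:
        eku = []
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        emails = san.get_values_for_type(x509.RFC822Name)
    except x509.ExtensionNotFound:
        emails = []
    # Newer cryptography exposes timezone-aware *_utc properties; fall back to the older names.
    not_before = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before
    not_after = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after
    days = (not_after - not_before).days
    # signature_hash_algorithm is None for algorithms without a separate hash (e.g. Ed25519).
    hash_name = cert.signature_hash_algorithm.name if cert.signature_hash_algorithm else "none"
    pub = cert.public_key()
    if isinstance(pub, rsa.RSAPublicKey):
        return CertFacts(eku, emails, days, hash_name, "rsa", rsa_bits=pub.key_size)
    if isinstance(pub, ec.EllipticCurvePublicKey):
        return CertFacts(eku, emails, days, hash_name, "ec", ec_curve=pub.curve.name)
    return CertFacts(eku, emails, days, hash_name, type(pub).__name__)


if __name__ == "__main__":
    # Demo: build a self-signed P-256 certificate for a constructed address and lint it.
    import datetime
    from cryptography import x509
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import ec
    from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "alice@example.test")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=MAX_VALIDITY_DAYS))
        .add_extension(x509.SubjectAlternativeName([x509.RFC822Name("alice@example.test")]), critical=False)
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.EMAIL_PROTECTION]), critical=False)
        .sign(key, hashes.SHA256())
    )
    print(check_smime_profile(facts_from_x509(cert)) or "compliant with the S/MIME profile")
```

Keeping the rule logic separate from certificate parsing means the same `check_smime_profile` can be driven from a CA's issuance pipeline (pre-sign, from the to-be-signed fields) as well as from already-issued certificates pulled from CT or CCADB-disclosed hierarchies, and each message names the specific rule so a failure can be traced back to the requirement above.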
Submission Process
To begin the submission process, request access to the CCADB and create a Root Inclusion Case in the CCADB. Once complete, e-mail certificate-authority-program@apple.com with the details of your Root Inclusion Case. CA providers will be contacted if any additional information is required, and when consideration of the inclusion request is complete. For more information on the CCADB, please see https://www.ccadb.org/cas.
Root Acceptance
Apple accepts and removes root certificates as it deems appropriate at its sole discretion. Apple prioritizes Root Inclusion Requests as it deems appropriate at its sole discretion.
Incidents
Failure to comply with the above requirements in any way is considered an incident. CA providers must report such incidents to the Apple Root Program at certificate-authority-program@apple.com with a full incident report. This report can be shared directly or as a link from a public disclosure (e.g. Bugzilla).