Changes to Trusted Root Certificates in Mac OS Sierra and iOS 10


Apple’s Latest OS Trusts 165 Root Certificates.

A root store is a database of root certificates that a computer “trusts” as an issuer of SSL, Code Signing, and other X.509 certificates. This list of roots dictates which certificates your computer will automatically accept, or “trust,” when establishing a connection. Certificates chaining to a root that is not on this list have to be manually accepted, which makes them impractical for use on public websites or services.

These root certificates belong to Certificate Authorities (CAs), which range from well-known cyber security companies like Symantec and Comodo to regional providers and government offices. The average user will only interact with certificates from a handful of these providers, but their devices, along with hundreds of millions of other devices around the world, still trust every root on the list, which is often criticized as a security risk.

Vendors either maintain their own root store, or use an existing one. These root stores often have policies for acceptance, which include yearly audits and compliance reports to show that the CAs are following industry requirements.

Microsoft and Apple maintain their own root stores for their operating systems. Mozilla also operates one used by its Firefox browser and many Linux distributions.

Operating systems usually change their trusted (and untrusted) root certificates during major updates. Apple updates its trust store with every major release of Mac OS and iOS.

The newest version of Apple’s Mac OS operating system – Version 10.12, or “Sierra” – was released last week; and iOS 10 was released the week before that.

Oftentimes this means the trusted root store is growing on each and every release. However, with Sierra and iOS 10, Apple’s trust store has actually gotten smaller.

Here are some quick facts about Apple’s trust store:

  • Mac OS and iOS trust 165 root certificates in total. This is 23 fewer total certificates than the previous version (in El Capitan). Only two new roots have been added. (Update: The ISRG Root, used by Let’s Encrypt, was added in a later update).
  • Of the 165 root certificates, 152 use RSA keys and 13 use ECDSA keys. Of the RSA keys, 102 are 2048-bit and 50 are 4096-bit. Twelve of the ECDSA keys are 384-bit and one is 256-bit.
  • Two root certificates expired before Sierra was even released. A third is expiring this October. All three of those CAs (AS Sertifitseerimiskeskus, E-Tugra, and Buypass) have other roots that will remain trusted for some time.
  • On the other end, the longest-living root is owned by Certum and won’t expire until 2046. At least it uses a 4096-bit RSA key…
  • UPDATE: The Turkish CA TÜRKTRUST has announced that it will be suspending its SSL business as a result of not getting its new roots added to Apple’s store. Its current root will expire in December of 2017, giving it only one year until its certificates become inoperable on Apple devices. It is well known within the CA/SSL industry that Apple’s CA program is one of the most difficult programs to work with.

Changes to Apple’s Root Store

These changes are in comparison to the root certificates that were included with the previous version of Mac OS, El Capitan (10.11). The full list of root certificates comes directly from Apple. The certificate data below is directly from these Apple support pages: Roots in Sierra and Roots in El Capitan (with the exception of the “EV Policy” column which has been simplified for formatting). iOS 10 has the same Root Store as Sierra.

Apple’s Root Store has three lists of certificates: Trusted, Always Ask, and Blocked. Always Ask certificates are “untrusted but not blocked. When one of these certificates is used, you’ll be prompted to choose whether or not to trust it.” Blocked certificates are entirely unusable. This latest update has made changes to all three lists.

Without further ado, here are the changes:

Trusted Root Certificates:

Added in Mac OS Sierra/iOS 10

Certificate name | Issued by | Type | Key size | Sig alg | Serial number | Expires | EV policy
Certum Trusted Network CA 2 | Certum Trusted Network CA 2 | RSA | 4096 bits | SHA-512 | 21 D6 D0 4A 4F 25 0F C9 32 37 FC AA 5E 12 8D E9 | 08:39:56 Oct 6, 2046 | Yes
OISTE WISeKey Global Root GB CA | OISTE WISeKey Global Root GB CA | RSA | 2048 bits | SHA-256 | 76 B1 20 52 74 F0 85 87 46 B3 F8 23 1A F6 C2 C0 | 15:10:31 Dec 1, 2039 | Yes
ISRG Root X1 | ISRG Root X1 | RSA | 4096 bits | SHA-256 | 00 82 10 CF B0 D2 40 E3 59 44 63 E0 BB 63 82 8B 00 | 11:04:38 Jun 4, 2035 | No

Notes: The ISRG Root (belonging to Let’s Encrypt) was added in an update in version 10.12.1.


Certum has two “Certum Trusted Network CA 2” root certificates that are identical except for their serial number. In Sierra/iOS 10, one of these roots was swapped for the other. So while this specific certificate is an “addition,” it is not so in the traditional sense.


Removed in Mac OS Sierra/iOS 10

Certificate name | Issued by | Type | Key size | Sig alg | Serial number | Expires | EV policy
A-Trust-nQual-01 | A-Trust-nQual-01 | RSA | 2048 bits | SHA-1 | 00 E2 42 | 23:00:00 Nov 30, 2014 | Not EV
A-Trust-nQual-03 | A-Trust-nQual-03 | RSA | 2048 bits | SHA-1 | 01 6C 1E | 22:00:00 Aug 17, 2015 | Not EV
A-Trust-Qual-01 | A-Trust-Qual-01 | RSA | 2048 bits | SHA-1 | 00 E2 43 | 23:00:00 Nov 30, 2014 | Not EV
A-Trust-Qual-02 | A-Trust-Qual-02 | RSA | 2048 bits | SHA-1 | 00 E2 48 | 23:00:00 Dec 2, 2014 | Not EV
AddTrust Qualified CA Root | AddTrust Qualified CA Root | RSA | 2048 bits | SHA-1 | 1 | 10:44:50 May 30, 2020 | Not EV
AddTrust Public CA Root | AddTrust Public CA Root | RSA | 2048 bits | SHA-1 | 1 | 10:41:50 May 30, 2020 | Not EV
AdminCA-CD-T01 | AdminCA-CD-T01 | RSA | 2048 bits | SHA-1 | 1 | 12:36:19 Jan 25, 2016 | Not EV
Application CA G2 | Application CA G2 | RSA | 2048 bits | SHA-1 | 31 | 14:59:59 Mar 31, 2016 | Not EV
Buypass Class 3 CA 1 | Buypass Class 3 CA 1 | RSA | 2048 bits | SHA-1 | 2 | 14:13:03 May 9, 2015 | Yes
CA Disig | CA Disig | RSA | 2048 bits | SHA-1 | 1 | 01:39:34 Mar 22, 2016 | Not EV
Certum Trusted Network CA 2 | Certum Trusted Network CA 2 | RSA | 4096 bits | SHA-512 | 00 B8 59 14 71 3F 57 DF 8F 31 C0 33 3D D2 D6 19 7A 23 17 B4 EB | 08:39:56 Oct 6, 2046 | Yes
NetLock Kozjegyzoi (Class A) Tanusitvanykiado | NetLock Kozjegyzoi (Class A) Tanusitvanykiado | RSA | 2048 bits | MD5 | 01 03 | 23:14:47 Feb 19, 2019 | Not EV
Secure Certificate Services | Secure Certificate Services | RSA | 2048 bits | SHA-1 | 1 | 23:59:59 Dec 31, 2028 | Not EV
Staat der Nederlanden Root CA | Staat der Nederlanden Root CA | RSA | 2048 bits | SHA-1 | 00 98 96 8A | 09:15:38 Dec 16, 2015 | Not EV
TC TrustCenter Class 2 CA II | TC TrustCenter Class 2 CA II | RSA | 2048 bits | SHA-1 | 2E 6A 00 01 00 02 1F D7 52 21 2C 11 5C 3B | 22:59:59 Dec 31, 2025 | Not EV
TC TrustCenter Class 3 CA II | TC TrustCenter Class 3 CA II | RSA | 2048 bits | SHA-1 | 4A 47 00 01 00 02 E5 A0 5D D6 3F 00 51 BF | 22:59:59 Dec 31, 2025 | Not EV
TC TrustCenter Class 4 CA II | TC TrustCenter Class 4 CA II | RSA | 2048 bits | SHA-1 | 05 C0 00 01 00 02 41 D0 06 0A 4D CE 75 10 | 22:59:59 Dec 31, 2025 | Not EV
TC TrustCenter Universal CA I | TC TrustCenter Universal CA I | RSA | 2048 bits | SHA-1 | 1D A2 00 01 00 02 EC B7 60 80 78 8D B6 06 | 22:59:59 Dec 31, 2025 | Not EV
TC TrustCenter Universal CA II | TC TrustCenter Universal CA II | RSA | 4096 bits | SHA-1 | 19 33 00 01 00 02 28 1A 9A 04 BC F2 55 45 | 22:59:59 Dec 31, 2030 | Not EV
TC TrustCenter Universal CA III | TC TrustCenter Universal CA III | RSA | 2048 bits | SHA-1 | 63 25 00 01 00 02 14 8D 33 15 02 E4 6C F4 | 23:59:59 Dec 31, 2029 | Yes
Trusted Certificate Services | Trusted Certificate Services | RSA | 2048 bits | SHA-1 | 1 | 23:59:59 Dec 31, 2028 | Not EV
TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı | TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı | RSA | 2048 bits | SHA-1 | 1 | 10:07:57 Sep 16, 2015 | Not EV
TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı | TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı | RSA | 2048 bits | SHA-1 | 1 | 10:27:17 Mar 22, 2015 | Not EV
VeriSign Class 4 Public Primary Certification Authority – G3 | VeriSign Class 4 Public Primary Certification Authority – G3 | RSA | 2048 bits | SHA-1 | 00 EC A0 A7 8B 6E 75 6A 01 CF C4 7C CC 2F 94 5E D7 | 23:59:59 Jul 16, 2036 | Not EV

Notes: Certum has two “Certum Trusted Network CA 2” root certificates that are identical except for their serial number. In Sierra/iOS 10, one of these roots was swapped for the other. So while this specific certificate is a “removal,” it is not so in the traditional sense.
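The comparison the article performs by hand, as an added example that is not the article's own tooling: two store snapshots are matched on (name, serial number), so a same-name root with a new serial, like the Certum pair noted above, is reported as a swap rather than as an addition plus a removal, and each root is checked for the key-size and expiry points raised in the quick facts. The sample rows are constructed from the article's tables; the as-of date and the pipe-delimited row format are assumptions of this example.

```python
"""Added example (not the article's own tooling): diff two root-store snapshots
the way the article compares El Capitan and Sierra. Roots are matched on
(name, serial), so a same-name root with a new serial is reported as a swap."""
from datetime import datetime

SIERRA_RELEASE = datetime(2016, 9, 20)  # as-of date for expiry checks (assumed)
# Constructed sample rows copied from the article's tables, in its column order:
# name | issued by | type | key size | sig alg | serial | expires | EV policy
OLD_STORE = """\
Certum Trusted Network CA 2 | Certum Trusted Network CA 2 | RSA | 4096 bits | SHA-512 | 00 B8 59 14 71 3F 57 DF 8F 31 C0 33 3D D2 D6 19 7A 23 17 B4 EB | 08:39:56 Oct 6, 2046 | Yes
A-Trust-Qual-01 | A-Trust-Qual-01 | RSA | 2048 bits | SHA-1 | 00 E2 43 | 23:00:00 Nov 30, 2014 | Not EV
Class 3 Public Primary Certification Authority | Class 3 Public Primary Certification Authority | RSA | 1024 bits | SHA-1 | 3C 91 31 CB 1F F6 D0 1B 0E 9A B8 D0 44 BF 12 BE | 23:59:59 Aug 2, 2028 | Not EV
"""
NEW_STORE = """\
Certum Trusted Network CA 2 | Certum Trusted Network CA 2 | RSA | 4096 bits | SHA-512 | 21 D6 D0 4A 4F 25 0F C9 32 37 FC AA 5E 12 8D E9 | 08:39:56 Oct 6, 2046 | Yes
OISTE WISeKey Global Root GB CA | OISTE WISeKey Global Root GB CA | RSA | 2048 bits | SHA-256 | 76 B1 20 52 74 F0 85 87 46 B3 F8 23 1A F6 C2 C0 | 15:10:31 Dec 1, 2039 | Yes
"""

def parse_store(text):
    """Return {(name, serial): fields} for each non-empty pipe-delimited row."""
    store = {}
    for line in filter(str.strip, text.splitlines()):
        name, issuer, ktype, bits, sig, serial, expires, ev = (c.strip() for c in line.split("|"))
        store[(name, serial)] = {"issuer": issuer, "type": ktype, "sig": sig, "ev": ev == "Yes",
                                 "bits": int(bits.split()[0]),
                                 "expires": datetime.strptime(expires, "%H:%M:%S %b %d, %Y")}
    return store

def diff_stores(old, new):
    """Classify roots as added, removed, or swapped (same name, different serial)."""
    old_names, new_names = {n for n, _ in old}, {n for n, _ in new}
    added = [k for k in new if k not in old]
    removed = [k for k in old if k not in new]
    return {"added": [k for k in added if k[0] not in old_names],
            "removed": [k for k in removed if k[0] not in new_names],
            "swapped": sorted({k[0] for k in added if k[0] in old_names})}

def weak_roots(store, as_of):
    """Flag RSA keys under 2048 bits and roots already expired at as_of. The self-
    signature algorithm is kept for inventory only: clients never verify a root's
    own signature, so MD5/SHA-1 there is not scored as a weakness."""
    flagged = {}
    for (name, _serial), f in store.items():
        reasons = []
        if f["type"] == "RSA" and f["bits"] < 2048:
            reasons.append("%d-bit RSA key" % f["bits"])
        if f["expires"] < as_of:
            reasons.append("expired " + f["expires"].date().isoformat())
        if reasons:
            flagged[name] = reasons  # sample names are unique; key on serial too for full stores
    return flagged

if __name__ == "__main__":
    old, new = parse_store(OLD_STORE), parse_store(NEW_STORE)
    print(diff_stores(old, new), weak_roots(old, SIERRA_RELEASE))
```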

Always Ask Certificates

No certificates have been added here. A DigiNotar certificate was moved to the Blocked list.

Removed in Mac OS Sierra/iOS 10

Certificate name | Issued by | Type | Key size | Sig alg | Serial number | Expires | EV policy
DigiNotar Root CA | DigiNotar Root CA | RSA | 4096 bits | SHA-1 | 0C 76 DA 9C 91 0C 4E 2C 9E FE 15 D0 58 93 3C 4C | 18:19:21 Mar 31, 2025 | Not EV

Blocked Certificates

Added in Mac OS Sierra/iOS 10

Certificate name | Issued by | Type | Key size | Sig alg | Serial number | Expires | EV policy
*.sslip.io | COMODO RSA Domain Validation Secure Server CA | RSA | 4096 bits | SHA-256 | 00 EC 60 FA FC A1 CA 06 AE E9 B7 36 48 0A 28 2F AA | 23:59:59 Aug 19, 2018 | Not EV
Class 3 Public Primary Certification Authority | Class 3 Public Primary Certification Authority | RSA | 1024 bits | SHA-1 | 3C 91 31 CB 1F F6 D0 1B 0E 9A B8 D0 44 BF 12 BE | 23:59:59 Aug 2, 2028 | Not EV
DigiNotar Root CA | DigiNotar Root CA | RSA | 4096 bits | SHA-1 | 00 E9 41 4E AA 63 E3 65 C4 0A 2F E3 FD 52 2E E2 99 | 16:27:01 May 14, 2027 | Not EV
DigiNotar Root CA | DigiNotar Root CA | RSA | 4096 bits | SHA-1 | 0C 76 DA 9C 91 0C 4E 2C 9E FE 15 D0 58 93 3C 4C | 18:19:21 Mar 31, 2025 | Not EV
Egypt Trust Class 3 Managed PKI Enterprise Administrator CA | VeriSign Class 3 Public Primary Certification Authority – G3 | RSA | 2048 bits | SHA-1 | 4C 00 36 1B E5 08 2B A9 AA CE 74 0A 05 3E FB 34 | 23:59:59 May 17, 2018 | Not EV
Egypt Trust Class 3 Managed PKI Operational Administrator CA | VeriSign Class 3 Public Primary Certification Authority – G3 | RSA | 2048 bits | SHA-1 | 3E 0C 9E 87 69 AA 95 5C EA 23 D8 45 9E D4 5B 51 | 23:59:59 May 17, 2018 | Not EV
Egypt Trust Class 3 Managed PKI SCO Administrator CA | VeriSign Class 3 Public Primary Certification Authority – G3 | RSA | 2048 bits | SHA-1 | 12 BD 26 A2 AE 33 C0 7F 24 7B 6A 58 69 F2 0A 76 | 23:59:59 May 17, 2018 | Not EV
The Walt Disney Company Root CA | Entrust.net Certification Authority (2048) | RSA | 2048 bits | SHA-1 | 4C 0E 84 56 | 22:22:12 Jan 16, 2019 | Not EV


4 comments
  • This is all great but they broke something with certs that you have trusted. The keychain will not save and does not fully sync with the icloud keychain. I have multiple Apple systems and only the ones updated to Sierra fail to trust certs and never prompt you to save after trusting them each time it pops up on the screen.

    • Hi John, I’m also seeing some issues with importing trusted root certs on Sierra systems. I’ve filed a bug report with Apple, but haven’t yet received any reply. Have you found any workaround or fix?

  • Can this be why I can’t enroll the SCCM Client onto my Sierra Macs? It says “certificate has untrusted root”. Has anyone had this specific issue and/or lend some advice? Thanks
