mattermost / mattermost

Mattermost is an open source platform for secure collaboration across the entire software development lifecycle.
https://mattermost.com

Request for Documentation: Instructions for how to verify your TLS certificates are compatible with iOS 13/macOS 10.15 #14092

Open justinegeffen opened 4 years ago

justinegeffen commented 4 years ago

Apple is changing requirements for their certs, so customers will need to verify them. Below is the proposed text:


Verifying SSL Certificates for iOS 13 and macOS 10.15

Apple is making the requirements for valid TLS certificates stricter in iOS 13 and macOS 10.15. The key changes are:

How to check your certificates

Let’s Encrypt

If you are using Let’s Encrypt to generate your certificates, then your certificates are already compatible with these changes.

SSL Labs

If your Mattermost server is available over the Internet, you can use SSL Labs to check your certificates.

  1. Go to https://www.ssllabs.com
  2. Enter your Mattermost server URL and click “Test”

Once the test is complete, verify that your certificate matches the requirements:

Verify key length

Verify Hash

Verify Domain

OpenSSL (CLI)

If your Mattermost server is not publicly accessible, use the openssl command to check the certificates. This is available in most Linux package managers, and these commands can be run from any system that has access to the Mattermost server or the reverse proxy.

  1. Use this command to check the key length:

        openssl s_client -connect community.mattermost.com:443 | grep "Server public key is"

    Which will return something like this:

        depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
        verify return:1
        depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        verify return:1
        depth=0 CN = community.mattermost.com
        verify return:1
        Server public key is 2048 bit

    Verify that the key is 2048 bit or higher.

  2. Use this command to check the signature algorithm:

        openssl s_client -connect community.mattermost.com:443 | grep "Peer signing digest:"

    Which will return something like this:

        depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
        verify return:1
        depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        verify return:1
        depth=0 CN = community.mattermost.com
        verify return:1
        Peer signing digest: SHA256

    Verify that the Peer signing digest is SHA256, SHA2, or SHA384.

  3. Use this command to check the Subject Alternative Name:

        openssl s_client -connect community.mattermost.com:443 | openssl x509 -noout -text | grep DNS:

    It will return this:

        depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
        verify return:1
        depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        verify return:1
        depth=0 CN = community.mattermost.com
        verify return:1
        DNS:community.mattermost.com

    Verify that the last line matches your Mattermost server domain.

    openssl s_client -connect :443

For example, this will check the certificate for the Mattermost Community Server:

    $ openssl s_client -connect community.mattermost.com:443

See the original post here.

This issue was generated from Mattermost using the Doc Up plugin.

Original issue: https://github.com/mattermost/mattermost-server/issues/13990.
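
The three OpenSSL checks from the proposed text, combined into one pass/fail function, as an added example that is not part of the original issue or of Mattermost's documentation. It assumes the input is `openssl x509 -noout -text` output, reads the certificate's own Signature Algorithm field, applies the 2048-bit floor only to RSA keys, and accepts a single-label wildcard SAN; `check_cert_text` and `chat.example.com` are hypothetical names.

```shell
#!/bin/sh
# Added example, not Mattermost code. check_cert_text reads the output of
# `openssl x509 -noout -text` on stdin; $1 is the host name clients connect to.
# Returns 0 only when the key length, hash and domain checks all pass.
check_cert_text() {
    host=$1
    [ -n "$host" ] || { echo "usage: check_cert_text HOST" >&2; return 2; }
    text=$(cat)
    rc=0

    # 1. Key length. The 2048-bit floor is applied to RSA keys only; EC keys
    #    report a much smaller size (e.g. 256 bit) that is not comparable.
    alg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    if [ -z "$bits" ] || { [ "$alg" = "rsaEncryption" ] && [ "$bits" -lt 2048 ]; }; then
        echo "FAIL key length: ${bits:-unknown} bit $alg (RSA needs 2048 or higher)"; rc=1
    else
        echo "ok   key length: $bits bit $alg"
    fi

    # 2. Hash in the certificate's Signature Algorithm field: SHA-2 family only.
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    case $(printf '%s' "$sig" | tr 'A-Z' 'a-z') in
        *sha256*|*sha384*|*sha512*) echo "ok   signature: $sig" ;;
        *) echo "FAIL signature: ${sig:-unknown} (need SHA-2)"; rc=1 ;;
    esac

    # 3. Domain: the host must appear as a DNS entry in the Subject Alternative
    #    Name extension, exactly or through a single-label wildcard such as
    #    *.example.com. grep -F keeps the "*" literal; -x matches whole entries.
    sans=$(printf '%s\n' "$text" | sed -n '/X509v3 Subject Alternative Name/{n;p;}' |
           tr ', ' '\n\n' | sed -n 's/^DNS://p')
    if printf '%s\n' "$sans" | grep -Fxqi -e "$host" -e "*.${host#*.}"; then
        echo "ok   SAN covers $host"
    else
        echo "FAIL SAN does not cover $host"; rc=1
    fi
    return $rc
}

# Live use (placeholder host). </dev/null lets s_client exit after the handshake:
#   openssl s_client -connect chat.example.com:443 -servername chat.example.com \
#       </dev/null 2>/dev/null | openssl x509 -noout -text | check_cert_text chat.example.com
```
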

justinegeffen commented 4 years ago

If you're interested in taking on this documentation request, let us know by commenting on the issue. The submitter of this issue (@icelander) can confirm the pages that need to be updated.

We look forward to your contribution!