jeans/home-assistant.io
jeans/home-assistant.io
1
0
Fork 0
mirror of https://github.com/home-assistant/home-assistant.io.git synced 2025-07-16 05:46:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add iOS/macOS certificate requirements (#11157)

Browse Source
This commit is contained in:
James Goodhouse 2019-11-11 23:28:43 -08:00 committed by Fabian Affolter
parent d1732f8880
commit 66fddef70f
1 changed files with 20 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
source/_docs/ecosystem/certificates/tls_self_signed_certificate.markdown
View File

@ -14,12 +14,6 @@ Change to your Home Assistant [configuration directory](/getting-started/configu
The certificate **must** be `.pem` extension.
If you are going to use this certificate with the iOS app, you need to ensure you complete **all** fields during the certificate creation process, then:
* Send **only** the `certificate.pem` file to the iOS device, using airdrop or other transfer method.
* Open the `.pem` file on the iOS device, follow the prompts to trust and install it.
* If you are using iOS 10.3 or newer then [additional steps](https://support.apple.com/en-us/HT204477) are needed.
```bash
openssl req -sha256 -newkey rsa:4096 -nodes -keyout privkey.pem -x509 -days 730 -out certificate.pem
```
@ -46,3 +40,23 @@ sudo chmod 755 certificate.pem privkey.pem
```
A tutorial "[Working with SSL Certificates, Private Keys and CSRs](https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs)" could give you some insight about special cases.
### iOS and macOS Specific Requirements
#### iOS
If you are going to use this certificate with the iOS app, you need to ensure you complete **all** fields during the certificate creation process, then:
* Send **only** the `certificate.pem` file to the iOS device, using airdrop or other transfer method.
* Open the `.pem` file on the iOS device, follow the prompts to trust and install it.
* If you are using iOS 10.3 or newer then [additional steps](https://support.apple.com/en-us/HT204477) are needed.
#### iOS 13 and macOS 10.15
There are [new security requirements](https://support.apple.com/en-us/HT210176) for TLS server certificates in iOS 13 and macOS 10.15. To summarize:
* The key size must be greater than or equal to 2048 bits.
* A hash algorithm from the SHA-2 family is required. SHA-1 signed certificates are no longer trusted for TLS.
* The DNS name of the server must be included in the Subject Alternative Name extension of the certificate.
* For certificates issued after July 1, 2019:
* Certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID.
* Certificates must have a validity period of 825 days or fewer.