Following their 2018 WWDC conference, Apple announced they will begin requiring Certificate Transparency (CT) for all SSL/TLS certificates issued after October 15, 2018.
Certificate Transparency is a recent addition to the SSL ecosystem, first introduced in 2013, which provides transparency by publicly logging SSL certificates. This allows auditors to get a more reliable look at what is being issued by Certificate Authorities and improves public trust and security in the Web PKI system.
Apple’s new policy applies to the entire macOS and iOS platforms, not just the browser. This means CT compliance will be checked in all other contexts where SSL certificates are used to secure a connection, such as in apps, in addition to Safari.
Google, which developed the Certificate Transparency system, recently began requiring CT for all certificates in Chrome this April. All new DigiCert certificates are automatically logged and CT-compliant, and unless you have explicitly opted-out, your certificates will already be compliant with Apple’s requirement as well.
Certificates that aren’t logged will not be trusted and will be treated similar to expired or self-signed certificates, where the browser/app will present an error and refuse to make a connection. Certificates are compliant if they are logged in at least two separate CT logs, with more required for longer-life certificates. Certificate Authorities handle the logging of certificates for their client and will usually embed a type of data called an “SCT” into the certificate as proof it has been logged—in most cases all of this is transparently handled by your provider and adds no additional burden to your certificate provisioning process.
Apple’s policy will not be retroactive. If they haven’t already, certificates issued before October 15, 2018, will not be required to be logged to remain trusted.
Their announcement also included the list of CT logs that will be trusted on their platforms, which has been borrowed from the list trusted by Chrome. Firefox has previously announced their intent to support Certificate Transparency, with no firm date announced. Requiring CT in browsers enhances end-user security by ensuring there are no clients that can be exploited by avoiding logging.