If you have ever tried to create a CA and sign an SSL server certificate using macOS Keychain Access, you may be surprised to find that the resulting certificate is no longer a valid SSL certificate, due to new requirements in iOS 13 and macOS 10.15.

Issuing a CA Certificate

  • Open Keychain Access, Certificate Assistant, Create a Certificate Authority…
  • Update Name
  • Change User Certificate to SSL Server and do not override defaults

You may need to clean up ~/Library/Application\ Support/Certificate\ Authority as macOS expects generated CAs to have unique names.

Overriding defaults

It’s not recommended to override the defaults: it’s far too easy to create a CA that macOS would not accept. But in case you want to do it anyway:

Note: While this set of settings works, it’s unclear which parts of these instructions are important and which are not. Try at your own peril.

  • Certificate Information
    • Validity Period has to be ≤824 days
    • Sign your invitation should not be checked
    • You can set any custom Name (Common Name) or other fields there
  • Key Usage Extension For This CA
    • Check This extension is critical
    • Check Key Encipherment
  • Key Usage Extension For Users of This CA
    • Uncheck
  • Extended Key Usage Extension For This CA
    • Check This extension is critical
    • Check SSL Server Authentication
  • Extended Key Usage Extension For Users of This CA
    • Uncheck
  • Basic Constraints Extension For This CA
    • Check Use this certificate as a certificate authority
  • Subject Alternate Name Extension For This CA
    • Uncheck
  • Subject Alternate Name For Users of This CA
    • Uncheck
  • Specify a Location for The Certificate
    • Keychain should be local
    • Check Trust certificates signed by this CA

Double-check CA trust

If your newly created certificate is not trusted (blue plus icon), you need to open it and set Trust | When using this to Always Trust.

Issuing an SSL Certificate

  • Open Keychain Access, Certificate Assistant, Create a Certificate…
  • Update Name
  • Change Identity Type to Leaf
  • Change Certificate Type to SSL Server and click Override defaults

Overriding defaults

You have to override defaults to make this certificate compatible with macOS Catalina.

Note: While this set of settings works, it’s unclear which parts of these instructions are important and which are not. Try at your own peril.

  1. Certificate Information
    • Validity Period cannot be ≥825 days
    • You can set any custom Name (Common Name) or other fields there
  2. Choose An Issuer
    • Pick newly created CA (should be the default one)
  3. Key Usage Extension
    • You can uncheck Include Key Usage Extension, but unchecking it is not required
  4. Extended Key Usage Extension
    • Check Include Key Usage Extension
    • You can uncheck This extension is critical, but it’s not required
    • Don’t check any other Capabilities except SSL Server Authentication
  5. Basic Constraints Extension
    • Leave unchecked
  6. Subject Alternate Name Extension
    • You can uncheck This extension is critical, but unchecking it is not required
    • Enter your DNS names. A name may start with * for a wildcard, and you can list several domains separated by commas. This is a required field.
    • Do not use the iPAddress field
  7. Keychain
    • login
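
The two procedures above can be reproduced and checked from the command line. The script below is an added example written for this page; it is not part of the original post and does not use Keychain Access. It issues a local CA and a leaf certificate with openssl using the same settings the post describes (a CA with Basic Constraints and a critical Key Usage extension; a leaf with a validity of at most 824 days, SSL Server Authentication as the only extended key usage, DNS names in the Subject Alternate Name and no iPAddress entry), then checks an issued certificate against those constraints. The CA name, the `example.test` host name, the working directory and the `to_epoch` date helper are assumptions made for the example; it requires `openssl` and either GNU `date` (Linux) or BSD `date` (macOS).

```shell
#!/bin/sh
# Added example (not from the post): recreate the post's Keychain settings with
# openssl and check an issued certificate against them. Assumes openssl plus
# GNU or BSD date; names and paths below are placeholders for the example.
set -eu

WORK="${WORK:-$(mktemp -d)}"
MAX_DAYS=824   # the post: the validity period cannot be >= 825 days

# Convert an openssl date string ("Jan  1 00:00:00 2025 GMT") to epoch seconds,
# trying GNU date first and falling back to BSD/macOS date.
to_epoch() {
  date -d "$1" +%s 2>/dev/null \
    || date -j -f '%b %e %H:%M:%S %Y %Z' "$1" +%s
}

# Local CA: "Use this certificate as a certificate authority" (Basic Constraints)
# and a critical Key Usage extension, as in the post's CA dialog. openssl needs
# keyCertSign here to sign leaves; Keychain Access sets that for you.
make_ca() {
  cat > "$WORK/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Example Local CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$MAX_DAYS" \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Leaf: $1 = validity in days, $2 = SAN list such as "DNS:a.test,DNS:*.a.test".
# Mirrors the post's leaf dialog: EKU = SSL Server Authentication only, no Basic
# Constraints, DNS names in the SAN (the post says not to use iPAddress).
make_leaf() {
  cat > "$WORK/leaf.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = example.test
EOF
  cat > "$WORK/leaf.ext" <<EOF
subjectAltName = $2
extendedKeyUsage = serverAuth
keyUsage = digitalSignature, keyEncipherment
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/leaf.cnf" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days "$1" -sha256 -extfile "$WORK/leaf.ext" \
    -out "$WORK/leaf.pem" 2>/dev/null
}

# Check a PEM certificate ($1) against the post's constraints. Prints the first
# violation and returns 1, or prints OK and returns 0.
check_leaf() {
  text=$(openssl x509 -in "$1" -noout -text)
  start=$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2-)
  end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2-)
  days=$(( ( $(to_epoch "$end") - $(to_epoch "$start") ) / 86400 ))
  if [ "$days" -gt "$MAX_DAYS" ]; then
    echo "FAIL: validity period is $days days (> $MAX_DAYS)"; return 1
  fi
  case "$text" in
    *"TLS Web Server Authentication"*) ;;
    *) echo "FAIL: Extended Key Usage lacks SSL Server Authentication"; return 1 ;;
  esac
  case "$text" in
    *"DNS:"*) ;;
    *) echo "FAIL: Subject Alternate Name has no DNS entries"; return 1 ;;
  esac
  case "$text" in
    *"IP Address:"*) echo "FAIL: Subject Alternate Name contains an iPAddress"; return 1 ;;
  esac
  echo "OK: $days-day validity, serverAuth EKU, DNS names in SAN"
}
```

Source the script and run `make_ca`, then `make_leaf 824 "DNS:example.test,DNS:*.example.test"` followed by `check_leaf "$WORK/leaf.pem"`; reissuing with 826 days, or with an `IP:` entry in the SAN list, makes `check_leaf` report the violation and return a non-zero status. The same `check_leaf` function can be pointed at a certificate exported from Keychain Access as PEM to confirm what the dialogs produced.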