Certificate Transparency

When an iOS device establishes a connection to a server, the server’s TLS certificate is evaluated against Apple’s Certificate Transparency requirement, and the result decides whether the device trusts the certificate. Servers exposed to the internet whose certificates are submitted to a public log automatically fulfill the requirement. Internal servers that are not exposed to the internet are different: their certificates are not submitted to a public log, so they do not meet the Certificate Transparency requirement, and your iOS devices may experience trust failures when connecting to them. This profile configuration enables you to disable the Certificate Transparency requirement for your internal servers and internal domains so your iOS devices can connect to them. For more information, see CertificateTransparency.

You do this when:

Restriction:
  • This configuration is available to iOS 12.1.1+ devices.
  • You must add at least one certificate or domain.
Feature Details

Disable Transparency for Certificates
Select Add and enter the hash of a private, untrusted certificate. The hash is the SHA-256 digest of the DER-encoded subjectPublicKeyInfo of the certificate. Enter the binary digest in Base64 encoding.
Restriction: You cannot add identical hashes.

Your iOS devices skip the Certificate Transparency check for the added certificate hash.

Disable Transparency for Domains
Select Add and enter the web address of a domain.

Your iOS devices skip the Certificate Transparency check for the added domain.