Knowledge Base

Description

Following a previous update, on September 10, 2021, Apple released an update to macOS, iOS, and iPadOS systems to fully distrust and remove some of the Symantec and Verisign roots listed under Affected Certificates from the Apple ecosystem.

On January 31, 2022, Apple plans to release another update to macOS, iOS, and iPadOS systems to fully distrust and remove five more Symantec and Verisign roots listed under Affected Certificates from the Apple ecosystem.

Note: Removing root certificates blocks the certificates chained to roots and prevents them from functioning as expected on Apple devices. It also prevents you from reinstalling the "removed" root certificates on an Apple device.

How does this affect my certificates?

• Certificates chained to the Symantec and Verisign roots are no longer trusted on Apple devices.
• Email, code, documents, and other file types signed with client, S/MIME, code signing, and document signing certificates issued from those roots will not be trusted on Apple devices.
• The effects may extend beyond distrust as the cryptographic functions (the ability to decrypt an encrypted message) are also blocked.
   

Note: These same certificates will continue to function as expected on other operating systems and devices. To recover encrypted data, you'll need to access it from other systems or non-Apple devices.

If your application uses certificates signed with a distrusted chain and utilizes an application or certificate injection process outside the Apple Developer Certificate process, you will need to update to a trusted certificate chain, including systems that support application updating across shared device platforms.

In these situations, the result of the Apple Services API call (SecTrustEvaluate) results in an error related to "kSecTrustResultFatalTrustFailure." This error message indicates that the certificate and chain have been blocked or misinterpreted by the system.  

Background

In 2018, Apple announced that it would move forward with a partial distrust of Symantec and Symantec brand root certificates. The complete distrust of some of the roots was planned for February 25, 2020. At the same time, other roots were planned to be distrusted in 2023.

However, some parts of this process have been delayed, and other parts are being accelerated. Apple completed the full root certificate distrust. However, root removal and subsequent certificate distrust have just begun.

Note: Root certificate removal results in errors when attempting to run applications signed with the affected certificates.

When will distrust start?

• On September 10, 2021, Apple distrusted several Symantec and VeriSign roots.  Apple's root removal for these roots was not something new. They have been planning it since 2017 and were expected to roll out these changes in April 2021.
• On January 31, 2022, Apple will distrust five more Symantec and VeriSign roots. Apple is accelerating the removal of these five roots. These root certificates were initially scheduled to be distrusted in 2023.

Affected Certificates

January 31, 2022, Root Distrust

• VeriSign Class 1 Public Primary Certification Authority – G3
• VeriSign Class 2 Public Primary Certification Authority - G3
• Symantec Class 1 Public Primary Certification Authority – G6
• Symantec Class 2 Public Primary Certification Authority – G6
• VeriSign Universal Root Certification Authority

September 10, 2021, Root Distrust

• VeriSign Class 3 Public Primary Certification Authority - G4
• VeriSign Class 3 Public Primary Certification Authority - G5
• Symantec Class 3 Public Primary Certification Authority - G4
• Symantec Class 3 Public Primary Certification Authority - G6
• GeoTrust Global CA
• thawte Primary Root CA
• GeoTrust Primary Certification Authority
• thawte Primary Root CA - G2
• thawte Primary Root CA - G3
• GeoTrust Primary Certification Authority - G2
• GeoTrust Primary Certification Authority - G3
• Symantec Class 1 Public Primary Certification Authority - G4
• Symantec Class 2 Public Primary Certification Authority - G4
• VeriSign Class 3 Public Primary Certification Authority - G3

Frequently Asked Questions (FAQ)

What is happening now?

• Apple distrusted several root certificates on September 10, 2021; see Affected Certificates above.
• Apple will distrust five more root certificates on January 31, 2022; see Affected Certificates above.

Each phase begins by removing the root certificates from certificate stores in iOS, iPadOS, and macOS and then blocks these root certificates from being manually installed on Apple devices or the Apple PKI library.

What has changed? 

We previously communicated the distrust timeline for root certificates and posted it in our Symantec Root Removal KB. However, we have additional information regarding the changes as further updates have been provided by Apple. Apple is accelerating their project to remove five more Symantec roots (including VeriSign) on January 31, 2022, instead of 2023.

Is this different than the previous distrust activities?

Each root store is implementing the removal of the Symantec roots in a different manner:

• Some root stores are removing the root certificates outright. 
• Other root stores are implementing a notBefore date that removes trust from certificates issued from these roots after that date.  

Apple is removing and blocking the issuing CAs chaining to these roots in their root stores. Removing the roots means all certificates issued from those roots and all objects signed from certificates issued off those roots will no longer be trusted on macOS and iOS. Blocking means the root certificates cannot be reinstalled on Apple devices or the Apple PKI library.

So, if your implementation requires Apple trust, you must reissue certificates using the DigiCert hierarchy and resign objects (code, document, email, etc.).  

Why do I need to worry about my expired certificate? They most likely aren't needed and can't be used? 

When you use a certificate to sign objects, the signature can remain valid after the certificate used to sign the object expires.

For example, if you include a valid timestamp with your signature, the signature remains valid as long it can connect to the root certificate it was issued under. The timestamp relies on the root certificate to validate the signed object, not the expired certificate used to sign it.

Because Apple is removing the roots, the signatures can no longer connect to the root certificate from Apple devices. When the signature can't reach the root, it fails the validation of the certificate chain. Once Apple removes the roots, the signed objects may stop functioning as expected. 

Note: The Apple removal also blocks you from manually installing the root certificate in your Apple ecosystem, including the use of cross-chained intermediates that chain back to the Symantec and VeriSign root chains.   

For expired certificates, will I need a new certificate to resign objects?

Yes, you will need a new, trusted certificate. With timestamped signatures no longer recognized, you will need to resign the code with a certificate issued from a trusted root to re-establish trust for your applications.

Note: We recommend that you sign with ONLY a trusted chain instead of signing the already signed code (using a legacy chain) with a second signature from a trusted chain.