Appendix E - Trusted Certificates for macOS 10.15+
All TLS server certificates (SAM, Snare Central or any other network destination) must comply with the security requirements introduced in macOS 10.15 (https://support.apple.com/en-us/HT210176):
- TLS server certificates and issuing CAs using RSA keys must use key sizes greater than or equal to 2048 bits. Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS.
- TLS server certificates and issuing CAs must use a hash algorithm from the SHA-2 family in the signature algorithm. SHA-1 signed certificates are no longer trusted for TLS.
- TLS server certificates must present the DNS name of the server in the Subject Alternative Name extension of the certificate. DNS names in the CommonName of a certificate are no longer trusted.
Additionally, all TLS server certificates issued after July 1, 2019 (as indicated in the NotBefore field of the certificate) must follow these guidelines:
- TLS server certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID.
- TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).
If 'strict certificate checking' is enabled in the Snare agent, connections to TLS servers that violate these requirements will fail, and the network connection will drop on macOS 10.15.
Follow these steps to create an SSL certificate that complies with these requirements:
- Copy the following text into an empty text file and save it as a .conf file (the commands below assume it is saved as req.conf)
Certificate Conf File
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = VA
L = SomeCity
O = MyCompany
OU = MyDivision
CN = www.company.com

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.company.com
DNS.2 = company.com
DNS.3 = www.company.net
DNS.4 = company.net
- Now edit the values to match the server machine. The *most* important properties are CN and the DNS.x entries.
- For example, if the server name is testserver, the .conf file will look like the following
Sample .conf file
....
CN = testserver.domain.com

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = testserver.domain.com
DNS.2 = testserver.domain
DNS.3 = testserver
- Now run the following command to generate the .csr file from the .conf file.
Create .csr file from .conf file
openssl req -new -out company_san.csr -newkey rsa:2048 -nodes -sha256 -keyout company_san.key.temp -config req.conf
- The above step will also create the private key file company_san.key.temp
- Run the following command to validate the .csr file and make sure no error is reported
Validate the .csr file
openssl req -text -noout -verify -in company_san.csr
- Specifically check that the CN and 'Subject Alternative Name' are correct and correspond to the server machine. Without a 'Subject Alternative Name' the certificate check will fail on macOS 10.15+
- Now obtain a certificate from your root Certificate Authority (CA) using the .csr file
- Once you receive the certificate .cer file from the root Certificate Authority (CA), run the following command to combine the private key file company_san.key.temp and the server certificate .cer into a single .pfx file
Combine certificate and private key
openssl pkcs12 -inkey company_san.key.temp -in certificate.cer -export -out certificate.pfx
- Next install certificate.pfx on the server machine:
- Double-click the certificate.pfx file
- Select "System" from the Keychain drop-down box and press Add
- Open the "Keychain Access" app
- Go to the 'System' keychain and select the 'Certificates' category
- Your certificate will be shown
- Double-click the certificate and go to 'Trust'
- Select 'Always Trust' from the 'When using this certificate' drop-down box and close the window using the button at the top left (it will prompt for an admin password)
- Install the Certificate Authority (CA) root certificate in the keychain on the Snare agent machine (if not already installed)
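As an added example that is not part of the Snare documentation, the following script checks a finished PEM certificate against the five macOS 10.15 rules listed at the top of this appendix, using the same openssl CLI as the steps above. The function name, the PASS/FAIL output format and the dependency on GNU date (with a BSD date fallback) are assumptions of this example.

```shell
#!/bin/sh
# Check a PEM certificate against the macOS 10.15 TLS trust rules listed above.
# Prints one PASS/FAIL line per rule; exit status 0 only when every rule passes.
# Assumes the openssl CLI (1.1.1 or later) and GNU date, with a BSD date fallback for macOS.

to_epoch() {
  date -u -d "$1" +%s 2>/dev/null || date -u -j -f '%b %e %H:%M:%S %Y %Z' "$1" +%s
}

check_macos_cert() {
  cert="$1"; rc=0
  text=$(openssl x509 -in "$cert" -noout -text) || return 2

  # 1. RSA keys must be 2048 bits or larger ("Public-Key: (2048 bit)" in the text dump)
  alg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: //p' | head -n 1)
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  if [ "$alg" != rsaEncryption ] || [ "${bits:-0}" -ge 2048 ]; then
    echo "PASS key: $alg ${bits:-?} bits"; else echo "FAIL key: RSA ${bits:-?} bits < 2048"; rc=1; fi

  # 2. Signature hash must be from the SHA-2 family (SHA-1 signed certificates are rejected)
  sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: //p' | head -n 1)
  case "$sig" in
    *sha256*|*sha384*|*sha512*|*SHA256*|*SHA384*|*SHA512*) echo "PASS signature: $sig" ;;
    *) echo "FAIL signature: $sig"; rc=1 ;;
  esac

  # 3. The server's DNS name must be in Subject Alternative Name; CommonName alone is ignored
  if printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | grep -q 'DNS:'; then
    echo "PASS SAN contains a DNS name"; else echo "FAIL no DNS name in Subject Alternative Name"; rc=1; fi

  # 4. ExtendedKeyUsage must include id-kp-serverAuth (shown as "TLS Web Server Authentication")
  if printf '%s\n' "$text" | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Server Authentication'; then
    echo "PASS EKU includes serverAuth"; else echo "FAIL EKU lacks serverAuth"; rc=1; fi

  # 5. Certificates issued after July 1, 2019 may be valid for at most 825 days
  nb=$(openssl x509 -in "$cert" -noout -startdate | sed 's/^notBefore=//')
  na=$(openssl x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//')
  nb_s=$(to_epoch "$nb"); na_s=$(to_epoch "$na"); cutoff=$(to_epoch 'Jul  1 00:00:00 2019 GMT')
  days=$(( (na_s - nb_s) / 86400 ))
  if [ "$nb_s" -lt "$cutoff" ] || [ "$days" -le 825 ]; then echo "PASS validity: $days days"
  else echo "FAIL validity: $days days exceeds 825"; rc=1; fi
  return $rc
}

# Usage: sh check_cert.sh certificate.pem (a .pfx must first be converted to PEM with openssl pkcs12)
if [ "$#" -gt 0 ]; then check_macos_cert "$1"; fi
```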