The payload that configures certificate transparency enforcement.
| Setting | Type | Required | Default | Manual Install | Supported OS |
|---|---|---|---|---|---|
| **Disabled Certs** (`DisabledForCerts`): An array of certificates for which certificate transparency is disabled. One of the conditions listed below the table must be met for an entry to disable enforcement. 1 subkey | array | optional | — | ✓ Yes | iOS 12.1.1+, macOS 10.14.2+, tvOS 12.1.1+, visionOS 1.0+, watchOS 5.1.1+ |
| └─ `SubjectPublicKeyInfoHashDict`: A dictionary of hashed public keys. 2 subkeys | dictionary | — | — | ✓ Yes | iOS 12.1.1+, macOS 10.14.2+, tvOS 12.1.1+, visionOS 1.0+, watchOS 5.1.1+ |
| └─ └─ `Algorithm`: The algorithm must be `sha256`. | string | required | — | ✓ Yes | iOS 12.1.1+, macOS 10.14.2+, tvOS 12.1.1+, visionOS 1.0+, watchOS 5.1.1+ |
| └─ └─ `Hash`: The hash of the DER encoding of the certificate's `subjectPublicKeyInfo`. The hash field requires the data (the `subjectPublicKeyInfo` hash) in a specific format: a Base64-encoded (binary) SHA-256 hash of the certificate's public key. | data | required | — | ✓ Yes | iOS 12.1.1+, macOS 10.14.2+, tvOS 12.1.1+, visionOS 1.0+, watchOS 5.1.1+ |
| **Disabled domains** (`DisabledForDomains`): An array of strings that represent the domains to exclude from certificate transparency enforcement. The system supports a leading period (`.`) to signify subdomains, but it doesn't support wildcards. If you include a leading period, the domain can't be a top-level domain, such as `.com` or `.co.uk`. 1 subkey | array | optional | — | ✓ Yes | iOS 12.1.1+, macOS 10.14.2+, tvOS 12.1.1+, visionOS 1.0+, watchOS 5.1.1+ |
| └─ `domain` | string | — | — | ✓ Yes | iOS 12.1.1+, macOS 10.14.2+, tvOS 12.1.1+, visionOS 1.0+, watchOS 5.1.1+ |

When `DisabledForCerts` is set, one of the following conditions must be met for an entry to disable certificate transparency enforcement:

- The hash is of the server certificate's `subjectPublicKeyInfo`.
- The hash is of a `subjectPublicKeyInfo` that appears in a CA certificate in the certificate chain, and that CA certificate is constrained through the X.509v3 `nameConstraints` extension: one or more `directoryName` `nameConstraints` are present in the `permittedSubtrees`, and the `directoryName` contains an `organizationName` attribute.
- The hash is of a `subjectPublicKeyInfo` that appears in a CA certificate in the certificate chain. The CA certificate has one or more `organizationName` attributes in the certificate `Subject`, and the server's certificate contains the same number of `organizationName` attributes, in the same order, and with byte-for-byte identical values.
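The following is an added example, not code from Apple or from this documentation page. It shows how the `Hash` value is produced (raw SHA-256 over the DER-encoded `subjectPublicKeyInfo`, which `plistlib` then emits as a Base64 `<data>` element), builds the `DisabledForCerts` and `DisabledForDomains` settings, and checks the constraints the table states (`Algorithm` must be `sha256`, `Hash` must be 32 bytes, no wildcards, no leading-period top-level domain). The SPKI bytes are a constructed Ed25519 placeholder, not a real key, and `PUBLIC_SUFFIXES` is a constructed stand-in for the Public Suffix List; the function names are my own.

```python
import base64
import hashlib
import plistlib

# Constructed sample: DER-encoded SubjectPublicKeyInfo for an Ed25519 key
# (SEQUENCE { SEQUENCE { OID 1.3.101.112 }, BIT STRING { 32 key bytes } }).
# The 32 key bytes are a placeholder pattern, not a real public key.
SAMPLE_SPKI_DER = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))

# Constructed placeholder; a real deployment should consult the Public Suffix
# List to decide whether a leading-period entry names a top-level domain.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}


def spki_hash(spki_der: bytes) -> bytes:
    """Raw SHA-256 of the DER-encoded subjectPublicKeyInfo: the 'Hash' data value."""
    return hashlib.sha256(spki_der).digest()


def spki_hash_b64(spki_der: bytes) -> str:
    """The same hash as Base64 text, which is how the <data> element is written."""
    return base64.b64encode(spki_hash(spki_der)).decode("ascii")


def domain_is_valid(domain: str) -> bool:
    """Apply the page's rules: no wildcards, and a leading period must not name a TLD."""
    if not domain or "*" in domain:
        return False
    if domain.startswith("."):
        rest = domain[1:]
        if not rest or rest in PUBLIC_SUFFIXES:
            return False
    return True


def build_payload(spki_ders, domains) -> dict:
    """Build the settings dictionary for this payload from SPKI DER blobs and domains."""
    bad = [d for d in domains if not domain_is_valid(d)]
    if bad:
        raise ValueError(f"unsupported DisabledForDomains entries: {bad}")
    return {
        "DisabledForCerts": [
            {"SubjectPublicKeyInfoHashDict": {"Algorithm": "sha256", "Hash": spki_hash(d)}}
            for d in spki_ders
        ],
        "DisabledForDomains": list(domains),
    }


def to_plist(payload: dict) -> bytes:
    """Serialize as XML plist; bytes values become Base64 <data> elements."""
    return plistlib.dumps(payload, fmt=plistlib.FMT_XML)


def check_payload_plist(plist_bytes: bytes) -> bool:
    """Parse a plist and verify each entry against the constraints in the table."""
    payload = plistlib.loads(plist_bytes)
    for entry in payload.get("DisabledForCerts", []):
        d = entry.get("SubjectPublicKeyInfoHashDict", {})
        if d.get("Algorithm") != "sha256":
            return False
        if not isinstance(d.get("Hash"), bytes) or len(d["Hash"]) != 32:
            return False
    return all(domain_is_valid(dom) for dom in payload.get("DisabledForDomains", []))


def hash_round_trips(spki_der: bytes) -> bool:
    """True if the Hash survives plist serialization and parsing unchanged."""
    plist = to_plist(build_payload([spki_der], []))
    parsed = plistlib.loads(plist)
    return parsed["DisabledForCerts"][0]["SubjectPublicKeyInfoHashDict"]["Hash"] == spki_hash(spki_der)


if __name__ == "__main__":
    settings = build_payload([SAMPLE_SPKI_DER], [".internal.example.com", "pinned.example.org"])
    print(to_plist(settings).decode())
```

For a real certificate, the DER `subjectPublicKeyInfo` can be extracted with the usual OpenSSL pipeline (`openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform DER`) and fed to `spki_hash`; that pipeline is standard OpenSSL usage and is not taken from this page. Note that a hash of the wrong input (the whole certificate, or the raw key without its `AlgorithmIdentifier` wrapper) is still 32 bytes and will pass the length check, so verify against the exact SPKI bytes.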