How To Generate a Self Signed Root CA That Includes Extended Key Usage (EKU) from the CLI on macOS.

How To Generate a Self Signed Root CA That Includes Extended Key Usage (EKU) from the CLI on macOS.

Created On 03/25/21 22:29 PM - Last Modified 01/27/22 03:43 AM

  • For most mid/small market networks with no enterprise certificates, there is a need to generate their own Root CA,s.
  • Apple iOS13 and macOS 10.15 new security requires all TLS server certificates to contain an ExtendedKeyUsage (EKU) containing the id-kp-serverAuth OID.
  • Any connections to TLS servers that violate this requirement (for the purpose of decryption for instance) will fail and may cause network failures, apps to fail, and websites to not load in Safari in iOS 13 and macOS 10.15.
  • The objective here is to instruct readers how to install a proper Self-Signed Root CA with EKU containing the id-kp-serverAuth OID.

  • Apple devices with iOS13 or macOS 10.15
  • Palo Alto Networks NGFW which utilizes decryption

  1. Create a file named "cert_config" with the content below:
    [ req ]
    prompt             = no
    distinguished_name = my dn
    [ my dn ]
    # The bare minimum is probably a commonName
    commonName =
    countryName = XX
    localityName = Fun Land
    organizationName = MyCo LLC LTD INC (d.b.a. OurCo)
    organizationalUnitName = SSL Dept.
    stateOrProvinceName = YY
    emailAddress =
    name = John Doe
    surname = Doe
    givenName = John
    initials = JXD
    dnQualifier = some
    [ my server exts ]
    extendedKeyUsage =
    # can also be spelled serverAuth:
    # extendedKeyUsage = serverAuth
    # see x509v3_config for other extensions
  2. Use openssl to generate the certificate:
    $ openssl req -x509 -config cert_config -extensions 'my server exts' -nodes -days 365 -newkey rsa:4096 -keyout myserver.key -out myserver.crt
Source: How to Add EKU String when Generating a Self-Signed Certificate

Note: One needs the full chain of custody of certs (CA, client cert w/ private key) on a machine for this to function.

Additional Information
  • To learn more about Apple's new security requirements for TLS server certificates in iOS 13 and macOS 10.15, click here.
  • This guide demonstrates how to act as your own certificate authority (CA) using the OpenSSL command-line tools.  
  • You can also follow this topic or add to it by joining our LIVE Community discussion post.  
  • To learn more about generating a new self-signed SSL certificate on the Palo Alto Networks firewall GUI, please see the following article.

NoteThis article is written for informational purposes only. Palo Alto Networks does not support any third-party operating systems.

  • Print
  • Copy Link

Choose Language