Ask questions"Certificate not standards compliant" on macOS Catalina, iOS 13

Certificates generated after July 1st, 2019 by versions of mkcert prior to v1.4.0 will not work on macOS 10.15 Catalina and iOS 13. Please update mkcert and regenerate the affected certificates.

The root CA is unaffected and there is no need to rerun mkcert -install.

— @FiloSottile

Under MacOS Catalina Public Beta 2, after installing mkcert via Homebrew and running the root certificate installer, my mkcert generated certificates are rejected in Safari with the message 'Certificate is not standards compliant' and in Chrome with 'ERR_CERT_REVOKED'.


Answer questions FiloSottile

Looks like it's a new limit on maximum lifespan. See

Additionally, all TLS server certificates issued after July 1, 2019 (as indicated in the NotBefore field of the certificate) must follow these guidelines:

TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).

It's surprising they would enforce it on private roots, honestly.

I am mildly tempted to fake the notBefore, but one way or another I need to fix it soon, or a bunch of certificates will be generated that will stop working after updating to Catalina.

BTW, if you try Chrome Canary it should give you a better error message.

Filippo Valsorda FiloSottile @Google, Go team Manhattan, NYC Cryptogopher. Go security lead. @recursecenter alum. RC F'13, F2'17.
Github User Rank List