The payload that configures Automated Certificate Management Environment (ACME) settings.
Supported on: iOS, macOS, tvOS
Minimum OS: macOS 13.1+, iOS 16.0+
Configuration Keys (12)
Each entry below gives the key name with its type and whether it is required, followed by the title, description, default, and range.
DirectoryURL (string, required)
Title: ACME directory URL
The directory URL of the ACME server. The URL must use the https scheme.
Default: —
Range: —
ClientIdentifier (string, required)
Title: Client identifier
A unique string identifying a specific device. The server may use this as an anti-replay code to prevent issuing multiple certificates. This identifier also indicates to the ACME server that the device has access to a valid client identifier issued by the enterprise infrastructure, which can help the ACME server decide whether to trust the device. This is, however, a relatively weak indication, because an attacker could intercept the client identifier.
Default: —
Range: —
KeySize (integer, required)
Title: Key Size
The valid values for 'KeySize' depend on the values of 'KeyType' and 'HardwareBound'. See those keys for specific requirements.
Default: —
Range: —
KeyType (string, required)
Title: Key Type
The type of key pair to generate. Allowed values:
- 'RSA': Specifies an RSA key pair. RSA key pairs need to have a 'KeySize' that's a multiple of 8 in the range of 1024 through 4096 (inclusive), and 'HardwareBound' needs to be 'false'.
- 'ECSECPrimeRandom': Specifies a key pair on the P-192, P-256, P-384, or P-521 curves as defined in FIPS Pub 186-4. 'KeySize' defines the particular curve, which needs to be '192', '256', '384', or '521'. Hardware bound keys only support values of '256' and '384'.
Note: The key size is '521', not '512', even though the other key sizes are multiples of 64.
Default: —
HardwareBound (boolean, required)
Title: Hardware Bound
If 'false', the private key isn't bound to the device.
If 'true', the private key is bound to the device. The Secure Enclave generates the key pair, and the private key is cryptographically entangled with a system key. This prevents the system from exporting the private key.
If 'true', 'KeyType' must be 'ECSECPrimeRandom' and 'KeySize' must be 256 or 384.
Setting this key to 'true' is supported as of macOS 14 on Apple Silicon and on Intel devices that have a T2 chip. Older macOS versions and other Mac devices still require this key, but its value must be 'false'.
Default: —
Range: —
Subject (array, required)
Title: Subject
The device requests this subject for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues.
An X.500 name represented as an array of OID/value pairs. For example, '/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar' corresponds to:
'[ [ ["C", "US"] ], [ ["O", "Apple Inc."] ], ..., [ [ "1.2.5.3", "bar" ] ] ]'
Dotted numbers can represent OIDs, with shortcuts for country (C), locality (L), state (ST), organization (O), organizational unit (OU), and common name (CN).
Default: —
Range: —
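The slash-separated form above is what an administrator usually has on hand, while the payload wants the nested array. The following converter is an added example, not Apple's code or part of any MDM product; it assumes the input format shown in this entry, that each relative distinguished name holds a single attribute/value pair (so every inner array has one pair), and that values contain no '/' character. The function names 'subject_to_array' and 'array_to_subject' are this example's own.

```python
"""Convert an X.500-style subject string into the nested array the ACME
payload's Subject key expects, and back again for review.

Added example, not Apple's code. Assumes the slash-separated format shown
in the payload documentation and that attribute values contain no '/'."""
import re

# Attribute shortcuts the documentation lists for the Subject key.
KNOWN_SHORTCUTS = {"C", "L", "ST", "O", "OU", "CN"}
# Anything else must be an OID in dotted notation, e.g. "1.2.5.3".
DOTTED_OID = re.compile(r"^[0-9]+(\.[0-9]+)+$")


def subject_to_array(subject: str) -> list:
    """Parse '/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar' into
    [[["C", "US"]], [["O", "Apple Inc."]], [["CN", "foo"]], [["1.2.5.3", "bar"]]].

    Each RDN becomes one inner array holding one [type, value] pair, which
    matches the ACMESubjectArrayInnerArray / ACMESubjectArrayPair nesting.
    Raises ValueError on input that would produce a malformed Subject."""
    if not subject.startswith("/"):
        raise ValueError("subject must start with '/'")
    result = []
    for rdn in subject[1:].split("/"):
        if not rdn:
            continue  # tolerate a trailing or doubled slash
        if "=" not in rdn:
            raise ValueError(f"missing '=' in RDN {rdn!r}")
        attr, value = rdn.split("=", 1)
        attr = attr.strip()
        if attr not in KNOWN_SHORTCUTS and not DOTTED_OID.match(attr):
            raise ValueError(
                f"unknown attribute type {attr!r}; use a shortcut or a dotted OID")
        if not value:
            raise ValueError(f"empty value for {attr}")
        result.append([[attr, value]])
    return result


def array_to_subject(arr: list) -> str:
    """Inverse of subject_to_array: render the nested array as slash form so a
    reviewer can read what the profile will request."""
    parts = []
    for inner in arr:
        for attr, value in inner:
            parts.append(f"{attr}={value}")
    return "/" + "/".join(parts)


if __name__ == "__main__":
    sample = "/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar"   # constructed from the docs' example
    nested = subject_to_array(sample)
    print(nested)
    print(array_to_subject(nested))
```

Rejecting unknown attribute names at conversion time is deliberate: a typo such as 'CM=foo' would otherwise be sent to the ACME server as a name the profile author never intended, and the server is free to issue exactly what was requested.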
SubjectAltName (dict)
Title: Subject Alt Name
The Subject Alt Name that the device requests for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues.
Default: —
Range: —
UsageFlags (integer)
Title: Key Usage
This value is a bit field.
- Bit '0x01' indicates digital signature.
- Bit '0x04' indicates encryption.
The device requests this key usage for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues.
Default: —
Range: —
ExtendedKeyUsage (array)
Title: Extended Key Usage
The value is an array of strings. Each string is an OID in dotted notation. For instance, '["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"]' indicates client authentication and email protection.
The device requests this field for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues.
Default: —
Range: —
Attest (boolean)
Title: Attest
If 'true', the device provides attestations that describe the device and the generated key to the ACME server. The server can use the attestations as strong evidence that the key is bound to the device, and that the device has the properties listed in the attestation. The server can use that as part of a trust score to decide whether to issue the requested certificate.
When 'Attest' is 'true', 'HardwareBound' also needs to be 'true'.
Setting this key to 'true' is supported as of macOS 14. Older macOS versions still require this key, but its value must be 'false'. See below for hardware requirements.
Default: false
Range: —
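The constraints spread across the 'KeyType', 'KeySize', 'HardwareBound', 'UsageFlags' and 'Attest' entries are easy to get wrong in a hand-written profile, and a device will only report the failure after the profile is pushed. The checker below is an added example, not Apple's code or an MDM vendor's: it applies every rule those entries state to a payload dictionary, builds the strongest configuration the entries describe (Secure Enclave key, attested, app access restricted), and serialises it with the standard library's plistlib. The function names, the 'https://acme.example.test/directory' URL, the 'device-0001' identifier and the subject value are constructed for this illustration; the checker does not talk to any server and does not check the OS version or hardware generation.

```python
"""Validate an ACME payload dictionary against the documented key-pair and
attestation rules, then serialise a conforming payload as an XML plist.

Added example, not Apple's code. Sample URL, identifier and subject below are
constructed placeholders."""
import plistlib

RSA_MIN, RSA_MAX = 1024, 4096
EC_CURVES = {192, 256, 384, 521}        # note 521, not 512
HW_BOUND_CURVES = {256, 384}            # Secure Enclave supports only these
USAGE_DIGITAL_SIGNATURE = 0x01
USAGE_ENCRYPTION = 0x04
REQUIRED = ("DirectoryURL", "ClientIdentifier", "KeySize", "KeyType",
            "HardwareBound", "Subject")


def validate_acme_payload(p: dict) -> list:
    """Return a list of problems; an empty list means every documented rule
    holds. Only local, static checks are performed."""
    problems = [f"missing required key {k}" for k in REQUIRED if k not in p]
    if problems:
        return problems
    if not p["DirectoryURL"].startswith("https://"):
        problems.append("DirectoryURL must use the https scheme")
    hw, size, ktype = p["HardwareBound"], p["KeySize"], p["KeyType"]
    if ktype == "RSA":
        if not (RSA_MIN <= size <= RSA_MAX and size % 8 == 0):
            problems.append("RSA KeySize must be a multiple of 8 in 1024..4096")
        if hw:
            problems.append("RSA keys cannot be HardwareBound")
    elif ktype == "ECSECPrimeRandom":
        if size not in EC_CURVES:
            problems.append("EC KeySize must be 192, 256, 384 or 521")
        elif hw and size not in HW_BOUND_CURVES:
            problems.append("HardwareBound EC keys support only KeySize 256 or 384")
    else:
        problems.append(f"unknown KeyType {ktype!r}")
    if p.get("Attest", False) and not hw:
        problems.append("Attest requires HardwareBound to be true")
    flags = p.get("UsageFlags", 0)
    if flags & ~(USAGE_DIGITAL_SIGNATURE | USAGE_ENCRYPTION):
        problems.append("UsageFlags contains bits other than 0x01 and 0x04")
    for oid in p.get("ExtendedKeyUsage", []):
        parts = oid.split(".")
        if len(parts) < 2 or not all(part.isdigit() for part in parts):
            problems.append(f"ExtendedKeyUsage entry {oid!r} is not a dotted OID")
    return problems


def attested_hardware_bound_payload(directory_url: str, client_id: str) -> dict:
    """Build the configuration with the strongest documented guarantees:
    P-256 key generated in the Secure Enclave, attested, signature-only,
    client-authentication EKU, private key not shared with all apps."""
    return {
        "DirectoryURL": directory_url,
        "ClientIdentifier": client_id,
        "KeyType": "ECSECPrimeRandom",
        "KeySize": 256,
        "HardwareBound": True,
        "Attest": True,
        "Subject": [[["CN", "example-device"]]],      # constructed sample
        "UsageFlags": USAGE_DIGITAL_SIGNATURE,
        "ExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],     # client authentication
        "AllowAllAppsAccess": False,
    }


def to_plist(payload: dict) -> bytes:
    """Serialise the payload dictionary as an XML property list."""
    return plistlib.dumps(payload, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    good = attested_hardware_bound_payload(
        "https://acme.example.test/directory", "device-0001")   # constructed values
    print("problems:", validate_acme_payload(good))
    print(to_plist(good).decode())
```

The plist produced here is only the payload dictionary; wrapping it in a full configuration profile with 'PayloadType', 'PayloadIdentifier' and the other envelope keys is left to whatever tooling deploys it.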
KeyIsExtractable (boolean)
Title: Key Is Extractable
If 'true', the private key of the identity obtained through Automated Certificate Management Environment (ACME) needs to be tagged as "non-extractable" in the keychain.
Default: true
Range: —
AllowAllAppsAccess (boolean)
Title: Allow All Apps Access
If 'true', all apps have access to the private key.
Default: false
Range: —
ACMESubjectArrayInnerArray (array)
Title: Array Inside ACME Subject Array
Description: —
Default: —
Range: —

ACMESubjectArrayPair (array)
Title: Subject Array Pair
Description: —
Default: —
Range: —

ACMESubjectArrayPairItem (string)
Title: ACME Subject Array Pair Item
Description: —
Default: —
Range: —
rfc822Name (string)
Title: RFC 822 Name
The RFC 822 (email address) string.
Default: —
Range: —

dNSName (string)
Title: DNS Name
The DNS name.
Default: —
Range: —

uniformResourceIdentifier (string)
Title: URI
The Uniform Resource Identifier.
Default: —
Range: —
ntPrincipalName (string)
Title: NT Principal Name
The NT principal name, carried as an otherName entry whose OID is set to '1.3.6.1.4.1.311.20.2.3'.