Tell HN: Apple development certificate server seems down?
Source: Hacker News
Explanation
OpenSSL can’t validate the certificate because it contains a critical extension it doesn’t recognize — specifically 1.2.840.113635.100.6.27.3.2, an Apple‑proprietary OID marked as critical. According to X.509 rules, if a client encounters an unrecognized critical extension, it must reject the certificate.
That said, this is likely intentional on Apple’s part. Browsers and Apple’s own TLS stack (SecureTransport/Network.framework) almost certainly know how to handle this extension. It’s a private Apple CA (Apple Server Authentication CA) signing an Apple‑internal service endpoint, so it’s designed to work within Apple’s ecosystem rather than with generic OpenSSL.
In practice
- Works fine in Apple clients (Safari, curl on macOS using the system TLS stack, iOS apps)
- Fails with raw OpenSSL or other non‑Apple TLS implementations
- Not a misconfiguration — Apple is intentionally using a proprietary critical extension on their private PKI
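As an added example (not code from the post or from Apple), a small pure-Python DER walker that demonstrates the rule described above: it parses a certificate's Extensions SEQUENCE and reports every critical extension whose OID the client does not implement, which is the condition that makes a standards-following verifier reject the chain. The KNOWN set, the extension values and the sample block are constructed for illustration; only the Apple OID is taken from the post.

```python
def _der(tag, body):  # DER TLV; short-form length only, enough for this sample
    return bytes([tag, len(body)]) + body

def encode_oid(dotted):  # base-128 arcs; the first two arcs share one byte (40*a + b)
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while (a := a >> 7):
            chunk.append((a & 0x7F) | 0x80)
        out += reversed(chunk)
    return _der(0x06, bytes(out))

def decode_oid(body):  # inverse of encode_oid, giving the dotted form seen in error messages
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, v = arcs + [v], 0
    return ".".join(map(str, arcs))
def _read(buf, pos):  # one TLV -> (tag, contents, position after it); handles long-form lengths
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def extension(oid, critical, value):  # Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue }
    flag = _der(0x01, b"\xff") if critical else b""  # DER omits a DEFAULT FALSE boolean
    return _der(0x30, encode_oid(oid) + flag + _der(0x04, value))

def parse_extensions(seq):  # -> [(dotted OID, critical, extnValue bytes), ...]
    _, body, _ = _read(seq, 0)
    pos, exts = 0, []
    while pos < len(body):
        _, ext, pos = _read(body, pos)
        _, oid, p = _read(ext, 0)
        tag, val, p = _read(ext, p)
        critical = tag == 0x01 and val == b"\xff"
        if tag == 0x01:  # boolean was present, so the OCTET STRING follows it
            _, val, p = _read(ext, p)
        exts.append((decode_oid(oid), critical, val))
    return exts

KNOWN = {"2.5.29.15", "2.5.29.17", "2.5.29.19", "2.5.29.37"}  # what this toy client implements
def unhandled_critical(seq, known=KNOWN):  # RFC 5280 s4.2: these make the certificate invalid
    return [oid for oid, crit, _ in parse_extensions(seq) if crit and oid not in known]

# Constructed sample (not Apple's real certificate): critical keyUsage + the post's Apple OID, critical.
SAMPLE = _der(0x30, extension("2.5.29.15", True, b"\x03\x02\x05\xa0")
                    + extension("1.2.840.113635.100.6.27.3.2", True, b"\x05\x00"))
```

Running `unhandled_critical(SAMPLE)` returns the Apple OID alone; an unknown extension that is not marked critical is ignored, which is why only the critical flag turns a private OID into a hard failure for non-Apple stacks.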