Certificate Management Service:Select and configure certificates for Apple ATS

Last Updated:Mar 31, 2026

Since January 1, 2017, Apple requires all iOS apps to use App Transport Security (ATS), which enforces HTTPS for all network communication. To pass ATS validation, your certificate and web server must meet specific cryptographic requirements.

Alibaba Cloud CDN and Server Load Balancer (SLB) are already configured to meet ATS requirements.

Certificate requirements

ATS requires the following of your certificate and server configuration:

Certificate authority (CA): Use an organization validated (OV) or extended validation (EV) certificate. We recommend OV or EV digital certificates from GlobalSign.

Hash algorithm: SHA-256 or stronger. GlobalSign and Entrust certificates meet this requirement.

Key length: 2048-bit RSA or stronger. If you select Automatic for CSR generation, the system generates a 2048-bit RSA key automatically. If you select Manual, use a 2048-bit or stronger key.

TLS protocol: TLS 1.2 must be enabled on your web server. See Server TLS 1.2 requirements.

Cipher suites: At least one ATS-accepted cipher suite must be enabled. See Accepted cipher suites.

Server TLS 1.2 requirements

TLS 1.2 support depends on your web server software and version. The minimum version required for each server type is:

Apache HTTP Server / NGINX: OpenSSL 1.0 (OpenSSL 1.0.1 or later is recommended).

Tomcat: Tomcat 7 with JDK 7.0.

JRE-based servers: JDK 1.7.

OpenSSL (standalone): OpenSSL 1.0 (OpenSSL 1.0.1 or later is recommended).

IIS 7.5: Any version, but TLS 1.2 is disabled by default. See Enable TLS 1.2 on IIS 7.5.

IBM Domino Server: 9.0.1 FP3 (IBM Domino 9.0.1 FP5 or later is recommended).

IBM HTTP Server: 8.0 (IBM HTTP Server 8.5 or later is recommended).

WebLogic: 10.3.6, which requires Java 7 or later. WebLogic 10.3.6 has known SHA-256 compatibility issues, so WebLogic 12 or later is recommended. If you must use 10.3.6, place an Apache or NGINX HTTPS proxy, or a load balancer, in front of it.

WebSphere: V7.0.0.23, V8.0.0.3, or V8.5.0.0. See Configure WebSphere to use TLS 1.2.

For web servers other than IIS 7.5 and WebLogic 10.3.6, TLS 1.2 is enabled by default if your server version meets the minimum requirements listed above.

Enable TLS 1.2 on IIS 7.5

TLS 1.2 is disabled by default on IIS 7.5. To enable it:

  1. Download and import the ATS registry script.

  2. Restart or log off from your web server to apply the change.

For a guided walkthrough, see Enabling TLS 1.2 on IIS 7.5 for 256-bit cipher strength. Alternatively, use the IIS Crypto visual tool to configure cipher suites and protocols without editing the registry manually.

Accepted cipher suites

ATS requires all accepted cipher suites to support forward secrecy, which prevents recorded traffic from being decrypted if the server's private key is later compromised. All accepted suites use ECDHE key exchange for this reason.

Enable at least one of the following cipher suites on your web server:

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

Configuration examples

The following examples show the ATS-relevant attributes for NGINX and Tomcat. In a production environment, configure all attributes based on your server's requirements — not only the ones shown here.

NGINX

The ssl_ciphers and ssl_protocols directives control which cipher suites and TLS versions are accepted.

server {
    # OpenSSL-style cipher list; ECDHE-RSA-AES128-GCM-SHA256 is one of the ATS-accepted suites
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # TLSv1.2 must be present in this list for ATS
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
}

Tomcat

The ciphers, SSLProtocol, and SSLCipherSuite attributes in the <Connector> element control the cipher suites and protocols.

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
    scheme="https" secure="true"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
    SSLProtocol="TLSv1.1+TLSv1.2+TLSv1.3"
    SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4" />

Verify ATS compliance

After configuring your server, run the following command on macOS to check whether your endpoint passes ATS validation:

nscurl --ats-diagnostics --verbose <URL>
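nscurl runs only on macOS. As an added, cross-platform companion (example code written for this page, not part of it and not an Alibaba Cloud or Apple tool), the script below performs the handshake with Python's standard ssl module, translates the OpenSSL cipher name it reports into the IANA form used in the list above, and applies the page's protocol, cipher, key-length and hash rules. The 256-bit minimum for EC keys, and the sample certificate values in the main block, are assumptions that the page does not state.

```python
"""ATS policy check for one negotiated TLS session (added example, not from the page)."""
import socket
import ssl

# The eleven ECDHE suites listed on this page, in IANA naming.
ATS_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
}

def openssl_to_iana(name):
    """Map an OpenSSL ECDHE cipher name (used by nginx, Tomcat's SSLCipherSuite and
    Python's ssl) to its IANA name, e.g. ECDHE-RSA-AES128-SHA -> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA."""
    if name.startswith("TLS_"):          # already IANA form (TLS 1.3 suites are reported this way)
        return name
    parts, words = name.split("-"), []
    for p in parts:
        if p.startswith("AES") and p[3:].isdigit():
            words += ["AES", p[3:]]
            if "GCM" not in parts:       # OpenSSL names omit the CBC mode marker
                words.append("CBC")
        else:
            words.append(p)
    return "TLS_" + "_".join(words[:2] + ["WITH"] + words[2:])

def ats_check(protocol, cipher, key_type, key_bits, sig_hash):
    """Return the list of ATS findings for one session; an empty list means it passes."""
    findings = []
    if protocol not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"protocol {protocol}: TLS 1.2 must be negotiated")
    if openssl_to_iana(cipher) not in ATS_SUITES:
        findings.append(f"cipher {cipher}: not in the ECDHE list on this page; confirm with nscurl")
    minimum = {"RSA": 2048, "EC": 256}.get(key_type, 2048)   # EC minimum is an assumption
    if key_bits < minimum:
        findings.append(f"{key_type} key of {key_bits} bits: minimum is {minimum}")
    if sig_hash.lower() not in ("sha256", "sha384", "sha512"):
        findings.append(f"signature hash {sig_hash}: SHA-256 or stronger is required")
    return findings

def probe(host, port=443):
    """Handshake with host and return (protocol, cipher) as ssl reports them; key size and
    signature hash still have to be read from the certificate (e.g. openssl x509 -text)."""
    with socket.create_connection((host, port), timeout=10) as sock:
        with ssl.create_default_context().wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]

if __name__ == "__main__":
    import sys
    proto, suite = probe(sys.argv[1])
    # Constructed certificate values; substitute the real key type, size and hash.
    print(proto, suite, ats_check(proto, suite, "RSA", 2048, "sha256") or "ATS checks pass")
```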