Apple's status page is showing no problems (all green).
This is a really bad look for Apple.
OpenSSL can't validate the cert because it contains a critical extension it doesn't recognize — specifically 1.2.840.113635.100.6.27.3.2, which is an Apple-proprietary OID marked as critical. Per X.509 rules, if a client encounters an unrecognized critical extension, it must reject the cert.
That said, this is likely intentional on Apple's part — browsers and Apple's own TLS stack (SecureTransport/Network.framework) almost certainly know how to handle this extension. It's a private Apple CA (Apple Server Authentication CA) signing an Apple-internal service endpoint, so it's designed to work within Apple's ecosystem rather than with generic OpenSSL.
In practice:
- Works fine in Apple clients (Safari, curl on macOS using the system TLS stack, iOS apps)
- Fails with raw OpenSSL or other non-Apple TLS implementations
- Not a misconfiguration — it's Apple intentionally using a proprietary critical extension on their private PKIThe intermittent 502s on the other hand are an issue.
Are you serious Apple?
Issued On Wednesday, January 21, 2026 at 9:47:41 AM
Expires On Wednesday, February 17, 2027 at 10:28:16 AM
This is worse than Github being down and Apple Developers who pay 99$ a year for the privilege of writing software on this ecosystem aren't event getting a status page update: https://developer.apple.com/system-status/
I'm looking for a job shoveling pig shit as we speak.
What genuinely pisses me off is that this isn't noted on their status page, nor is it indicated at all when you, I dunno, revoke and generate certs repeatedly trying to solve a problem you didn't fucking cause.
[edit] And FreeUSATax portal. Solar cone today?
edit: working now