Starting in macOS 10.14.2 publicly-trusted Transport Layer Security (TLS) server authentication certificates issued after October 15, 2018 must meet Apple's Certificate Transparency (CT) policy to be evaluated as trusted. Please see Knowledge Base article HT205280 for details on Apple's Certificate Transparency policy.
10.14.2 will likely be out mid-December and presumedly the same changes will show up in Security updates for 10.12 and 10.13.
What is Certificate Transparency?
- Short answer: It’s a way to make sure incorrectly issued certificates are not used.
- Long answer: http://www.certificate-transparency.org/what-is-ct
It also shouldn’t matter for internal-only certificates. See, How will Certificate Transparency affect existing Active Directory Certificate Services environments?
That said, until Apple turns on these controls we can’t say for sure how it will impact users, so it’s something to consider when the end of the year rolls around if users report they are getting warnings when trying to access certain sites.
You can tell if a site’s SSL cert has certificate transparency enabled by looking for the Object Identifier “220.127.116.11.4.1.1118.104.22.168” or “Embedded Signed Certificate Timestamp List”
What it looks like in Safari: