TLS encryption / certificate requirements for Safari

We've had no end of troubles using Safari with internal CAs for internal applications. Every other reasonably-modern browser works fine, but Safari gives us "Safari can't open the page <URI> because Safari can't establish a secure connection to the server <HOST>."

I've not been able to find a list of the specific requirements that Safari has for allowing secure connections, and there doesn't seem to be a way to get a more useful error message out of Safari (does nobody believe in good error reporting anymore?).

Our servers are compatible through TLS 1.3 and support reasonably modern cipher suites. We do use long-lived certificates on internal hosts, but my understanding is that Safari should accept this with private CAs (and some of these hosts have zero support for certificate automation, handling this manually would be an obscene amount of work, and if a threat actor can pull private keys off of them then they already have root and this isn't solving anything).

Is this documented anywhere, and if so could somebody please be kind enough to point me in that direction?
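
Apple publishes the rules it enforces for TLS server certificates in the support article "Requirements for trusted certificates in iOS 13 and macOS 10.15": RSA keys of at least 2048 bits, a SHA-2 signature, hostnames in the subjectAltName extension (the CN is not used for matching), an extendedKeyUsage that includes serverAuth, and, for certificates issued on or after 1 July 2019, a validity period of no more than 825 days. Those rules apply to every server certificate Safari evaluates, private CAs included, and the 825-day cap is the one most often tripped by long-lived internal certificates. The script below is an added check written for this page, not code from the original post: it runs a leaf certificate through each of those requirements with the openssl CLI. It assumes openssl 1.1.1 or newer (for the `-text` layout it parses) and GNU `date`; the hostname in the comments is a made-up example.

```shell
#!/bin/sh
# check_cert: test a PEM TLS server certificate against the requirements Apple
# documents for trusted server certificates (iOS 13 / macOS 10.15 and later).
# Assumes the openssl CLI (1.1.1+) and GNU date. Added example, not the
# original poster's code.  Usage: sh check_cert.sh server.pem
check_cert() {
    cert="$1"
    text=$(openssl x509 -in "$cert" -noout -text) || return 2
    failures=0

    # Validity period: at most 825 days between notBefore and notAfter.
    nb=$(openssl x509 -in "$cert" -noout -startdate | cut -d= -f2)
    na=$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)
    days=$(( ( $(date -u -d "$na" +%s) - $(date -u -d "$nb" +%s) ) / 86400 ))
    if [ "$days" -gt 825 ]; then
        echo "FAIL validity: $days days (limit 825)"
        failures=$((failures + 1))
    fi

    # Key size: RSA keys must be at least 2048 bits. EC keys (e.g. P-256)
    # are not subject to this check, so they pass through.
    if printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption'; then
        bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
        if [ "${bits:-0}" -lt 2048 ]; then
            echo "FAIL key size: RSA ${bits:-?} bits (minimum 2048)"
            failures=$((failures + 1))
        fi
    fi

    # Signature hash: SHA-1 and MD5 signatures are rejected; SHA-2 is required.
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: //p' | head -n 1 | tr 'A-Z' 'a-z')
    case "$sig" in
        *sha1*|*md5*)
            echo "FAIL signature: $sig (SHA-2 required)"
            failures=$((failures + 1)) ;;
    esac

    # Hostnames must be present as DNS or IP entries in subjectAltName.
    if ! printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | grep -q -e 'DNS:' -e 'IP Address:'; then
        echo "FAIL subjectAltName: no DNS or IP entries"
        failures=$((failures + 1))
    fi

    # extendedKeyUsage must include serverAuth (shown by openssl as below).
    if ! printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication'; then
        echo "FAIL extendedKeyUsage: serverAuth missing"
        failures=$((failures + 1))
    fi

    if [ "$failures" -eq 0 ]; then
        echo "OK: $cert meets the documented Safari requirements"
        return 0
    fi
    return 1
}

# When invoked directly with a file argument, check that file.
[ "$#" -eq 0 ] || check_cert "$1"
```

The script checks only the leaf certificate. A certificate that passes every line above can still be rejected if the issuing CA is not installed and trusted for SSL on the Mac, or if the server does not send the intermediate that chains the leaf to that CA, so check those separately.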
