{"id":1459,"date":"2021-05-26T18:37:10","date_gmt":"2021-05-26T16:37:10","guid":{"rendered":"https:\/\/macadmin.cz\/?p=1459"},"modified":"2021-05-26T18:37:11","modified_gmt":"2021-05-26T16:37:11","slug":"allowed-lifetime-of-certificates-issued-by-internal-ca","status":"publish","type":"post","link":"https:\/\/macadmin.cz\/?p=1459&lang=en","title":{"rendered":"Allowed lifetime of certificates issued by internal CA"},"content":{"rendered":"\n

Last year Apple forced the industry to only accept TLS certificates with validity up to maximum of 398 days. This is documented in HT211025<\/a> article. However there is a note explicitly excluding the certificate issued by an internal CA:<\/p>\n\n\n\n

This change will not affect certificates issued from user-added or administrator-added Root CAs.<\/p><\/blockquote>\n\n\n\n

Because of this I assumed I could get away with 3 year validity for a certificate issues by our new internal CA. Turns out I was wrong. <\/p>\n\n\n\n

Safari 14.1.1 refuses to connect to a site with freshly issued 3-year TLS certificate. So does Chrome 91 but it is more informative about it and presents an error message: NET::ERR_CERT_VALIDITY_TOO_LONG<\/code>.

Previous change of TLS certificate requirements from 2019 described in article HT210176<\/a> article limits the certificate validity to 825 days. There aren’t any exception listed in this articles. Would Safari and Chrome trust certificate with 2-year validity?

Yes. Both Safari (14.1.1) and Chrome (91) in macOS 11.4 accept the 2-year certificate signed by internal CA as secure.<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"

Last year Apple forced the industry to only accept TLS certificates with validity up to maximum of 398 days. This is documented in HT211025 article. However there is a note explicitly excluding the certificate issued by an internal CA: This change will not affect certificates issued from user-added or administrator-added Root CAs. Because of this … <\/p>\n

Continue reading “Allowed lifetime of certificates issued by internal CA”<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1459","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/macadmin.cz\/index.php?rest_route=\/wp\/v2\/posts\/1459","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/macadmin.cz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/macadmin.cz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/macadmin.cz\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/macadmin.cz\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1459"}],"version-history":[{"count":3,"href":"https:\/\/macadmin.cz\/index.php?rest_route=\/wp\/v2\/posts\/1459\/revisions"}],"predecessor-version":[{"id":1463,"href":"https:\/\/macadmin.cz\/index.php?rest_route=\/wp\/v2\/posts\/1459\/revisions\/1463"}],"wp:attachment":[{"href":"https:\/\/macadmin.cz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1459"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/macadmin.cz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1459"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/macadmin.cz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1459"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}