
Maximum Allowed HTTPS Certificate Validity

When creating self-signed certificates I ran into the issue that Safari in particular did not accept the certificate, showing only the rather unspecific message “Certificate not standards compliant”. It turns out that the maximum allowed validity has been reduced over time by the different web browser vendors; the shortest limits are apparently enforced by Apple’s Safari.

Current (mid 2021) limits are the following:

For any certificate signed by a certification authority whose root certificate ships with the operating system (i.e. a publicly trusted CA), the maximum allowed validity is 398 days. This applies to all certificates issued on or after September 1, 2020.

For certificates that chain to a root you install and trust yourself (or your organization does), i.e. your own CA or a genuinely self-signed certificate, the maximum allowed validity is 825 days. This is the limit Apple has enforced since iOS 13 and macOS 10.15; the same requirements also demand a subjectAltName extension and the serverAuth extended key usage, so an overly long validity is not the only cause of the “not standards compliant” message.

Background

Certification authorities need a way to revoke certificates before the end of their validity period, e.g. when a certificate was issued by mistake or its private key has been exposed. Revocation is often still handled through certificate revocation lists (CRLs), although mechanisms such as OCSP and OCSP stapling provide more elegant solutions.

If those lists grow long, downloading the referenced list takes a long time, which hurts the user experience because the requested web page cannot be displayed before the certificate's revocation status has been checked.

This becomes a particular problem when mass revocations are necessary. Such mass revocations have occurred in the past, e.g. when a widely used TLS library could leak server private keys (the Heartbleed bug in OpenSSL, 2014) or when a commonly used random number generator produced too little randomness, making private keys guessable (the Debian OpenSSL bug, 2008). Shorter validity periods limit how long a compromised certificate remains usable and keep CRLs short, because an entry can be dropped from the list once the certificate has expired anyway.

References