{"id":137,"date":"2021-08-27T21:07:06","date_gmt":"2021-08-27T19:07:06","guid":{"rendered":"https:\/\/admin-log.net\/?p=137"},"modified":"2021-08-28T13:56:52","modified_gmt":"2021-08-28T11:56:52","slug":"maximum-allowed-https-certificate-validity","status":"publish","type":"post","link":"https:\/\/admin-log.net\/index.php\/2021\/08\/27\/maximum-allowed-https-certificate-validity\/","title":{"rendered":"Maximum Allowed HTTPS Certificate Validity"},"content":{"rendered":"\n<p>When creating self-signed certificates I ran into the issue that especially Safari did not accept the certificate with a rather unspecific &#8220;Certificate not standards compliant&#8221; message. It turns out, the maximum allowed validity was reduced over time by the different web browser vendors. Shortest times are apparently used by Apple&#8217;s Safari.<\/p>\n\n\n\n<p>Current (mid 2021) limits are the following:<\/p>\n\n\n\n<p>For any certificate that is signed by an <strong>certification authority<\/strong>, for which the root certificate is supplied with the operating system, the maximum allowed validity is <strong>398 days<\/strong> (for all certificates created after Sept. 1, 2020).<\/p>\n\n\n\n<p>For <strong>self-signed certificates<\/strong>, i.e. if you create your own CA certificate and assign the trust yourself (or your organization), the maximum allowed validity is <strong>825 days<\/strong>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Background<\/h2>\n\n\n\n<p>Certification authorities need to provide a way to revoke certificates before the end of their validity, e.g. when a certificate was issued by mistake or if the private key was exposed to the public. Often these revocations are still handled by revocation lists (although mechanism like OCSP\/OCSP stapling provide more elegant solutions). <\/p>\n\n\n\n<p>If those lists become long, it may require a long time to download the referred to list, which becomes a problem for the user experience, because the requested web page cannot be displayed before the certificate validity is checked.<\/p>\n\n\n\n<p>This can especially become a problem, when mass revocations become necessary. Such mass revocations occurred in the past, e.g. when a frequently used library <a href=\"https:\/\/heartbleed.com\/\">potentially exposed the private key<\/a> or when a commonly used random number generator <a href=\"https:\/\/www.schneier.com\/blog\/archives\/2008\/05\/random_number_b.html\">did not produce sufficient randomness, which allowed guessing<\/a> private keys.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">References<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/support.apple.com\/en-us\/HT211025\" data-type=\"URL\" data-id=\"https:\/\/support.apple.com\/en-us\/HT211025\">Apple announcement for validity of 398 days<\/a><\/li><li><a href=\"https:\/\/support.apple.com\/en-us\/HT210176\">Apple announcement for 825 days for all certificates<\/a><\/li><li><a href=\"https:\/\/wptavern.com\/apple-to-enforce-1-year-limit-on-ssl-tls-certificate-lifetimes-on-september-1-2020-mozilla-and-google-to-follow-suit\">WP Tavern article about one year validity in Safari and other browsers<\/a><\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>When creating self-signed certificates I ran into the issue that especially Safari did not accept the certificate with a rather unspecific &#8220;Certificate not standards compliant&#8221; message. It turns out, the maximum allowed validity was reduced over time by the different web browser vendors. Shortest times are apparently used by Apple&#8217;s Safari. Current (mid 2021) limits &hellip; <a href=\"https:\/\/admin-log.net\/index.php\/2021\/08\/27\/maximum-allowed-https-certificate-validity\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Maximum Allowed HTTPS Certificate Validity<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[31],"tags":[29,28,27,32],"class_list":["post-137","post","type-post","status-publish","format-standard","hentry","category-web","tag-certificate","tag-https","tag-safari","tag-valid"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p7sn5M-2d","jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/admin-log.net\/index.php\/wp-json\/wp\/v2\/posts\/137","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/admin-log.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/admin-log.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/admin-log.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/admin-log.net\/index.php\/wp-json\/wp\/v2\/comments?post=137"}],"version-history":[{"count":3,"href":"https:\/\/admin-log.net\/index.php\/wp-json\/wp\/v2\/posts\/137\/revisions"}],"predecessor-version":[{"id":141,"href":"https:\/\/admin-log.net\/index.php\/wp-json\/wp\/v2\/posts\/137\/revisions\/141"}],"wp:attachment":[{"href":"https:\/\/admin-log.net\/index.php\/wp-json\/wp\/v2\/media?parent=137"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/admin-log.net\/index.php\/wp-json\/wp\/v2\/categories?post=137"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/admin-log.net\/index.php\/wp-json\/wp\/v2\/tags?post=137"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}