Maximum SSL certificate duration
Using OpenSSL, it looks like the maximum -days I can use is 11499 based on the conversation here. However, if I want to sign it by a certification authority, how long will the maximum certification duration be?
Solution 1:
As of September 1, 2020, 12 months. This was a change agreed upon by the major certificate authorities and aligns with the wishes of the browser manufacturers (Apple, Mozilla, Chrome, etc.). You can still issue self-signed certificates via OpenSSL with whatever duration you wish, but you may run into trouble with browsers accepting them.
I believe the intent behind this policy change was to force people to pay more attention to their certificates. For example (just making up durations here), if I just purchased a 3-year certificate yesterday and installed it, and a security change (such as a weak encryption algorithm) is discovered today, I would not technically HAVE to replace the certificate until 3 years from now. With the new shorter durations, I will have to replace it within 1 year.
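A way to check a certificate's validity period against the limit described in this answer, as an added example that is not part of the original answer: it parses the `notBefore=`/`notAfter=` lines printed by `openssl x509 -noout -dates`. The 398-day constant is an assumption (the day-count form of the 12-month limit), the function names are hypothetical, and the sample dates are constructed.

```python
from datetime import datetime, timezone

# Assumption: 398 days is the day-count form of the "12 months" limit.
MAX_DAYS = 398
# The limit applies to certificates issued on or after this date.
POLICY_START = datetime(2020, 9, 1, tzinfo=timezone.utc)
# Date layout used by `openssl x509 -noout -dates`, e.g. "Sep  1 00:00:00 2020 GMT".
_FMT = "%b %d %H:%M:%S %Y GMT"


def parse_dates(text):
    """Return (not_before, not_after) as UTC datetimes from openssl -dates output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            parsed = datetime.strptime(value.strip(), _FMT)
            fields[key] = parsed.replace(tzinfo=timezone.utc)
    if len(fields) != 2:
        raise ValueError("expected both notBefore= and notAfter= lines")
    if fields["notAfter"] <= fields["notBefore"]:
        raise ValueError("notAfter is not later than notBefore")
    return fields["notBefore"], fields["notAfter"]


def check_validity(text, max_days=MAX_DAYS):
    """Report the validity period in days and whether it exceeds the limit."""
    not_before, not_after = parse_dates(text)
    days = (not_after - not_before).total_seconds() / 86400
    in_scope = not_before >= POLICY_START  # older certificates predate the rule
    return {"days": round(days, 2), "in_scope": in_scope,
            "too_long": in_scope and days > max_days}


# Constructed sample outputs (not taken from real certificates).
THREE_YEAR = "notBefore=Oct  5 12:00:00 2020 GMT\nnotAfter=Oct  5 12:00:00 2023 GMT\n"
ONE_YEAR = "notBefore=Sep 15 00:00:00 2020 GMT\nnotAfter=Sep 15 00:00:00 2021 GMT\n"
LEGACY = "notBefore=Aug  1 00:00:00 2020 GMT\nnotAfter=Aug  1 00:00:00 2022 GMT\n"

if __name__ == "__main__":
    for name, sample in (("3-year", THREE_YEAR), ("1-year", ONE_YEAR), ("legacy", LEGACY)):
        print(name, check_validity(sample))
```
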