Maximum SSL certificate duration

ssl ssl-certificate openssl firefox

Using openSSL, it looks like the maximum -days I can use is 11499 based on the conversation here. However, if I want to sign it by a certification authority, how long will be the maximum certification duration?


Solution 1:

As of September 1, 2020, 12 months. This was a change agreed upon by the major certificate authorities and aligns with the wishes of the browser manufacturers (Apple, Mozilla, Chrome, etc.) You can still issue self-signed certificates via OpenSSL with whatever duration you wish, but you may run into trouble with browsers accepting them.

I believe the intent behind this policy change was to force people to pay more attention to their certificates. For example (just making up durations here), if I just purchased a 3 year certificate yesterday and installed it, and a security change (such as a weak encryption algorithm) is discovered today, I would not technically HAVE to replace the certificate until 3 years from now. With the new shorter durations, I will have to replace it within 1 year.

Related

Trying to receive emails AND store them into an S3 bucket
How do I forward a www subdomain through DDNS and use the domain's certificate? - Ubuntu Nginx Let's Encrypt DDNS
Any ideas how could I've been ransomware hacked?
Is there any specific command to check all running processes inside a specific VM on ESXi?
Looking for a CLI application that allows me to connect to server over SSH quickly
rsyslog is putting log entries into an included file
How much does FreeBSD differ from Linux?
ipmitool and freeipmi don't see the same sensors
POST of large file is timing out, when running through ARR
Getting tlsv1 alert unknown ca:../ssl/record/rec_layer_s3.c:1528:SSL alert number 48 even though verification seems to be ok
Windows batch file to start and stop service for different users
Is an email alias technically the same as a forwarding internally?