On Wed, 24 Feb 2021, Alan Latteri via FreeIPA-users wrote:
> Now that Mozilla and other browsers will not Trust a certificate with a
> validity length longer than a year, FreeIPA should change the default
> length to match. Currently IPA issues 2 year certificates, which make
> all the browsers view them as Un-Trusted.
Do you have proof that this is really happening for the cases where a
browser trusts IPA CA manually? IPA CAs are not part of the preinstalled
Root CAs bundle anywhere so one has to add them manually.
According to Apple it only affects server certificates issued by
commercial CAs trusted by the browsers as part of their 'Root CA'
bundles,
https://support.apple.com/en-us/HT211025:
----------------
This change will affect only TLS server certificates issued from the
Root CAs preinstalled with iOS, iPadOS, macOS, watchOS, and tvOS.
Additionally, this change will affect only TLS server certificates
issued on or after September 1, 2020; any certificates issued prior to
that date will not be affected by this change.
----------------
Mozilla root certificate program says the same, it only applies to
certificates issued by those CAs who are part of their root CAs program:
https://www.mozilla.org/en-US/about/governance/policies/security-group/ce...
----------------
CAs whose certificates are included in Mozilla's root program MUST:
...
5. verify that all of the information that is included in SSL
certificates remains current and correct at time intervals of 825 days
or less;
----------------
Chrome/Chromium root CA program explicitly states these requirements
don't apply to custom/enterprise CAs:
https://www.chromium.org/Home/chromium-security/root-ca-policy
----------------
If you’re an enterprise managing trusted CAs for your organization,
including locally installed enterprise CAs, the policies described in
this document do not apply to your CA. No changes are currently planned
for how enterprise administrators manage those CAs within Chrome. CAs
that have been installed by the device owner or administrator into the
operating system trust store are expected to continue to work as they do
today.
...
The sections below describe the Chrome Root Program, and policies and
requirements for CAs to have their certificates included in a default
installation of Chrome, as part of the transition to the Chrome Root
Store.
----------------
The only place that explicitly states 397 days validity period should be
used is CA Browser Forum BR 1.7.3 which added the following change on
2020-09-01:
https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.7.3.pdf
------------------------
6.3.2 Certificate operational periods and key pair usage periods
Subscriber Certificates issued on or after 1 September 2020 SHOULD NOT
have a Validity Period greater than 397 days and MUST NOT have a
Validity Period greater than 398 days. Subscriber Certificates issued
after 1 March 2018, but prior to 1 September 2020, MUST NOT have a
Validity Period greater than 825 days. Subscriber Certificates issued
after 1 July 2016 but prior to 1 March 2018 MUST NOT have a Validity
Period greater than 39 months.
For the purpose of calculations, a day is measured as 86,400 seconds.
Any amount of time greater than this, including fractional seconds
and/or leap seconds, shall represent an additional day. For this reason,
Subscriber Certificates SHOULD NOT be issued for the maximum permissible
time by default, in order to account for such adjustments.
------------------------
However, CA Browser Forum BR is not mandatory for those CAs that aren't
included in Root CA programs:
-----------------------
This document describes an integrated set of technologies, protocols,
identity-proofing, lifecycle management, and auditing requirements that
are necessary (but not sufficient) for the issuance and management of
Publicly-Trusted Certificates; Certificates that are trusted by virtue
of the fact that their corresponding Root Certificate is distributed in
widely-available application software. The requirements are not mandatory
for Certification Authorities unless and until they become adopted and
enforced by relying-party Application Software Suppliers.
-----------------------
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
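As an added illustration (not part of the thread or of FreeIPA), the following Python applies the BR 6.3.2 rule quoted above, with the 86,400-second day count and the ceiling in force on the issuance date, so an administrator can see how a given notBefore/notAfter pair would fare if the BR did apply to their CA. The constructed input is a two-year certificate issued on the date of this message; the `_add_months` helper and the dictionary keys are this example's own.

```python
"""Validity check against CA/Browser Forum BR 6.3.2 (the text quoted in the
message). Example code, not part of FreeIPA or Dogtag."""
import calendar
import math
from datetime import datetime, timezone

UTC = timezone.utc
# Effective dates of the successive BR validity ceilings (BR 1.7.3, 6.3.2).
BR_2016 = datetime(2016, 7, 1, tzinfo=UTC)   # 39 months
BR_2018 = datetime(2018, 3, 1, tzinfo=UTC)   # 825 days
BR_2020 = datetime(2020, 9, 1, tzinfo=UTC)   # 398 days MUST NOT, 397 SHOULD NOT


def br_validity_days(not_before: datetime, not_after: datetime) -> int:
    """BR day count: 86,400 s per day, with any excess (fractional or leap
    seconds) counting as one additional day."""
    return math.ceil((not_after - not_before).total_seconds() / 86400)


def _add_months(dt: datetime, months: int) -> datetime:
    """Add calendar months, clamping the day to the target month's length."""
    idx = dt.month - 1 + months
    year, month = dt.year + idx // 12, idx % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def check_validity(not_before: datetime, not_after: datetime) -> dict:
    """Apply the ceiling in force on the issuance date (notBefore) and report
    the computed validity and whether it breaches the SHOULD NOT / MUST NOT
    limits. Certificates issued before 1 July 2016 are not covered here."""
    days = br_validity_days(not_before, not_after)
    if not_before >= BR_2020:
        must_not, should_not = 398, 397
    elif not_before >= BR_2018:
        must_not = should_not = 825
    elif not_before >= BR_2016:
        # The 39-month ceiling is expressed in months, so convert it to the
        # BR day count for this particular notBefore.
        must_not = should_not = br_validity_days(not_before, _add_months(not_before, 39))
    else:
        raise ValueError("issued before the BR rules quoted here took effect")
    return {"days": days, "must_not_days": must_not, "should_not_days": should_not,
            "violates_must": days > must_not, "violates_should": days > should_not}


if __name__ == "__main__":
    # Constructed example: a certificate with FreeIPA's two-year default,
    # issued on the date of this thread.
    issued = datetime(2021, 2, 24, tzinfo=UTC)
    print(check_validity(issued, issued.replace(year=2023)))
```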