Bug #11463

closed

Requirements for trusted certificates

Added by DRago_Angel [InV@DER] almost 4 years ago. Updated almost 4 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Category:
Certificates
Target version:
-
Start date:
02/19/2021
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture:

Description

1. Based on https://redmine.pfsense.org/issues/9825, the validity time must be set to 825 days for new SSL certs, but on 2.4.5_p3 and on 2.5 (including pfSense+ 21.02) it is still 3650.
2. From 1 September 2020, SSL/TLS certificates cannot be issued for longer than 13 months (397 days), or Microsoft, Apple, Mozilla and Google will not trust them. Proof: https://www.globalsign.com/en/blog/maximum-ssltls-certificate-validity-now-one-year

Actions #1

Updated by DRago_Angel [InV@DER] almost 4 years ago

Oh, the text says it correctly: "Server certificates should not have a lifetime over 398 days or some platforms may consider the certificate invalid", but the default value is still 3650.

Actions #2

Updated by Jim Pingle almost 4 years ago

  • Status changed from New to Rejected

From the notes and commits on #9825 you can already see we lowered things to 398 days later in the issue; it did not stay at 825.

The default is fine since the default is user certificates, not server certificates. The text on the field turns yellow to warn the user that it's insecure once the page is switched to "server certificate"; we don't need to override the user input in the field when that changes, since the user may have some other use case which isn't bound by those limits.

Actions #3

Updated by DRago_Angel [InV@DER] almost 4 years ago

The issue is that most people will not even see that it changes color to yellow, as the cert type change is much lower than the validity period. Still, I think putting 398 days by default will be better, and people will simply extend it by 0 if needed.
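
As an added example (not pfSense code, and not from anyone in this thread), here is a small check a defender can run over the two lines printed by `openssl x509 -noout -dates` to flag server certificates whose lifetime exceeds the 398-day limit discussed above, while leaving user certificates alone as Jim describes. The input format is assumed to be that openssl output; the two sample outputs below are constructed to match the issue's dates (3650-day default versus 398 days), not taken from real certificates.

```python
"""Flag certificates whose validity period exceeds the 398-day limit that
browser and OS trust stores apply to server (TLS) certificates.

Added example for this issue thread; not pfSense code. It reads the two
lines printed by `openssl x509 -noout -dates` (assumed input format); the
sample outputs below are constructed, not dumped from real certificates.
"""
from datetime import datetime, timezone

MAX_SERVER_LIFETIME_DAYS = 398   # limit quoted in the issue for server certificates
LEGACY_DEFAULT_DAYS = 3650       # default the reporter observed in the GUI


def parse_openssl_date(line):
    """Parse one 'notBefore=...' / 'notAfter=...' line into an aware UTC datetime."""
    _, _, value = line.partition("=")
    # openssl prints dates as e.g. 'Feb 19 12:00:00 2021 GMT' (two spaces for day < 10)
    return datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def lifetime_from_dates(dates_output):
    """Return (not_before, not_after) from the text of `openssl x509 -noout -dates`."""
    fields = {}
    for raw in dates_output.strip().splitlines():
        key, _, _ = raw.partition("=")
        fields[key.strip()] = parse_openssl_date(raw)
    return fields["notBefore"], fields["notAfter"]


def check_certificate(dates_output, cert_type):
    """Return a verdict dict; cert_type is 'server' or 'user' (the two GUI types).

    Only server certificates are held to the 398-day limit, mirroring the
    distinction made in the thread; user certificates pass regardless of length.
    """
    not_before, not_after = lifetime_from_dates(dates_output)
    days = (not_after - not_before).days
    over_limit = cert_type == "server" and days > MAX_SERVER_LIFETIME_DAYS
    if over_limit:
        reason = (f"server certificate lifetime {days}d exceeds {MAX_SERVER_LIFETIME_DAYS}d; "
                  "browser/OS trust stores may treat it as invalid")
    else:
        reason = "ok"
    return {"days": days, "over_limit": over_limit, "reason": reason}


# Constructed sample: a cert issued 2021-02-19 with the 3650-day default
# (10 years minus the two leap days of 2024 and 2028 lands on 2031-02-17).
LEGACY_DEFAULT_OUTPUT = """\
notBefore=Feb 19 12:00:00 2021 GMT
notAfter=Feb 17 12:00:00 2031 GMT
"""

# Constructed sample: same issue date with a 398-day lifetime (365 + 33 days).
COMPLIANT_OUTPUT = """\
notBefore=Feb 19 12:00:00 2021 GMT
notAfter=Mar 24 12:00:00 2022 GMT
"""


if __name__ == "__main__":
    for label, out in (("3650-day default", LEGACY_DEFAULT_OUTPUT), ("398-day cert", COMPLIANT_OUTPUT)):
        for ctype in ("server", "user"):
            v = check_certificate(out, ctype)
            print(f"{label:16s} as {ctype:6s}: {v['days']} days, over_limit={v['over_limit']} ({v['reason']})")
```

Run it against a real certificate with `openssl x509 -in cert.pem -noout -dates | python3 check.py`-style plumbing of your own; the point is that a 3650-day lifetime is only a problem when the certificate is going to be presented as a TLS server certificate, which is exactly the case where the GUI's yellow warning applies.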
