Bug #11463
closed
Requirements for trusted certificates
0%
Description
1. Based on https://redmine.pfsense.org/issues/9825 must set validity time to 825 days for new SSL certs, but on 2.4.5_p3 and on 2.5 (including pfsense+ 21.02) it still 3650.
2. From 1 September 2020, SSL/TLS certificates cannot be issued for longer than 13 months (397 days) or Microsoft, Apple, Mozilla and Google will not trust them. Proof: https://www.globalsign.com/en/blog/maximum-ssltls-certificate-validity-now-one-year
Updated by DRago_Angel [InV@DER] about 3 years ago
Oh, text says correctly: Server certificates should not have a lifetime over 398 days or some platforms may consider the certificate invalid, but default value still 3650.
Updated by Jim Pingle about 3 years ago
- Status changed from New to Rejected
From the notes and commits on #9825 you can already see we lowered things to 398 days later in the issue, it did not stay at 825.
The default is fine since the default is user certificates, not server certificates. The text on the field turns yellow to warn the user that it's insecure once the page is switched to "server certificate", we don't need to override the user input in the field when that changes since the user may have some other use case which isn't bound by those limits.
Updated by DRago_Angel [InV@DER] about 3 years ago
The issue that most people will not see even that it changes color to yellow as change cert type much lower then validity period. Still I think put 398 days by default will be better, and people will simply extend it by 0 if needed