Todo #16606
Update recommended maximum server certificate lifetimes to 200 days
Status: open
0%
Description
CA/Browser Forum Baseline Requirements are calling for shorter validity periods to be phased in over the next few years and the next change is to a maximum of 200 days for server certificates issued between March 15, 2026 and March 15, 2027.
After that it changes to 100 days between 2027 and 2029, then 47 days after that. However, at this time we only need to lower the limit from 398 to 200. That said, since the future limits are published, we could add logic to adjust the value automatically.
This should be taken into account and tested in a few places, most of which properly respect the value of max_server_cert_lifetime in source:etc/inc/certs.inc#L1638 :
- The default GUI certificate lifetime
- The warnings in the GUI when the user is creating a new server certificate
- The "strict security" logic in the renewal page
Additionally the current 398 day value is hardcoded in the OpenVPN wizard and must be changed there as well.
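
The date-based adjustment suggested in the description, written out in PHP as an added example; it is not pfSense code. All function and constant names are hypothetical, and the 2027 and 2029 cutoffs are assumed to fall on March 15 like the 2026 one, since the description gives only the years.

```php
<?php
// Added example; every name below is hypothetical, not a pfSense function.

// [first issuance date in UTC, maximum server certificate lifetime in days]
// Assumption: the 2027 and 2029 changes also take effect on March 15.
const EXAMPLE_LIFETIME_SCHEDULE = [
    ['2029-03-15', 47],
    ['2027-03-15', 100],
    ['2026-03-15', 200],
];
const EXAMPLE_LEGACY_LIFETIME = 398; // limit before the first cutoff

// Maximum lifetime for a certificate issued at $issued (default: now).
function example_max_lifetime(?DateTimeInterface $issued = null): int
{
    $utc = new DateTimeZone('UTC');
    $issued = $issued ?? new DateTimeImmutable('now', $utc);
    foreach (EXAMPLE_LIFETIME_SCHEDULE as [$cutoff, $days]) {
        if ($issued >= new DateTimeImmutable($cutoff, $utc)) {
            return $days;
        }
    }
    return EXAMPLE_LEGACY_LIFETIME;
}

// Clamp a requested lifetime (GUI default, wizard value) to today's limit.
function example_clamp_lifetime(int $requested_days): int
{
    return max(1, min($requested_days, example_max_lifetime()));
}

// Check an existing certificate against the limit in force at its notBefore.
// Assumption: notAfter is inclusive and a partial day counts as a full day.
function example_lifetime_ok(int $not_before, int $not_after): bool
{
    $days = (int) ceil(($not_after - $not_before + 1) / 86400);
    $issued = new DateTimeImmutable('@' . $not_before);
    return $days <= example_max_lifetime($issued);
}

// Constructed sample validity periods (UTC), not taken from real certificates.
foreach ([['2026-03-14', 398], ['2026-03-15', 398], ['2026-03-15', 200]] as [$from, $days]) {
    $nb = (new DateTimeImmutable($from, new DateTimeZone('UTC')))->getTimestamp();
    $ok = example_lifetime_ok($nb, $nb + $days * 86400 - 1);
    printf("issued %s, %d days: %s\n", $from, $days, $ok ? 'ok' : 'too long');
}
```

Keying the check on the certificate's own notBefore keeps certificates issued under an earlier limit from being flagged once a later cutoff passes.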