Apple recently announced that the Safari browser will only accept certificates with a validity of 398 days in the future, provided they were issued from September 1, 2020.
Mozilla and Google want to implement comparable behavior in their browsers. So the question is whether this change will have an impact on internal certificate authorities - i.e. whether in future internal SSL certificates will also have to follow these rules, as is the case, for example, with the enforcement of the RFC 2818 by Google was the case.
Are internal Certification Authorities affected?
Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.
Apple's official documentation contains the following sentence, which clearly states that internal certification authorities are excluded from the audit:
This change will affect only TLS server certificates issued from the root CAs preinstalled with iOS, iPadOS, macOS, watchOS, and tvOS.
About upcoming limits on trusted certificates (APPLE)
There is no written statement from the Chromium project on this, but a look at its source code shows that the exact same logic is used in the CertVerifyProc::HasTooLongValidity function as in the previous reduction to 825 days.
// For certificates issued on-or-after 1 March 2018: 825 days. if (start >= time_2018_03_01 && validity_duration > base::TimeDelta::FromDays(825)) { return true; }
// For certificates issued on-or-after September 1, 2020: 398 days. if (start >= time_2020_09_01 && validity_duration > base::TimeDelta::FromDays(398)) { return true; }
However, tests with Chrome and Edge showed that with internal certificate authorities already the current limit of 825 days does not lead to an error message - in contrast to forcing the RFC 2818, which was introduced in Chromium in 2017.
Unlike Chrome and Edge Apple also restricts certificate validity for web server certificates from internal certificate authorities to a maximum of 825 days if issued after July 01, 2019.
Update
In the meantime, Google published a corresponding articlein which the assumption is confirmed.
This only applies to the set of CAs that are trusted by default by Google Chrome, and not CAs that are operated by an enterprise and that have no certification paths to CAs that are trusted by default.
Why are internal certificates without SAN criticized by Chrome, but internal certificates with a long certificate validity are not?
To do this, let's take a look at the code that verifies the validity of the certificate:
// Flag certificates using too long validity periods. if (verify_result->is_issued_by_known_root && HasTooLongValidity(*cert)) { verify_result->cert_status |= CERT_STATUS_VALIDITY_TOO_LONG; if (rv == OK) rv = MapCertStatusToNetError(verify_result->cert_status); }
Here it is checked whether the certificate comes from a "public" certification authority and whether the certificate validity is within the permitted range.
For comparison, the code which takes care of checking for compliance with RFC 2818:
if (!cert->VerifyNameMatch(hostname)) { verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID; rv = MapCertStatusToNetError(verify_result->cert_status); }
Here the test is missing is_issued_by_known_rootwhich restricts the selection to "public" certification authorities. Thus, the check for RFC 2818 generally applies to all certificates, but the certificate validity check only applies to certificates that were not issued by an internal certification authority.
Is Microsoft Edge affected?
Since many companies use the Microsoft Edge browser, it is very interesting for us to know if it is also affected. Since the Microsoft Edge browser is now based on the Chromium project, just like Google Chrome, it (largely) adopts its behavior. Accordingly, it is affected just like Chrome.
Conclusion: Is there a need for action?
For Internet Explorer Safari, Chrome and Microsoft Edge, when using your own internal certificate authority, there is from a purely technical point of view no need for action, as these are excluded during the certificate check. Thus, SSL certificates valid for longer than 398 days can still be used internally, but not longer than 825 days.
However, it is certainly advisable to review the issuance and decommissioning processes for SSL certificates to determine whether such a long certificate validity is feasible while maintaining the desired level of security.
Related links:
- Allowed Relative Distinguished Names (RDNs) in the Subject of Issued Certificates
- Generating a RFC 2818 compliant certificate request for SSL certificates
- Configuring a Secure Socket Layer (SSL) Certificate Template for Web Server
External sources
- Certificate Lifetimes (Chromium Project)
- Enforce 398-day validity for certificates issued on-or-after 2020-09-01 (Chromium Project)
- About upcoming limits on trusted certificates (Apple)
- Requirements for trusted certificates in iOS 13 and macOS 10.15 (Apple)
- Reducing TLS Certificate Lifespans to 398 Days (Mozilla)
- Limit TLS Certificates to 398 day validity after Aug 31, 2020 (Mozilla)
- chromium/net/cert/cert_verify_proc.cc (Chromium Project)
- Changes to SSL/TLS Certificate Validity Periods - September 2020 (PKI Solutions, Inc.)
2 thoughts on “Chrome und Safari limitieren SSL Zertifikate auf ein Jahr Gültigkeit”
Comments are closed.