On Wed, 24 Feb 2021, Alan Latteri via FreeIPA-users wrote:
> Now that Mozilla and other browsers will not trust a certificate with a validity length longer than a year, FreeIPA should change the default length to match. Currently IPA issues 2-year certificates, which makes all the browsers view them as untrusted.
Do you have proof that this is really happening for the cases where a browser trusts the IPA CA manually? IPA CAs are not part of the preinstalled Root CA bundle anywhere, so one has to add them manually.

According to Apple it only affects server certificates issued by commercial CAs trusted by the browsers as part of their 'Root CA' bundles, https://support.apple.com/en-us/HT211025:

----------------
This change will affect only TLS server certificates issued from the Root CAs preinstalled with iOS, iPadOS, macOS, watchOS, and tvOS. Additionally, this change will affect only TLS server certificates issued on or after September 1, 2020; any certificates issued prior to that date will not be affected by this change.
----------------

Mozilla's root certificate program says the same: it only applies to certificates issued by those CAs who are part of their root CA program: https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#21-ca-operations

----------------
CAs whose certificates are included in Mozilla's root program MUST:
...
5. verify that all of the information that is included in SSL certificates remains current and correct at time intervals of 825 days or less;
----------------

The Chrome/Chromium root CA program explicitly states these requirements don't apply to custom/enterprise CAs: https://www.chromium.org/Home/chromium-security/root-ca-policy

----------------
If you're an enterprise managing trusted CAs for your organization, including locally installed enterprise CAs, the policies described in this document do not apply to your CA. No changes are currently planned for how enterprise administrators manage those CAs within Chrome. CAs that have been installed by the device owner or administrator into the operating system trust store are expected to continue to work as they do today.
...
The sections below describe the Chrome Root Program, and policies and requirements for CAs to have their certificates included in a default installation of Chrome, as part of the transition to the Chrome Root Store.
----------------

The only place that explicitly states a 397-day validity period should be used is CA/Browser Forum BR 1.7.3, which added the following change on 2020-09-01: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.7.3.pdf

------------------------
6.3.2 Certificate operational periods and key pair usage periods

Subscriber Certificates issued on or after 1 September 2020 SHOULD NOT have a Validity Period greater than 397 days and MUST NOT have a Validity Period greater than 398 days.

Subscriber Certificates issued after 1 March 2018, but prior to 1 September 2020, MUST NOT have a Validity Period greater than 825 days.

Subscriber Certificates issued after 1 July 2016 but prior to 1 March 2018 MUST NOT have a Validity Period greater than 39 months.

For the purpose of calculations, a day is measured as 86,400 seconds. Any amount of time greater than this, including fractional seconds and/or leap seconds, shall represent an additional day. For this reason, Subscriber Certificates SHOULD NOT be issued for the maximum permissible time by default, in order to account for such adjustments.
------------------------

However, the CA/Browser Forum BR is not mandatory for those CAs that aren't included in Root CA programs:

-----------------------
This document describes an integrated set of technologies, protocols, identity-proofing, lifecycle management, and auditing requirements that are necessary (but not sufficient) for the issuance and management of Publicly-Trusted Certificates; Certificates that are trusted by virtue of the fact that their corresponding Root Certificate is distributed in widely-available application software.
The requirements are not mandatory for Certification Authorities unless and until they become adopted and enforced by relying-party Application Software Suppliers.
-----------------------

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
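As an added illustration of the BR 6.3.2 figures quoted in the message above (this is the editor's example, not FreeIPA or Dogtag code), the following Python measures a certificate's Validity Period the way the BR does and reports which limit applied on its issuance date. It assumes the BR's definition of Validity Period as notBefore through notAfter inclusive (taken from the BR definitions section, which the message does not quote, so one second is added to the difference), treats the boundary days of the quoted date ranges as belonging to the newer rule, and reads its input in the format printed by `openssl x509 -noout -dates`. The sample dates are constructed and modelled on IPA's 2-year default; they are not from a real certificate. The `publicly_trusted` flag mirrors the thread's point that the BR only binds CAs that are in a browser root program.

```python
"""Measure a TLS server certificate's Validity Period as CA/Browser Forum
BR 6.3.2 measures it and compare it with the limit in force on the
issuance date.  Added example for this thread; not FreeIPA/Dogtag code."""
import math
import re
from datetime import date, datetime, timezone

SECONDS_PER_DAY = 86_400  # BR 6.3.2: a day is 86,400 seconds

# BR 6.3.2 day limits keyed by the first issuance date they apply to, as
# (SHOULD NOT exceed, MUST NOT exceed).  The BR says "after 1 March 2018";
# treating the boundary day as part of the newer rule is this example's
# assumption, not something the BR text settles.
_BR_LIMITS = [
    (date(2020, 9, 1), (397, 398)),
    (date(2018, 3, 1), (825, 825)),
]


def br_limit_days(issued: date):
    """Return the (SHOULD NOT, MUST NOT) limits in days for a certificate
    issued on `issued`, or None before 2018-03-01, where the BR states the
    cap as 39 months rather than in days."""
    for start, limits in _BR_LIMITS:
        if issued >= start:
            return limits
    return None


def validity_days(not_before: datetime, not_after: datetime) -> int:
    """Validity Period in BR days.  The BR definition counts notBefore
    through notAfter inclusive (assumption stated in the lead-in), hence
    the extra second; the result is rounded up so that any fraction of a
    day, including a leap second, counts as an additional day."""
    seconds = (not_after - not_before).total_seconds() + 1
    return math.ceil(seconds / SECONDS_PER_DAY)


def assess(not_before: datetime, not_after: datetime, publicly_trusted: bool = True) -> dict:
    """Classify a certificate against BR 6.3.2.  A CA outside the browser
    root programs is reported as not subject to the BR at all."""
    days = validity_days(not_before, not_after)
    limits = br_limit_days(not_before.date())
    if not publicly_trusted:
        verdict = "not subject to BR (CA not in a browser root program)"
    elif limits is None:
        verdict = "39-month era; compare against months, not days"
    elif days > limits[1]:
        verdict = f"exceeds MUST NOT limit of {limits[1]} days"
    elif days > limits[0]:
        verdict = f"exceeds SHOULD NOT limit of {limits[0]} days"
    else:
        verdict = "within limits"
    return {"days": days, "limits": limits, "verdict": verdict}


_OPENSSL_DATE = re.compile(r"^(notBefore|notAfter)=(.+)$", re.M)


def parse_openssl_dates(text: str):
    """Parse the two lines printed by `openssl x509 -noout -dates`, e.g.
    'notBefore=Sep  1 00:00:00 2020 GMT', into aware UTC datetimes."""
    found = {}
    for key, value in _OPENSSL_DATE.findall(text):
        parsed = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")
        found[key] = parsed.replace(tzinfo=timezone.utc)
    if "notBefore" not in found or "notAfter" not in found:
        raise ValueError("expected both notBefore= and notAfter= lines")
    return found["notBefore"], found["notAfter"]


# Constructed sample modelled on an IPA default 2-year server certificate
# issued the day of this thread; not output from a real certificate.
SAMPLE_OPENSSL_DATES = """\
notBefore=Feb 24 10:00:00 2021 GMT
notAfter=Feb 24 10:00:00 2023 GMT
"""

if __name__ == "__main__":
    nb, na = parse_openssl_dates(SAMPLE_OPENSSL_DATES)
    for trusted in (True, False):
        print(f"publicly_trusted={trusted}: {assess(nb, na, publicly_trusted=trusted)}")
```

To check a real IPA-issued certificate, feed the output of `openssl x509 -in cert.pem -noout -dates` to `parse_openssl_dates`; the 2-year sample comes out at 731 BR days, well past the 398-day MUST NOT line, while a certificate spanning exactly 398 days minus one second lands on 398 and only trips the SHOULD NOT figure, which is the margin the BR's last paragraph tells issuers to leave.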
