Forum Discussion

stesch79's avatar
stesch79
Iron Contributor
Jun 30, 2020

Google Chrome limits the validity of SSL Certificates to one year

Dear Edge developers

 

Google has recently announced to limit the validity of certificate to one year (398 days) starting in September 2020 (see https://www.certisur.com/en/google-chrome-limits-the-validity-of-ssl-certificates-to-one-year/)

 

Is this already planned to be addressed in Edge Chromium?

If yes, will there be a policy to exclude certain domains from this validation?

 

Background: In our company we use 2 year certificates (released by our internal PKI) and we want to understand the impact once the new validity check is available in Edge Chromium as well.

 

Regards,

Stephan

 

    • ReadyToDiscuss's avatar
      ReadyToDiscuss
      Icon for Microsoft rankMicrosoft

      Eric_Lawrence  

       

      Can you please confirm on what happens to 

      1. Mobile Applications using SSL Pinning feature.
      2. Installed Mobile Applications using channel encryption (using TLS based communication )
      3. Clients like Cisco AnyConnect using Internal CA issued User Certificate but the Target VPN Services would be Public Certificates.
      • Eric_Lawrence's avatar
        Eric_Lawrence
        Icon for Microsoft rankMicrosoft
        I don’t think any of these topics are related to the TLS cert validity change.

        1. Mobile Applications using SSL Pinning feature.

        This isn’t a question for Microsoft but for Apple/Google. Both iOS and Android platforms will probably impose the lifetime limit for certificates across the whole OS. Pinning can be implemented in different ways, but that’s not really related to the certificate lifetime.

        2. Installed Mobile Applications using channel encryption (using TLS based communication )

        This is fundamentally the same question as #1.

        3. Clients like Cisco AnyConnect using Internal CA issued User Certificate but the Target VPN Services would be Public Certificates.

        It’s not really clear what is meant here; a User Certificate sounds like you’re talking about a Client Certificate; this change applies to TLS server certificates.
    • stesch79's avatar
      stesch79
      Iron Contributor

      Eric_LawrenceThanks for the link! That's reassuring!

       

      But what about the validity check itself? I assume Edge Chromium will also implement that check sooner or later?

      • Eric_Lawrence's avatar
        Eric_Lawrence
        Icon for Microsoft rankMicrosoft
        Yes, for certificates that chain to public CAs, we will have the same check as Chrome, shipping in the same Stable version.

Resources