cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Google Chrome limits the validity of SSL Certificates to one year

%3CLINGO-SUB%20id%3D%22lingo-sub-1498521%22%20slang%3D%22en-US%22%3EGoogle%20Chrome%20limits%20the%20validity%20of%20SSL%20Certificates%20to%20one%20year%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1498521%22%20slang%3D%22en-US%22%3E%3CP%3EDear%20Edge%20developers%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EGoogle%20has%20recently%20announced%20to%20limit%20the%20validity%20of%20certificate%20to%20one%20year%20(398%20days)%20starting%20in%20September%202020%20(see%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.certisur.com%2Fen%2Fgoogle-chrome-limits-the-validity-of-ssl-certificates-to-one-year%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.certisur.com%2Fen%2Fgoogle-chrome-limits-the-validity-of-ssl-certificates-to-one-year%2F%3C%2FA%3E)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20this%20already%20planned%20to%20be%20addressed%20in%20Edge%20Chromium%3F%3C%2FP%3E%3CP%3EIf%20yes%2C%20will%20there%20be%20a%20policy%20to%20exclude%20certain%20domains%20from%20this%20validation%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBackground%3A%20In%20our%20company%20we%20use%202%20year%20certificates%20(released%20by%20our%20internal%20PKI)%20and%20we%20want%20to%20understand%20the%20impact%20once%20the%20new%20validity%20check%20is%20available%20in%20Edge%20Chromium%20as%20well.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERegards%2C%3C%2FP%3E%3CP%3EStephan%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1498521%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3Ecertificate%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Ehttps%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Evalidity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1502996%22%20slang%3D%22en-US%22%3ERe%3A%20Google%20Chrome%20limits%20the%20validity%20of%20SSL%20Certificates%20to%20one%20year%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1502996%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F355230%22%20target%3D%22_blank%22%3E%40stesch79%3C%2FA%3E%26nbsp%3BThese%20changes%20apply%20to%20certificates%20that%20are%20rooted%20to%20a%20%3CSTRONG%3Epublic%3C%2FSTRONG%3E%20CA%20trust%20anchor.%20Certificates%20that%20are%20rooted%20to%20a%20private%20PKI%20CA%20(%E2%80%9Clocally-trusted%20anchor%E2%80%9D)%20are%20not%20limited%20this%20way.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESee%20also%20%3CA%20href%3D%22https%3A%2F%2Fsource.chromium.org%2Fchromium%2Fchromium%2Fsrc%2F%2B%2Fmaster%3Anet%2Fdocs%2Fcertificate_lifetimes.md%3Fq%3Dcertificate%2520lifetime%26amp%3Bss%3Dchromium%26amp%3BoriginalUrl%3Dhttps%3A%252F%252Fcs.chromium.org%252F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsource.chromium.org%2Fchromium%2Fchromium%2Fsrc%2F%2B%2Fmaster%3Anet%2Fdocs%2Fcertificate_lifetimes.md%3Fq%3Dcertificate%2520lifetime%26amp%3Bss%3Dchromium%26amp%3BoriginalUrl%3Dhttps%3A%252F%252Fcs.chromium.org%252F%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1503029%22%20slang%3D%22en-US%22%3ERe%3A%20Google%20Chrome%20limits%20the%20validity%20of%20SSL%20Certificates%20to%20one%20year%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1503029%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F317619%22%20target%3D%22_blank%22%3E%40ericlaw%3C%2FA%3EThanks%20for%20the%20link!%20That's%20reassuring!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBut%20what%20about%20the%20validity%20check%20itself%3F%20I%20assume%20Edge%20Chromium%20will%20also%20implement%20that%20check%20sooner%20or%20later%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1503254%22%20slang%3D%22en-US%22%3ERe%3A%20Google%20Chrome%20limits%20the%20validity%20of%20SSL%20Certificates%20to%20one%20year%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1503254%22%20slang%3D%22en-US%22%3EYes%2C%20for%20certificates%20that%20chain%20to%20public%20CAs%2C%20we%20will%20have%20the%20same%20check%20as%20Chrome%2C%20shipping%20in%20the%20same%20Stable%20version.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1571373%22%20slang%3D%22en-US%22%3ERe%3A%20Google%20Chrome%20limits%20the%20validity%20of%20SSL%20Certificates%20to%20one%20year%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1571373%22%20slang%3D%22en-US%22%3EAnd%20company%20internal%20CA%E2%80%98s%20are%20not%20affected%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1571388%22%20slang%3D%22en-US%22%3ERe%3A%20Google%20Chrome%20limits%20the%20validity%20of%20SSL%20Certificates%20to%20one%20year%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1571388%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F162121%22%20target%3D%22_blank%22%3E%40Thilo%20Langbein%3C%2FA%3E%26nbsp%3B-%26nbsp%3B%3CSPAN%3ECertificates%20that%20are%20rooted%20to%20a%20private%20PKI%20CA%20(%E2%80%9Clocally-trusted%20anchor%E2%80%9D%2C%20which%20is%20trusted%20only%20because%20the%20user%20or%20admin%20added%20it%20to%20the%20client)%20are%20not%20limited%20this%20way.%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EIt%20is%20%3CSTRONG%3E%3CEM%3Eextremely%3C%2FEM%3E%20%3C%2FSTRONG%3Erare%20for%20a%20company%20to%20have%20an%20internal%20CA%20that%20chains%20back%20to%20a%20publicly%20trusted%20root%20(although%20it%20is%20%3CEM%3Enot%20impossible%3C%2FEM%3E.%20Microsoft%20has%20such%20a%20CA%2C%20as%20does%20at%20least%20one%20of%20the%20major%20CA%20companies).%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1643738%22%20slang%3D%22en-US%22%3ERe%3A%20Google%20Chrome%20limits%20the%20validity%20of%20SSL%20Certificates%20to%20one%20year%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1643738%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F317619%22%20target%3D%22_blank%22%3E%40ericlaw%3C%2FA%3E%26nbsp%3B%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ECan%20you%20please%20confirm%20on%20what%20happens%20to%26nbsp%3B%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EMobile%20Applications%20using%20SSL%20Pinning%20feature.%3C%2FLI%3E%0A%3CLI%3EInstalled%20Mobile%20Applications%20using%20channel%20encryption%20(using%20TLS%20based%20communication%20)%3C%2FLI%3E%0A%3CLI%3EClients%20like%20Cisco%20AnyConnect%20using%20Internal%20CA%20issued%20User%20Certificate%20but%20the%20Target%20VPN%20Services%20would%20be%20Public%20Certificates.%3C%2FLI%3E%0A%3C%2FOL%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1644230%22%20slang%3D%22en-US%22%3ERe%3A%20Google%20Chrome%20limits%20the%20validity%20of%20SSL%20Certificates%20to%20one%20year%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1644230%22%20slang%3D%22en-US%22%3EI%20don%E2%80%99t%20think%20any%20of%20these%20topics%20are%20related%20to%20the%20TLS%20cert%20validity%20change.%3CBR%20%2F%3E%3CBR%20%2F%3E1.%20Mobile%20Applications%20using%20SSL%20Pinning%20feature.%3CBR%20%2F%3E%3CBR%20%2F%3EThis%20isn%E2%80%99t%20a%20question%20for%20Microsoft%20but%20for%20Apple%2FGoogle.%20Both%20iOS%20and%20Android%20platforms%20will%20probably%20impose%20the%20lifetime%20limit%20for%20certificates%20across%20the%20whole%20OS.%20Pinning%20can%20be%20implemented%20in%20different%20ways%2C%20but%20that%E2%80%99s%20not%20really%20related%20to%20the%20certificate%20lifetime.%3CBR%20%2F%3E%3CBR%20%2F%3E2.%20Installed%20Mobile%20Applications%20using%20channel%20encryption%20(using%20TLS%20based%20communication%20)%3CBR%20%2F%3E%3CBR%20%2F%3EThis%20is%20fundamentally%20the%20same%20question%20as%20%231.%3CBR%20%2F%3E%3CBR%20%2F%3E3.%20Clients%20like%20Cisco%20AnyConnect%20using%20Internal%20CA%20issued%20User%20Certificate%20but%20the%20Target%20VPN%20Services%20would%20be%20Public%20Certificates.%3CBR%20%2F%3E%3CBR%20%2F%3EIt%E2%80%99s%20not%20really%20clear%20what%20is%20meant%20here%3B%20a%20User%20Certificate%20sounds%20like%20you%E2%80%99re%20talking%20about%20a%20Client%20Certificate%3B%20this%20change%20applies%20to%20TLS%20server%20certificates.%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1684357%22%20slang%3D%22en-US%22%3ERe%3A%20Google%20Chrome%20limits%20the%20validity%20of%20SSL%20Certificates%20to%20one%20year%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1684357%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F317619%22%20target%3D%22_blank%22%3E%40ericlaw%3C%2FA%3E%26nbsp%3BI%20have%20a%20similar%20question%20.%20We%20also%20use%20%3CSPAN%3ECisco%20AnyConnect%20using%20Internal%20CA%26nbsp%3B%20and%20issued%20User%26nbsp%3Bcertificate%20%26nbsp%3BEKU%20client%20authentication%20(User%20Template)%26nbsp%3Band%26nbsp%3B%20our%20VPN%20appliances%20uses%20internal%20CA%26nbsp%3B%26nbsp%3Bas%20well%20EKU%20server%20authentication%20certificate%20(WebServer%20template)%20.%20Can%20you%20please%20confirm%20what%20happens%20with%20the%20validity%20%26nbsp%3Bcheck%20in%20this%20case%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EThanks%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1684743%22%20slang%3D%22en-US%22%3ERe%3A%20Google%20Chrome%20limits%20the%20validity%20of%20SSL%20Certificates%20to%20one%20year%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1684743%22%20slang%3D%22en-US%22%3EInternal%20CAs%20not%20chained%20to%20a%20public%20root%20do%20not%20change.%3CBR%20%2F%3EClient%20authentication%20certificates%20do%20not%20change.%3C%2FLINGO-BODY%3E
stesch79
Frequent Contributor

‎06-30-2020 06:21 AM

‎06-30-2020 06:21 AM

Google Chrome limits the validity of SSL Certificates to one year

Dear Edge developers

 

Google has recently announced to limit the validity of certificate to one year (398 days) starting in September 2020 (see https://www.certisur.com/en/google-chrome-limits-the-validity-of-ssl-certificates-to-one-year/)

 

Is this already planned to be addressed in Edge Chromium?

If yes, will there be a policy to exclude certain domains from this validation?

 

Background: In our company we use 2 year certificates (released by our internal PKI) and we want to understand the impact once the new validity check is available in Edge Chromium as well.

 

Regards,

Stephan

 

Labels:
6,661 Views
1 Like
9 Replies
Reply
9 Replies
Best Response
ericlaw

‎07-02-2020 09:16 AM

‎07-02-2020 09:16 AM

Solution

Re: Google Chrome limits the validity of SSL Certificates to one year

@stesch79 These changes apply to certificates that are rooted to a public CA trust anchor. Certificates that are rooted to a private PKI CA (“locally-trusted anchor”) are not limited this way.

 

See also https://source.chromium.org/chromium/chromium/src/+/master:net/docs/certificate_lifetimes.md?q=certi...

0 Likes
Reply
stesch79

‎07-02-2020 09:45 AM

‎07-02-2020 09:45 AM

Re: Google Chrome limits the validity of SSL Certificates to one year

@ericlawThanks for the link! That's reassuring!

 

But what about the validity check itself? I assume Edge Chromium will also implement that check sooner or later?

0 Likes
Reply
ericlaw

‎07-02-2020 11:57 AM

‎07-02-2020 11:57 AM

Re: Google Chrome limits the validity of SSL Certificates to one year

Yes, for certificates that chain to public CAs, we will have the same check as Chrome, shipping in the same Stable version.
0 Likes
Reply
Thilo Langbein

‎08-06-2020 12:17 PM

‎08-06-2020 12:17 PM

Re: Google Chrome limits the validity of SSL Certificates to one year

And company internal CA‘s are not affected?
0 Likes
Reply
ericlaw

‎08-06-2020 12:31 PM

‎08-06-2020 12:31 PM

Re: Google Chrome limits the validity of SSL Certificates to one year

@Thilo Langbein - Certificates that are rooted to a private PKI CA (“locally-trusted anchor”, which is trusted only because the user or admin added it to the client) are not limited this way.

 

It is extremely rare for a company to have an internal CA that chains back to a publicly trusted root (although it is not impossible. Microsoft has such a CA, as does at least one of the major CA companies).

0 Likes
Reply
MillionDollar

‎09-08-2020 03:00 AM

‎09-08-2020 03:00 AM

Re: Google Chrome limits the validity of SSL Certificates to one year

@ericlaw  

 

Can you please confirm on what happens to 

  1. Mobile Applications using SSL Pinning feature.
  2. Installed Mobile Applications using channel encryption (using TLS based communication )
  3. Clients like Cisco AnyConnect using Internal CA issued User Certificate but the Target VPN Services would be Public Certificates.
0 Likes
Reply
ericlaw

‎09-08-2020 06:11 AM

‎09-08-2020 06:11 AM

Re: Google Chrome limits the validity of SSL Certificates to one year

I don’t think any of these topics are related to the TLS cert validity change.

1. Mobile Applications using SSL Pinning feature.

This isn’t a question for Microsoft but for Apple/Google. Both iOS and Android platforms will probably impose the lifetime limit for certificates across the whole OS. Pinning can be implemented in different ways, but that’s not really related to the certificate lifetime.

2. Installed Mobile Applications using channel encryption (using TLS based communication )

This is fundamentally the same question as #1.

3. Clients like Cisco AnyConnect using Internal CA issued User Certificate but the Target VPN Services would be Public Certificates.

It’s not really clear what is meant here; a User Certificate sounds like you’re talking about a Client Certificate; this change applies to TLS server certificates.
1 Like
Reply
DarrenRD

‎09-18-2020 08:23 AM

‎09-18-2020 08:23 AM

Re: Google Chrome limits the validity of SSL Certificates to one year

@ericlaw I have a similar question . We also use Cisco AnyConnect using Internal CA  and issued User certificate  EKU client authentication (User Template) and  our VPN appliances uses internal CA  as well EKU server authentication certificate (WebServer template) . Can you please confirm what happens with the validity  check in this case?

 

Thanks

0 Likes
Reply
ericlaw

‎09-18-2020 09:31 AM

‎09-18-2020 09:31 AM

Re: Google Chrome limits the validity of SSL Certificates to one year

Internal CAs not chained to a public root do not change.
Client authentication certificates do not change.
0 Likes
Reply