ISE Admin Certificate - Browsers still happy with certs > 398 days

Arne Bier (VIP)

Hello,

ISE 3.1 displays a great warning when trying to import an Admin certificate with a lifetime of greater than 398 days. It's well known that Apple started this trend, and I have not tested whether Safari enforces this yet. But I can confirm that I was able to install a 5-year certificate, and neither Firefox, Chrome nor Edge had any complaints about it. I have to add that the cert was created by internal PKI, and not from a public CA (I assume public CAs no longer issue certs >12 months).

Has anyone had a bad experience with a cert that is valid for such a long lifetime?

 

Below is the message in ISE 3.1 when trying to import such a certificate.

[Screenshot: ISE 3.1 warning shown when importing an Admin certificate valid for more than 398 days]


3 Replies

Damien Miller (VIP Alumni), accepted solution

Was the cert you installed a private PKI certificate? The change was specific to publicly trusted certificates and not internal PKI. 

https://www.ssl.com/blogs/398-day-browser-limit-for-ssl-tls-certificates-begins-september-1-2020/

"My company has a privately trusted root CA. Are privately trusted SSL/TLS certificates subject to the new 398-day limit?

No. Apple’s change only extends to publicly trusted root CA certificates pre-installed on its devices, including SSL.com’s roots. Root certificates installed by a user or administrator are not affected by the 398-day restriction."

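The distinction in the accepted answer (publicly trusted chain versus private PKI) turned into a check you can run before importing an Admin certificate. This is an added example for this thread, not Cisco ISE code and not from any poster. It walks the DER just far enough to read the validity period using only the Python standard library and then applies the 398-day rule the way the answer describes it. Assumptions: the sample certificate is constructed inside the script (structurally valid, with no real key or signature), whether the chain terminates at a publicly trusted root is supplied as a boolean rather than looked up in a trust store, and the 1 September 2020 start date is taken from the linked SSL.com article.

```python
"""Check an X.509 certificate's validity period against the 398-day browser limit.

Added example for this thread (not Cisco ISE code). Stdlib only: a minimal DER
walk to TBSCertificate.validity plus the policy check. Public trust is a
boolean input; no trust store is consulted.
"""
import base64
import datetime

BROWSER_LIMIT_DAYS = 398
# Assumption from the linked article: applies to publicly trusted certs issued on/after 1 Sep 2020.
POLICY_START = datetime.datetime(2020, 9, 1, tzinfo=datetime.timezone.utc)


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _parse_time(tag, raw):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) as used in RFC 5280 Validity."""
    s = raw.decode("ascii")
    if tag == 0x17:                         # YYMMDDHHMMSSZ; RFC 5280: 50-99 => 19xx, 00-49 => 20xx
        yy = int(s[:2])
        year, rest = (1900 + yy if yy >= 50 else 2000 + yy), s[2:]
    elif tag == 0x18:                       # YYYYMMDDHHMMSSZ
        year, rest = int(s[:4]), s[4:]
    else:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    if len(rest) != 11 or not rest.endswith("Z"):
        raise ValueError(f"malformed time string {s!r}")
    return datetime.datetime(year, int(rest[0:2]), int(rest[2:4]), int(rest[4:6]),
                             int(rest[6:8]), int(rest[8:10]), tzinfo=datetime.timezone.utc)


def pem_to_der(pem_text):
    """Strip the -----BEGIN/END----- armour and base64-decode one PEM certificate."""
    body = "".join(line.strip() for line in pem_text.strip().splitlines()
                   if not line.startswith("-----"))
    return base64.b64decode(body)


def der_to_pem(der):
    """Inverse of pem_to_der, used for the round-trip demonstration."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def certificate_validity(der):
    """Return (notBefore, notAfter) from a DER-encoded X.509 Certificate."""
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, cert_start, _ = _read_tlv(der, 0)
    _, pos, _ = _read_tlv(der, cert_start)   # step into TBSCertificate
    tag, _, end = _read_tlv(der, pos)
    if tag == 0xA0:                          # optional [0] EXPLICIT version
        pos = end
    for _ in range(3):                       # serialNumber, signature, issuer
        _, _, pos = _read_tlv(der, pos)
    _, pos, _ = _read_tlv(der, pos)          # validity SEQUENCE { notBefore, notAfter }
    tag_nb, s, e = _read_tlv(der, pos)
    not_before = _parse_time(tag_nb, der[s:e])
    tag_na, s, e = _read_tlv(der, e)
    not_after = _parse_time(tag_na, der[s:e])
    return not_before, not_after


def browser_lifetime_check(not_before, not_after, publicly_trusted):
    """398-day rule: only publicly trusted certs issued on/after POLICY_START are subject."""
    days = (not_after - not_before).days
    subject = publicly_trusted and not_before >= POLICY_START
    return {"days": days, "subject_to_limit": subject,
            "exceeds_limit": subject and days > BROWSER_LIMIT_DAYS}


# ---- constructed sample input (no real key or signature; structure only) ----
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_sample_certificate(not_before, not_after, cn=b"ise.example.internal"):
    """Build a structurally valid but unsigned Certificate DER with the given validity."""
    utc = lambda dt: _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))                       # v3
    serial = _tlv(0x02, b"\x01")
    sig_alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x0C, cn))))
    validity = _tlv(0x30, utc(not_before) + utc(not_after))
    spki = _tlv(0x30, b"")                                           # placeholder, not a real key
    tbs = _tlv(0x30, version + serial + sig_alg + name + validity + name + spki)
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00"))


SAMPLE_NOT_BEFORE = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)
SAMPLE_NOT_AFTER = datetime.datetime(2029, 1, 1, tzinfo=datetime.timezone.utc)   # ~5 years, like the OP's cert

if __name__ == "__main__":
    nb, na = certificate_validity(build_sample_certificate(SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER))
    for trusted in (True, False):
        print("publicly trusted:" if trusted else "private PKI:", browser_lifetime_check(nb, na, trusted))
```

For a real file, `certificate_validity(pem_to_der(open(path).read()))` gives the dates; a private-PKI chain is reported with its lifetime but not flagged, matching what the thread observed for the internally issued 5-year Admin certificate.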
Wow that's a revelation! I had no idea that it was that subtle. In that case it makes sense to make the cert a bit longer lived to avoid that annual hassle of cert renewals (and application restarts).

Never had any issues with internal certificates as @Damien Miller mentioned. For public certificates on guest portal though, I have had guest endpoints not trust the certificate once the 398th day has passed.