Limit CA and Cert lifetime to 825 days #5
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Resolves ERR_CERT_REVOKED errors in Chrome on macOS 10.15 Catalina.
As decided by the CA/B Forum [1], newly created TLS certificates shall
have a maximum lifetime of 825 days (~27 months).
Apple implemented this in their latest software as a requirement for all
certificates issued after July 1, 2019 [2], presumably causing the
ERR_CERT_REVOKED error in Chrome [3].
Since this fork of devcert follows the idea of forgetting all private
keys after issuing the required certificate(s), there's no point in
giving the CA a longer lifetime than the certificate.
[1] https://cabforum.org/2017/03/17/ballot-193-825-day-certificate-lifetimes/
[2] https://support.apple.com/en-us/HT210176
[3] https://support.google.com/chrome/thread/14551925?hl=en
Resolves #4