why maximum_certificate_lifespan 366 days ? #669

Open
dgisec opened this issue Oct 25, 2024 · 1 comment

dgisec commented Oct 25, 2024

I would like to know why you require a maximum_certificate_lifespan of 366 days?

The max seems to be 397 days:
https://www.tenable.com/plugins/was/112563
https://blog.mozilla.org/security/2020/07/09/reducing-tls-certificate-lifespans-to-398-days/
https://thehackernews.com/2020/09/ssl-tls-certificate-validity-398.html

I understand the shortest is the best, and Google is trying to reduce it to 90 days:
On March 3, 2023, Google's Chromium Projects announced that the organization plans to reduce the maximum validity period for public Transport Layer Security (TLS) certificates from 398 days to 90 days.

But 366 should be compliant with the current recommendation.

@janbrasna

This is to match https://wiki.mozilla.org/Security/Server_Side_TLS:

```json
"maximum_certificate_lifespan": 366,
"ocsp_staple": true,
"oldest_clients": ["Firefox 27", "Android 4.4.2", "Chrome 31", "Edge", "IE 11 on Windows 7", "Java 8u31", "OpenSSL 1.0.1", "Opera 20", "Safari 9"],
"recommended_certificate_lifespan": 90,
```

(only modern sets both to 90)
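An added example, not part of the thread or of the project's code, showing how the two fields quoted above grade a certificate's validity period, including a 397-day certificate like the one the question has in mind. The profile names, the rounding of partial days up to a full day, and the sample dates are assumptions made for this illustration.

```python
import ssl

# Limits in days. "quoted" holds the two values from the snippet above;
# "modern" follows the comment that it sets both to 90. Names are assumed.
PROFILES = {
    "quoted": {"maximum": 366, "recommended": 90},
    "modern": {"maximum": 90, "recommended": 90},
}

# Constructed samples in the format printed by `openssl x509 -noout -dates`.
CERT_397_DAYS = "notBefore=Oct 25 00:00:00 2024 GMT\nnotAfter=Nov 26 00:00:00 2025 GMT"
CERT_ONE_YEAR = "notBefore=Oct 25 00:00:00 2024 GMT\nnotAfter=Oct 25 23:59:59 2025 GMT"
CERT_90_DAYS = "notBefore=Oct 25 00:00:00 2024 GMT\nnotAfter=Jan 23 00:00:00 2025 GMT"


def lifespan_days(dates_output):
    """Validity period in days, counting a partial day as a full one (assumption)."""
    fields = {}
    for line in dates_output.strip().splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = ssl.cert_time_to_seconds(value.strip())
    if "notBefore" not in fields or "notAfter" not in fields:
        raise ValueError("expected notBefore= and notAfter= lines")
    seconds = fields["notAfter"] - fields["notBefore"]
    if seconds <= 0:
        raise ValueError("notAfter is not later than notBefore")
    return -(-seconds // 86400)  # ceiling division


def classify(dates_output, profile):
    """Return 'ok', 'exceeds_recommended' or 'exceeds_maximum'."""
    limits = PROFILES[profile]
    days = lifespan_days(dates_output)
    if days > limits["maximum"]:
        return "exceeds_maximum"
    if days > limits["recommended"]:
        return "exceeds_recommended"
    return "ok"


if __name__ == "__main__":
    samples = [("397-day", CERT_397_DAYS), ("one-year", CERT_ONE_YEAR), ("90-day", CERT_90_DAYS)]
    for name, sample in samples:
        print(name, lifespan_days(sample), classify(sample, "quoted"), classify(sample, "modern"))
```

Under the quoted values, a one-year certificate whose notAfter falls at the end of the anniversary day counts as 366 days and stays within the maximum, while the 397-day certificate does not.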
