ISE Admin Certificate - Browsers still happy with certs > 398 days

Arne Bier
VIP Advisor

Hello,

ISE 3.1 displays a great warning when trying to import an Admin certificate with a lifetime of greater than 398 days. It's well known that Apple started this trend, and I have not tested whether Safari enforces this yet. But I can confirm that I was able to install a 5 year certificate, and neither Firefox, Chrome nor Edge had any complaints about it. I have to add that the cert was created by internal PKI, and not from a public CA (I assume public CAs no longer issue certs >12 months).

Has anyone had a bad experience with a cert that is valid for such a long lifetime?


Below is the message in ISE 3.1 when trying to import such a certificate.

[Screenshot: 398days.PNG]

1 Accepted Solution

Accepted Solutions

Damien Miller
VIP Advisor

Was the cert you installed a private PKI certificate? The change was specific to publicly trusted certificates and not internal PKI. 

https://www.ssl.com/blogs/398-day-browser-limit-for-ssl-tls-certificates-begins-september-1-2020/

"My company has a privately trusted root CA. Are privately trusted SSL/TLS certificates subject to the new 398-day limit?

No. Apple’s change only extends to publicly trusted root CA certificates pre-installed on its devices, including SSL.com’s roots. Root certificates installed by a user or administrator are not affected by the 398-day restriction."


3 Replies


Wow that's a revelation! I had no idea that it was that subtle. In that case it makes sense to make the cert a bit longer lived to avoid that annual hassle of cert renewals (and application restarts).

ahollifield
Rising star

Never had any issues with internal certificates as @Damien Miller mentioned. For public certificates on guest portal though, I have had guest endpoints not trust the certificate once the 398th day has passed.
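As an added example (not code from this thread or from Cisco), here is a pre-import check that applies the rule from Damien's answer and ahollifield's guest-portal experience: it reads the `notBefore`/`notAfter` lines that `openssl x509 -noout -dates` prints, computes the lifetime, and only flags a browser rejection when the cert exceeds 398 days and chains to a publicly trusted root. The sample date strings are constructed, and the assumption that the lifetime is simply notAfter minus notBefore in whole days is mine.

```python
from datetime import datetime, timezone

# Limit discussed in the thread: browsers cap publicly trusted leaf certs at 398 days.
MAX_PUBLIC_LIFETIME_DAYS = 398
# Apple's rule took effect for publicly trusted certs issued on/after 1 Sep 2020
# (the date in the ssl.com article linked above).
PUBLIC_LIMIT_START = datetime(2020, 9, 1, tzinfo=timezone.utc)

def parse_openssl_dates(dates_output):
    """Parse the two lines printed by `openssl x509 -noout -dates`."""
    found = {}
    for line in dates_output.strip().splitlines():
        key, _, value = line.partition("=")
        # openssl pads single-digit days with two spaces; normalise whitespace first
        value = " ".join(value.split())
        found[key.strip()] = datetime.strptime(
            value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
    return found["notBefore"], found["notAfter"]

def lifetime_days(not_before, not_after):
    """Validity period in whole days (assumed to be what the ISE warning measures)."""
    return (not_after - not_before).days

def check_admin_cert(dates_output, publicly_trusted):
    """Return (days, exceeds_398, browser_will_reject) for a candidate admin cert.

    publicly_trusted: True if the chain ends in a root shipped in the OS/browser
    trust store, False for a root installed by an administrator (internal PKI).
    """
    not_before, not_after = parse_openssl_dates(dates_output)
    days = lifetime_days(not_before, not_after)
    exceeds = days > MAX_PUBLIC_LIFETIME_DAYS
    # Per the accepted answer: only publicly trusted certs are subject to the cap,
    # and only those issued after the policy came into force.
    rejected = exceeds and publicly_trusted and not_before >= PUBLIC_LIMIT_START
    return days, exceeds, rejected

# Constructed sample output for a 5-year internal-PKI cert like the OP's.
FIVE_YEAR = """notBefore=Mar 15 08:00:00 2022 GMT
notAfter=Mar 14 08:00:00 2027 GMT
"""
# Constructed sample output for a cert sitting exactly at the 398-day limit.
AT_LIMIT = """notBefore=Mar 15 08:00:00 2022 GMT
notAfter=Apr 17 08:00:00 2023 GMT
"""
```

Run `check_admin_cert(FIVE_YEAR, False)` for the internal-PKI case from the original post; flip the second argument to `True` to see why the same lifetime would fail on a public guest-portal cert.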
