Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
563
Views
10
Helpful
3
Replies

ISE Admin Certificate - Browsers still happy with certs > 398 days

Go to solution
Arne Bier
VIP Advisor VIP Advisor
VIP Advisor

‎07-13-2022 05:57 PM

Hello,

ISE 3.1 displays a great warning when trying to import an Admin certificate with a lifetime of greater than 398 days. It's well known that Apple started this trend, and I have not tested whether Safari enforces this yet. But I can confirm that I was able to install a 5 year certificate, and neither Firefox, Chrome nor Edge had any complaints about it.  I have to add, that the cert was created by internal PKI, and not from a public CA (I assume public CAs no longer issue certs >12 months)

Has anyone had a bad experience with a cert that is valid for such a long lifetime?

 

Below is the message in ISE 3.1 when trying to import such a certificate.

398days.PNG

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Damien Miller
VIP Advisor VIP Advisor
VIP Advisor

‎07-13-2022 06:01 PM - edited ‎07-13-2022 06:02 PM

Was the cert you installed a private PKI certificate? The change was specific to publicly trusted certificates and not internal PKI. 

https://www.ssl.com/blogs/398-day-browser-limit-for-ssl-tls-certificates-begins-september-1-2020/

"My company has a privately trusted root CA. Are privately trusted SSL/TLS certificates subject to the new 398-day limit?

No. Apple’s change only extends to publicly trusted root CA certificates pre-installed on its devices, including SSL.com’s roots. Root certificates installed by a user or administrator are not affected by the 398-day restriction."

View solution in original post

3 Replies 3

Go to solution
Damien Miller
VIP Advisor VIP Advisor
VIP Advisor

‎07-13-2022 06:01 PM - edited ‎07-13-2022 06:02 PM

Was the cert you installed a private PKI certificate? The change was specific to publicly trusted certificates and not internal PKI. 

https://www.ssl.com/blogs/398-day-browser-limit-for-ssl-tls-certificates-begins-september-1-2020/

"My company has a privately trusted root CA. Are privately trusted SSL/TLS certificates subject to the new 398-day limit?

No. Apple’s change only extends to publicly trusted root CA certificates pre-installed on its devices, including SSL.com’s roots. Root certificates installed by a user or administrator are not affected by the 398-day restriction."

Go to solution
Arne Bier
VIP Advisor VIP Advisor
VIP Advisor
In response to Damien Miller

‎07-13-2022 07:32 PM

Wow that's a revelation! I had no idea that it was that subtle. In that case it makes sense to make the cert a bit longer lived to avoid that annual hassle of cert renewals (and application restarts).

0 Helpful

Go to solution
ahollifield
Rising star
Rising star

‎07-14-2022 04:43 AM

Never had any issues with internal certifcates as @Damien Miller mentioned.  For public certificates on guest portal though, I have had guest endpoints not trust the certificate once the 398th day has passed.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents