Posted on 09-07-2022 09:12 AM
Hello everyone
On one of our internal web tools, we receive the error: Your connection is not private.
The same internal web tool works fine on Windows devices. We are told to solve the problem as it is a Mac problem(?)
I don't think that it is a Mac problem, or is it?
Need some help to figure out what the problem is and how to solve it.
I know that an SSL certificate issued on or after Sep 2020 is to be valid only for 1 year + renewal grace period (https://support.apple.com/en-us/HT211025).
But the SSL certificate of our internal web tool was issued in December 2019 and it is valid for 3 years. Can it be that this certificate is also affected because of Apple's validity period limitation?
Here is the behavior on different browsers:
Chrome: NET::ERR_CERT_VALIDITY_TOO_LONG
Edge: NET::ERR_CERT_VALIDITY_TOO_LONG
Safari: "x" certificate is not standards compliant
Firefox: it works without any issue or certificate error
When I checked the certificate in Chrome, I was only able to see the SSL cert. The intermediate and root certs are missing.
In Safari, I can see all certs but it shows the error above.
Has anyone experienced such an issue?
Thanks in Advance.
Posted on 09-08-2022 02:47 AM
Yes, it will be this issue; we needed to get ours renewed internally.
Posted on 09-08-2022 03:12 AM
If I understand you correctly, the SSL certificate should be renewed, and it should not have a validity of more than 398 days. Otherwise Apple devices will have problems with the site, and Windows devices just ignored this.
09-08-2022 08:39 AM - edited 09-08-2022 09:06 AM
Oh, I really love when I get this one internally at my employer. No, the problem is not macOS, it's lazy web application owners that are trying to use lifetime SSL certificates instead of renewing annually like they are supposed to. What the app owners are used to is Windows letting you use GPO to silence these invalid SSL certificate messages. macOS is not as friendly at letting you tell a Mac to just ignore an invalid SSL certificate.
I suppose the 1st thing to understand is this is not an "Apple" limitation. 2nd thing is to understand this is not an "Apple" problem. As soon as you start pushing back with that, your support groups will start to lose the ability to say this is "your" problem. It is an organization problem, and one that comes from not following published certificate standards. Boil down your organization's problem of allowing insecure SSL certificates, and you are left with an application problem which is caused by using an invalid SSL certificate. This is not an Apple thing by any means, Apple is just following a standard.
Apple and macOS only have direct control over Safari. Chrome and Firefox have their standards defined by Google and Mozilla respectively, not Apple. It just so happens that all 3 companies agree that 397 days is the appropriate SSL validity period. Beyond the web browsers, this SSL standard applies to everything, even the CAs warn you about it. 2-year Certificate Availability Ends on September 1, 2020 (digicert.com).
The fix:
Chrome Enterprise Policy List & Management | Documentation
The TL;DR and my copy paste blurb back to these web admins:
On Sept 1st 2020 Mozilla, Google, and Apple agreed to change the maximum SSL Validity Period from 825 days to 397 days. Any SSL certificate with a Validity Period of greater than 397 days that was issued after Sept 1st 2019 is an invalid or nonsecure SSL Certificate and all major web browsers released after that date will not accept the SSL certificate.
If you inspect the SSL certificate it will show you when the certificate expires. If the expiration date is more than 397 days from when the SSL certificate was issued (not the current date) the SSL certificate is not valid.
Beginning with Chrome v85, certificates issued on or after 9/1/20 will require a validity period of 398 days or less.
https://chromium.googlesource.com/chromium/src/+/HEAD/net/docs/certificate_lifetimes.md
Beginning with Safari 14, certificates issued on or after 9/1/20 will require a validity period of 398 days or less.
https://support.apple.com/en-us/HT211025
Beginning with Firefox v83, certificates issued on or after 9/1/20 will require a validity period of 398 days or less.
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
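Added example, not part of any post in this thread: a small Python check that applies the lifetime limits quoted above to a certificate's notBefore/notAfter dates, written in the text form that `openssl x509 -noout -dates` prints. The function names, the sample dates and the 2018-03-01 start date for the 825-day tier are assumptions.

```python
import ssl
from datetime import datetime, timezone

# (issued on or after, maximum lifetime in days), newest tier first.
# 398 days from 2020-09-01 is the limit quoted in the thread. 825 days is the
# earlier maximum the thread mentions; its 2018-03-01 start date is an
# assumption (CA/Browser Forum baseline), not a value from the thread.
TIERS = [
    (datetime(2020, 9, 1, tzinfo=timezone.utc), 398),
    (datetime(2018, 3, 1, tzinfo=timezone.utc), 825),
]

def parse_cert_time(text):
    """Parse a date such as 'Dec 10 00:00:00 2019 GMT' into an aware datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)

def check_validity(not_before, not_after):
    """Compare the certificate lifetime with the limit for its issue date."""
    issued = parse_cert_time(not_before)
    expires = parse_cert_time(not_after)
    lifetime_days = (expires - issued).total_seconds() / 86400
    # Pick the first tier whose start date is on or before the issue date.
    limit = next((days for start, days in TIERS if issued >= start), None)
    return {
        "issued": issued.date().isoformat(),
        "lifetime_days": round(lifetime_days, 2),
        "limit_days": limit,
        "too_long": limit is not None and lifetime_days > limit,
    }

# Constructed sample dates, not taken from any real certificate.
SAMPLES = {
    "3-year cert issued Dec 2019": ("Dec 10 00:00:00 2019 GMT", "Dec 10 00:00:00 2022 GMT"),
    "2-year cert issued Oct 2020": ("Oct 01 00:00:00 2020 GMT", "Oct 01 00:00:00 2022 GMT"),
    "1-year reissue, Sep 2022": ("Sep 12 00:00:00 2022 GMT", "Sep 12 00:00:00 2023 GMT"),
}

if __name__ == "__main__":
    for name, (nb, na) in SAMPLES.items():
        print(name, check_validity(nb, na))
```

The lifetime is measured from notBefore to notAfter, not from the current date, so a certificate that is still unexpired can already exceed the limit for its issue date.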
Posted on 09-12-2022 12:02 AM
Tnx AJpinto
Thanks for your detailed explanation.
As you mentioned, the problem is indeed that the SSL certificate validity is too long and should NOT be longer than a year.
As I read in the article in my first post, it said clearly that the certificates created ON and AFTER Sep 2020 will be affected, that the validity of the certificate should be longer than one year. As our certificate was created in 2019, I didn't know if this certificate was affected or not. The answer is yes.
I wrote the web application owner to reissue a new SSL certificate with 1 year validity to solve this problem.
Let's see what happens.