Help

SSL Certificate validity problem (NET::ERR_CERT_VALIDITY_TOO_LONG)

MehdiYawari
New Contributor III

Posted on β€Ž09-07-2022 09:12 AM

Hallo Everyone
On one of our internal web tool, we receive the error: Your connection is not private.
The same internal web tool works fine on Windows devices. We are told to solve the problem as it is a mac problem(?)
I dont think that it is a mac problem or is it? 
Need some help to figure out what the problem is and how to solved it.
I know about the SSL Certificate to be valid only for 1 year + Renew grace period which is issued on or after Sep 2020(https://support.apple.com/en-us/HT211025).

But the SSL certificate of our internal web tool is issued on December 2019 and it valid for 3 years. Can it be that this certificate is also effected because fo Apple's validity period limitation?

Here is the Behavior on different browser:

Chrome: NET::ERR_CERT_VALIDITY_TOO_LONG

Edge: NET::ERR_CERT_VALIDITY_TOO_LONG

Safari: "x" certificate is not standarts compliant

Firefox: it works without any issue or certificate error

As I checked the certificate in chrome, I was only able to see the SSL Cert. Intermediate and Root Cert are missing.
in Safari, I can see all certs but it show the error above.

Has anyone experienced such issue?
Thanks in Advance.

0 Kudos
4 REPLIES 4

L-plateAdmin
Contributor

Posted on β€Ž09-08-2022 02:47 AM

yes it will be this issue, we needed to get ours renewed internally..

0 Kudos

MehdiYawari
New Contributor III

Posted on β€Ž09-08-2022 03:12 AM

If I untestand you correctly, the SSL Certificate should be renewed which should not have a validity more then 398 days. Otherwise Apple devices will have problem with the site and windows devices just ingored this.  

0 Kudos

AJPinto
Valued Contributor II

β€Ž09-08-2022 08:39 AM - edited β€Ž09-08-2022 09:06 AM

Oh, I really love when I get this one internally at my employer. No the problem is not macOS, its lazy web application owners that are trying to use lifetime SSL certificates instead of renewing annually like they are supposed to. What the app owners are used to is Windows letting you use GPO to silence these invalid SSL certificate messages. MacOS is not as friendly at letting you tell a Mac to just ignore an invalid SSL certificate.

 

I suppose the 1st thing to understand, is this is not an "Apple" limitation. 2nd thing is to understand this is not an "Apple" problem. As soon as you start pushing back with that, your support groups will start to lose the ability to say this is "your" problem. It is an organization problem, and one that comes from not following published certificate standards. Boil down your organizations problem of allowing insecure SSL certificates, and you are left with an application problem which is caused by using an invalid SSL certificate. This is not an Apple thing by any means, Apple is just following a standard. 

 

Apple and MacOS only have direct control over Safari. Chrome and FireFox have their standards defined by Google and Mozilla respectively, not Apple. It just so happens that all 3 companies agree that 397 days is the appropriate SSL validity period. Beyond the web browsers, this SSL standard applies to everything, even the CA's warn you about it. 2-year Certificate Availability Ends on September 1, 2020 (digicert.com)



 

The fix:

 

  • Correct fix: The web app admins need to update their SSL certificates to follow published standards.
    • This is the most hands off fix for all parties also, and aligns with published security standards.
  • Bad idea fix kinda sorta but not really a fix at all:
    • MacOS: You may be able to upload the bad certificates to a configuration profile and deploy them. MDM installed certificates are automatically trusted in macOS, but I do not know if this includes SSL Certificates. IF it works every time a SSL certificate is renewed it will need to be uploaded to JAMF and deployed again.
    • Chrome: I am not seeing a key that would force allow an invalid SSL certificate. You can look in to SSLErrorOverrideAllowedForOrigins but this looks to just allow the user to approve so you can limit what they can approve

Chrome Enterprise Policy List & Management | Documentation

 

The TL;DR and my copy paste blurb back to these web admins:

 

On Sept 1st 2020 Mozilla, Google, and Apple agreed to change the maximum SSL Validity Period from 825 days to 397 days. Any SSL certificate with a Validity Period of greater than 397 days that was issued after Sept 1st 2019 is an invalid or nonsecure SSL Certificate and all major web browsers released after that date will not accept the SSL certificate.

 

If you inspect the SSL certificate it will show you when the certificate expires. If the expiration date is more than 397 days from when the SSL certificate was issued (not the current date) the SSL certificate is not valid. 

 

 

Beginning with Chrome v85 Certificates issued on or after 9/1/20 will require a validity period of 398 days or less

https://chromium.googlesource.com/chromium/src/+/HEAD/net/docs/certificate_lifetimes.md

Beginning with Safari 14 for Certificates issued on or after 9/1/20 will require a validity period of 398 days or less. 

https://support.apple.com/en-us/HT211025

Beginning with Firefox v83 Certificates issued on or after 9/1/20 will require a validity period of 398 days or less

https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/

 



 

 

 

 

 

MehdiYawari
New Contributor III

Posted on β€Ž09-12-2022 12:02 AM

Tnx AJpinto
Thanks for your detailed explanation.

As you mentioned, the poblem is indeed that SSL Certficate validity is too long and should NOT be longer then a year. 
As I read this the artikel in my first post. it said clearly that the certificates created ON and AFTER Sep 2020 will be affected that the validity of the certificate should be longer then one year. As our certificate was created in 2019, I didnt know if this certificate was affected or not. The answer is yes.
I wrote the web application owner to reissue a new SSL certificate with 1 year validity to solve this problem.
Lets see what happens
 

0 Kudos