TLS Certificate Lifetime Requirement
Publish Date: May 10, 2018
Recent changes to Chrome could affect your agency. Chrome now requires that TLS/SSL certificates issued on or after March 1, 2018, have a maximum lifetime of 825 days. Google is enforcing this change for Chrome as a result of the Certification Authority/Browser (CA/B) Forum’s Ballot 193 to promote increased web security.1
- What Will Be Impacted?
- What Other Browsers Enforce This Requirement?
- What Should I Do?
- Additional Resources
What Will Be Impacted?
A government user will receive an “untrusted site” error when browsing to an intranet website or application if all of the following are true:
- The intranet website’s TLS/SSL certificate was issued by a Federal PKI Certification Authority
- The TLS/SSL certificate was issued on or after March 1, 2018, with a lifetime greater than 825 days
- The user is browsing with the Chrome browser
What Other Browsers Enforce This Requirement?
Chrome is the only browser currently enforcing this requirement for TLS/SSL certificates. If other browser vendors decide to enforce this requirement, we will post updates to this announcement. Please also check the FPKI-Guides’ Issues for in-progress discussions.
What Should I Do?
To prevent Chrome browsing errors:
- Request that your PKI team or Federal Shared Service Provider update the certificate profiles for TLS/SSL device certificates issued by Federal PKI Certification Authorities to require a certificate lifetime of less than 825 days.
- Re-issue and re-install new TLS/SSL certificates for the impacted intranet websites and applications.
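To find which certificates need re-issuing, the date conditions listed under "What Will Be Impacted?" can be checked against the output of `openssl x509 -noout -dates`. The following is an added example, not part of the original announcement; the hostnames and dates are constructed, lifetime is assumed to be notAfter minus notBefore, and the check covers only the date conditions, not the issuing CA or the browser.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Thresholds stated in the announcement above.
ENFORCED_FROM = datetime(2018, 3, 1, tzinfo=timezone.utc)
MAX_LIFETIME = timedelta(days=825)


def _to_utc(cert_time):
    # Parses the "Mar  1 00:00:00 2018 GMT" form used in certificate dates.
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def parse_dates(openssl_dates):
    """Parse the two-line output of `openssl x509 -noout -dates`."""
    fields = dict(line.strip().split("=", 1)
                  for line in openssl_dates.strip().splitlines())
    return _to_utc(fields["notBefore"]), _to_utc(fields["notAfter"])


def check(openssl_dates):
    """Return (status, lifetime_in_days) for one certificate.

    Assumption: lifetime is measured as notAfter minus notBefore.
    """
    not_before, not_after = parse_dates(openssl_dates)
    lifetime = not_after - not_before
    days = lifetime / timedelta(days=1)
    if not_before < ENFORCED_FROM:
        return "exempt", days      # issued before March 1, 2018
    if lifetime > MAX_LIFETIME:
        return "reissue", days     # over the 825-day maximum
    return "ok", days


# Constructed sample inventory (hostnames and dates are made up).
INVENTORY = {
    "app1.agency.example": "notBefore=Feb 28 23:59:59 2018 GMT\nnotAfter=Feb 28 23:59:59 2021 GMT",
    "app2.agency.example": "notBefore=Mar  1 00:00:00 2018 GMT\nnotAfter=Jun  3 00:00:00 2020 GMT",
    "app3.agency.example": "notBefore=May 10 12:00:00 2018 GMT\nnotAfter=May 10 12:00:00 2021 GMT",
}

if __name__ == "__main__":
    for host, dates in INVENTORY.items():
        status, days = check(dates)
        print(f"{host}: {status} ({days:.0f} days)")
```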