Internal Certificates not trusted by iOS after Sept 1st, 2020 with validity period greater than 398 days..

[ Cross-thread related post: https://discussions.apple.com/thread/252058837 ]

I have experimentally verified that the limit documented here:

https://support.apple.com/en-us/HT210176

of 825 days is now quietly being enforced for internal Root CAs. This may be as recent as OS 10.15.7 (Nov. 2020)

I used two certificates: respectively with validity length 824 days (no error) and 826 (error: NET::ERR_TLS_CERT_VALIDITY_TOO_LONG).

I don't think it matters whether the CA was deployed via MDM or Active Directory, but for the sake of accuracy my method was to manually install my internal CA in my System Keychain and mark it as fully trusted.

Curiously, Chrome on Windows is fine with 5-year certificates, as is Firefox on MacOS even when it's told to use the same root trust system keychain that Safari and Chrome use.

I think it's best to just conform and keep all internal leaf certificates at 2 years.

Zokiol wrote:

Is there any confirmation Apple can give that this would also affect the trust of certs not issued by public Root CAs but our own internal Root CA?

This is a user-to-user support forum. No Apple employees are here. Even if they were here, there is no way an Apple employee would ever give someone confirmation on anything. Have you observed a certain behaviour? You can confirm for yourself that it does, in fact, work that way. Adjust your system settings to compensate for how you observe that things now work.