[samgranieri]

Hmm. I wonder how this will work with certificates generated by enterprise or private certificate authorities. Specifically, I use caddy for local web development and it generates a snake oil ca for anything on *.localhost using code from step-ca.

I also use step-ca and bind to run a homelab top level domain and generate certs using rfc2136. I have to install that root ca cert everywhere, but it’s worth it

[Habgdnv]

As of now, such stricter certificate requirements only apply to publicly trusted CAs that ship with the browser. Custom-added CAs are not subject to these requirements—this applies to all major browsers.

I haven't tested Firefox's implementation yet, but I expect your private CA to continue working as expected since it is manually added.

Private CAs can:

* Issue longer certificates, even 500 years if you want. Public CAs are limited to 1 year I think, or 2? I think it was 1..

* Can use weaker algorithms or older standards if they want.

* Not subject to browser revocation policies - no need for OCSP/CRL etc.

* More things that I do not know?

[Uvix]

Public CAs are currently limited to 398 days (effectively 13 months).

[tialaramex]

For anybody wondering: The weird amount of time is because with a commercial CA it needs to be possible to "carry" some validity during renewal. If I need a $10 Doodad and they're valid for exactly one calendar year, if I renew the Doodad on Monday instead of the following Sunday because I know I'll forget at the weekend, I am losing almost 20¢ of value. People get disproportionately passionate about stuff like this. So, the CAs credited your remaining time on the previous certificate - if you renewed with them, if you had six weeks to go but renewed a 3 year cert early you'd get issued a 3 years + 6 weeks cert.

As the maximum expiry shrank (to improve agility and encourage automation) the slack for granting such extra periods shrank too, withh "3 years" it was actually 39 months, maybe a bit more depending on how you squint, now it's exactly 398 days because Apple said so.