[GH-ISSUE #588] Apple now requires certs must not have a validity period greater than 398 days. #331

New issue

Open

opened 2026-02-25 22:33:07 +03:00 by kerem · 2 comments

kerem commented 2026-02-25 22:33:07 +03:00

Owner

Copy link

Originally created by @GeoTimber on GitHub (Jun 6, 2024).
Original GitHub issue: https://github.com/FiloSottile/mkcert/issues/588

See https://support.apple.com/en-us/102028

Originally created by @GeoTimber on GitHub (Jun 6, 2024). Original GitHub issue: https://github.com/FiloSottile/mkcert/issues/588 See https://support.apple.com/en-us/102028

kerem commented 2026-02-25 22:33:07 +03:00

Author

Owner

Copy link

@FiloSottile commented on GitHub (Jun 6, 2024):

This change will affect only TLS server certificates issued from the Root CAs preinstalled with iOS, iPadOS, macOS, watchOS, and tvOS.

Do you have evidence of this affecting mkcert?

<!-- gh-comment-id:2153354302 --> @FiloSottile commented on GitHub (Jun 6, 2024): > This change will affect only TLS server certificates issued from the Root CAs preinstalled with iOS, iPadOS, macOS, watchOS, and tvOS. Do you have evidence of this affecting mkcert?

kerem commented 2026-02-25 22:33:07 +03:00

Author

Owner

Copy link

@GeoTimber commented on GitHub (Jun 7, 2024):

Good morning @FiloSottile

I thought I had evidence and then I wasnt so sure any more, that is why my first post here ended up being so very short, my apologies.

I just tested again on Ubuntu 22.04 (KDE NEON) on the master branch and issued a certificate within 398 days and a certificate leaving the expiry as in the last master commit ( 825 days ). Using nginx.

And tested both in IOS 12.4 and IOS 17.1, with the ROOTCA, ( expiry in 10 years ) properly installed

and both work here, so a none issue at the moment as the Apple requirement does not seem to be enforced at the moment.

Thanks for all the good work, un saludo Joris

<!-- gh-comment-id:2154305033 --> @GeoTimber commented on GitHub (Jun 7, 2024): Good morning @FiloSottile I thought I had evidence and then I wasnt so sure any more, that is why my first post here ended up being so very short, my apologies. I just tested again on Ubuntu 22.04 (KDE NEON) on the master branch and issued a certificate within 398 days and a certificate leaving the expiry as in the last master commit ( 825 days ). Using nginx. And tested both in IOS 12.4 and IOS 17.1, with the ROOTCA, ( expiry in 10 years ) properly installed and both work here, so a none issue at the moment as the Apple requirement does not seem to be enforced at the moment. Thanks for all the good work, un saludo Joris

kerem referenced this issue 2026-02-25 22:33:31 +03:00

[PR #333] [CLOSED] fix: Limit cert lifetime to 397 days to align with Googles new policy. #447

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

v1.4.4

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.3.0

v1.2.0

v1.1.2

v1.1.1

v1.1.0

v1.0.1

v1.0.0

v0.9.1

v0.9.0

Labels

Clear labels   

TLS stack issue

  

Windows

  

bug

  

duplicate

  

duplicate

  

enhancement

  

help wanted

  

help wanted

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

question

  

root store

  

waiting for info

No labels

TLS stack issue

Windows

bug

duplicate

duplicate

enhancement

help wanted

help wanted

pull-request

question

question

root store

waiting for info

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/mkcert#331

No description provided.