Chrome TLS Certificate Lifetime Requirement

Recent changes to Chrome could affect your agency. Chrome now requires that TLS/SSL certificates issued on or after March 1, 2018, have a maximum lifetime of 825 days. Google is enforcing this change for Chrome as a result of the Certification Authority/Browser (CA/B) Forum’s Ballot 193 to promote increased web security.¹

What Will Be Impacted?

A government user will receive an “untrusted site” error when browsing to an intranet website or application if all of the following are true:

1. The intranet website’s TLS/SSL certificate was issued by a Federal PKI Certification Authority
2. The TLS/SSL certificate was issued on or after March 1, 2018, with a lifetime greater than 825 days
3. Using the Chrome browser

What Other Browsers Enforce This Requirement?

Chrome is the only browser currently enforcing this requirement for TLS/SSL certificates. If other browser vendors decide to enforce this requirement, we will post updates to this announcement. Please also check the FPKI-Guides’ Issues for in-progress discussions.

What Should I Do?

To prevent Chrome browsing errors:

1. Request that your PKI team or Federal Shared Service Provider update the certificate profiles for TLS/SSL device certificates issued by Federal PKI Certification Authorities to require a certificate lifetime of less than 825 days.
2. Re-issue and re-install new TLS/SSL certificates for the impacted intranet websites and applications.

Additional Resources

1. In March 2017, the CA/B Forum passed Ballot 193, which introduced the 825-day maximum lifetime requirement.