Impact of Chrome 85 TLS certificate lifetime changes on Web Isolation

Article ID: 198176

Products

Web Isolation, Web Isolation Cloud, Threat Isolation Gateway

Issue/Introduction

Beginning with Chrome 85, TLS server certificates issued on or after 2020-09-01 00:00:00 UTC will be required to have a validity period of 398 days or less.

The Chrome official announcement is available here

Resolution

What does it mean for Web Isolation?

  1. This is not an issue for version 1.14
  2. For versions 1.13 / 1.12 / 1.11:
    • This is an issue if a new gateway is added to the environment on or after 2020-09-01
    • We've created a patch allowing customers to overcome this. The patch changes the default certificate signing lifetime to be 1 year.

Patch instructions

  1. Download the patch to the management machine:
    wget https://fgl-fileserver.s3-eu-west-1.amazonaws.com/cert_398.sh
  2. Change file permissions:
    chmod +x ./cert_398.sh
  3. Run the patch as root:
    sudo ./cert_398.sh
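
To confirm that a certificate meets the rule described under Issue/Introduction, the following added example (not part of the original article or of the cert_398.sh patch) compares a certificate's notBefore and notAfter dates against the 2020-09-01 cutoff and the 398-day limit. It assumes GNU date and openssl are installed; the function names and the PEM path are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: evaluate a certificate against the 398-day validity rule.
# Assumptions: GNU date (for -d parsing) and openssl are available.

CUTOFF_EPOCH=1598918400          # 2020-09-01 00:00:00 UTC
MAX_LIFETIME=$((398 * 86400))    # 398 days, in seconds

# validity_verdict NOT_BEFORE NOT_AFTER
# Arguments use the date format openssl prints, e.g. "Sep  1 00:00:00 2020 GMT".
# Prints one word: exempt (issued before the cutoff), ok, too_long, or invalid.
validity_verdict() {
    local nb na
    # GNU date treats an empty string as "today", so reject empty input first.
    if [ -z "$1" ] || [ -z "$2" ]; then echo invalid; return 2; fi
    nb=$(date -u -d "$1" +%s 2>/dev/null) || { echo invalid; return 2; }
    na=$(date -u -d "$2" +%s 2>/dev/null) || { echo invalid; return 2; }
    if [ "$na" -le "$nb" ]; then echo invalid; return 2; fi
    # The limit only applies to certificates issued on or after the cutoff.
    if [ "$nb" -lt "$CUTOFF_EPOCH" ]; then echo exempt; return 0; fi
    if [ $((na - nb)) -gt "$MAX_LIFETIME" ]; then echo too_long; return 1; fi
    echo ok
}

# check_cert_file PEM_FILE
# Reads the validity dates from a PEM certificate and prints the verdict.
check_cert_file() {
    local pem="$1" dates nb na
    dates=$(openssl x509 -in "$pem" -noout -dates) || return 2
    nb=$(printf '%s\n' "$dates" | sed -n 's/^notBefore=//p')
    na=$(printf '%s\n' "$dates" | sed -n 's/^notAfter=//p')
    printf '%s: ' "$pem"
    validity_verdict "$nb" "$na"
}

# Usage (hypothetical path): check_cert_file /path/to/gateway-cert.pem
```

A verdict of too_long on a certificate issued after the cutoff means Chrome 85 and later will not accept it.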