Is ProxySG affected by 1 year server certificate expiration requirements of browsers?

Article ID: 198371

Products

ProxySG Software - SGOS

Issue/Introduction

Mozilla, Google, Apple, and Microsoft have aligned their browsers on a new requirement for the validity period (notBefore to notAfter) they will accept in a TLS server certificate. Effective Sept. 1, 2020, their browsers no longer trust a publicly trusted server certificate that was issued on or after that date with a validity period longer than 398 days. Certificates issued before Sept. 1, 2020 continue to be accepted until they expire, even if their validity period is longer than 398 days.

Resolution

For forward SSL proxy (not affected):
The change applies only to the server certificate presented to the browser. In forward SSL proxy (SSL interception), the ProxySG acts as an issuing root or intermediate CA, not as the server. When it intercepts SSL, it emulates the Origin Content Server (OCS) certificate and copies the validity dates of the OCS certificate into the emulated certificate. So as long as the website being accessed complies with the requirement, SSL interception on the ProxySG introduces no problem. If a site does not comply, the problem exists with or without the ProxySG: the ProxySG has no control over the validity dates the OCS chose, so the OCS is the point of failure. To check a specific site, compare the notBefore and notAfter dates of the OCS certificate; if it was issued on or after Sept. 1, 2020 and spans more than 398 days, the site itself is at fault.

For reverse HTTPS proxy (potentially affected):
In the case of HTTPS reverse proxy, the ProxySG itself presents a server certificate, so this service can be affected. Customers should renew their HTTPS Reverse Proxy service certificates, before they expire, with certificates whose validity period is at most one year (398 days). A certificate that was issued before Sept. 1, 2020 remains accepted until its own expiration date, so there is no need to replace it early; the limit matters at the next renewal. Since reverse proxy implementations generally receive inbound traffic from the internet, the certificates used are signed by a public CA, and the public CA will apply the 398-day maximum when it issues the renewal; plan on renewing roughly annually from then on. This browser requirement applies only to certificates that chain to a publicly trusted CA. Customers who have internal reverse proxies using a certificate signed by their own private Public Key Infrastructure (PKI) CA are unaffected by the change.
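The following script is an added example for checking a reverse-proxy (or OCS) certificate against the rule described above; it is not part of this article or of ProxySG. It parses the two lines printed by `openssl x509 -noout -dates`, computes the validity period, and reports whether the browsers' 398-day limit applies and whether the certificate would be rejected. The sample date lines embedded in it are constructed for illustration, the `publicly_trusted` flag is an assumption the caller supplies (the script does not validate the chain itself), and the hostname in the usage note is a placeholder.

```python
"""check_cert_lifetime.py - classify a server certificate under the browsers'
398-day validity rule (added example; constructed sample input)."""
import sys
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_VALIDITY = timedelta(days=398)                      # browser limit
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)      # applies to certs issued on/after this date
OPENSSL_DATE_FORMAT = "%b %d %H:%M:%S %Y GMT"           # e.g. "Sep  1 00:00:00 2020 GMT"

# Constructed sample, shaped like the output of `openssl x509 -noout -dates`.
SAMPLE_DATES = "notBefore=Sep  1 00:00:00 2020 GMT\nnotAfter=Oct  5 00:00:00 2021 GMT\n"


@dataclass
class Verdict:
    lifetime_days: float      # notAfter - notBefore, in days
    subject_to_limit: bool    # True when the 398-day rule applies to this certificate
    rejected: bool            # True when a current browser would refuse it
    reason: str


def parse_openssl_dates(text):
    """Return (notBefore, notAfter) as aware UTC datetimes from openssl -dates output."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            found[key] = datetime.strptime(value.strip(), OPENSSL_DATE_FORMAT).replace(tzinfo=timezone.utc)
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("expected both a notBefore= and a notAfter= line")
    return found["notBefore"], found["notAfter"]


def evaluate(not_before, not_after, publicly_trusted=True):
    """Apply the rule: issued >= 2020-09-01 AND validity > 398 days AND public chain -> rejected."""
    lifetime = not_after - not_before
    days = lifetime / timedelta(days=1)
    if not publicly_trusted:
        # Private PKI (e.g. an internal reverse proxy): browsers do not apply the limit.
        return Verdict(days, False, False, "chain ends at a private CA; the 398-day limit does not apply")
    if not_before < CUTOFF:
        # Grandfathered: accepted until its own notAfter, however long that is.
        return Verdict(days, False, False, "issued before 2020-09-01; accepted until notAfter")
    if lifetime > MAX_VALIDITY:
        return Verdict(days, True, True, "issued on/after 2020-09-01 with %.0f-day validity (> 398 days)" % days)
    return Verdict(days, True, False, "issued on/after 2020-09-01 with validity within 398 days")


def check_dates_text(text, publicly_trusted=True):
    """Convenience wrapper: openssl -dates text in, Verdict out."""
    not_before, not_after = parse_openssl_dates(text)
    return evaluate(not_before, not_after, publicly_trusted)


def days_until_expiry(not_after, now=None):
    """How long the certificate stays usable, independent of the 398-day rule."""
    now = now or datetime.now(timezone.utc)
    return (not_after - now) / timedelta(days=1)


if __name__ == "__main__":
    # Read piped openssl output if present, otherwise fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DATES
    private = "--private-ca" in sys.argv[1:]
    verdict = check_dates_text(text, publicly_trusted=not private)
    status = "REJECTED by browsers" if verdict.rejected else "accepted"
    print("validity: %.0f days; %s; %s" % (verdict.lifetime_days, status, verdict.reason))
```

To check the certificate a live reverse-proxy service presents, pipe the handshake into the script, e.g. `openssl s_client -connect rp.example.com:443 -servername rp.example.com </dev/null 2>/dev/null | openssl x509 -noout -dates | python3 check_cert_lifetime.py` (add `--private-ca` for an internally signed certificate). The script deliberately only reasons about validity dates; whether the chain is publicly trusted is an input, because a certificate can chain to a private root with exactly the same dates and be exempt.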