titanium-web-proxy
Certificate lifetime and grace period
I noticed the certificate "grace period" is hard-coded at 366 days for all 3 implementations: link. This sets the 'valid from' field of the certificates that are generated on the fly.
Additionally, I ran into this issue: source
Beginning with Chrome 85, TLS server certificates issued on or after 2020-09-01 00:00:00 UTC will be required to have a validity period of 398 days or less
We just passed that timestamp just over a week ago.
Thus setting CertificateManager.CertificateValidDays to anything more than 30 days causes it to fail on Chromium-based browsers. This shouldn't be an issue, as after 60 minutes (cache default) a new certificate would be generated, thus it wouldn't actually expire after 30 days.
Maybe some more sensible defaults are in order? Or perhaps, a way to configure both the valid days and the grace period that isn't as confusing? Having the hardcoded grace period add to the validity period is counterintuitive.
Does CertificateManager.CertificateValidDays set the period of the auto-generated root CA (rootCert.pfx) as well? That might be a problem.
Ideally, I'd like a long-lived root CA and short-lived 'on-the-fly' certs.