Commit

Merge pull request #652 from GSA/revert-649-1030-annouce-list-update
Revert "1030-annouce-list-update"
idmken authored Oct 31, 2023
2 parents 09b15b6 + c577d31 commit bfb4e3d
Showing 11 changed files with 1,462 additions and 48 deletions.
90 changes: 45 additions & 45 deletions _data/fpkiannouncements.yml
Expand Up @@ -30,56 +30,56 @@
description: The FPKIMA will be decommissioning the LDAP service associated with the old FCPCA root's SIA repository.
status: Active

# - title: New FPKI Tools Available
# pubDate: May 18, 2021
# url: /implement/announcements/test-tools/
# description: Release announcement for the Federal PKI Card Conformance Tool (CCT) and Certificate Profile Conformance Tool (CPCT).
# status: Remove
- title: New FPKI Tools Available
pubDate: May 18, 2021
url: /implement/announcements/test-tools/
description: Release announcement for the Federal PKI Card Conformance Tool (CCT) and Certificate Profile Conformance Tool (CPCT).
status: Active

# - title: Federal Common <br> Policy CA G2 Update
# pubDate: October 12, 2020
# url: /implement/announcements/common-g2-update/
# description: This announcement details the FCPCA update timeline and actions agencies need to perform.
# status: Removed
- title: Federal Common <br> Policy CA G2 Update
pubDate: October 12, 2020
url: /implement/announcements/common-g2-update/
description: This announcement details the FCPCA update timeline and actions agencies need to perform.
status: Active

# - title: Upcoming Migration of Federal PKI Certificate Repository Services
# pubDate: April 1, 2019
# url: /implement/announcements/2019fpkimigration/
# description: On April 22, 2019, the Federal Public Key Infrastructure Management Authority will migrate the hosting of HyperText Transfer Protocol (HTTP) repository services to a cloud-based solution.
# status: Removed
- title: Upcoming Migration of Federal PKI Certificate Repository Services
pubDate: April 1, 2019
url: /implement/announcements/2019fpkimigration/
description: On April 22, 2019, the Federal Public Key Infrastructure Management Authority will migrate the hosting of HyperText Transfer Protocol (HTTP) repository services to a cloud-based solution.
status: Removed

# - title: DigiCert CA Decommissioning
# pubDate: April 1, 2019
# url: /implement/announcements/2019digicert/
# description: DigiCert Incorporated is planning on decommissioning several certification authorities (CAs) from the Federal PKI. These CAs are no longer active or required, and there is no expected impact from these changes.
# status: Removed
- title: DigiCert CA Decommissioning
pubDate: April 1, 2019
url: /implement/announcements/2019digicert/
description: DigiCert Incorporated is planning on decommissioning several certification authorities (CAs) from the Federal PKI. These CAs are no longer active or required, and there is no expected impact from these changes.
status: Removed

# - title: Removal of Health CAs from Federal PKI
# pubDate: March 5, 2019
# url: /implement/announcements/2019removal/
# description: Federal PKI teams recently performed two actions to remove fifty-nine (59) certification authorities (CAs) related to health IT use cases from the Federal PKI trust framework. This change is not a distrust action.
# status: Removed
- title: Removal of Health CAs from Federal PKI
pubDate: March 5, 2019
url: /implement/announcements/2019removal/
description: Federal PKI teams recently performed two actions to remove fifty-nine (59) certification authorities (CAs) related to health IT use cases from the Federal PKI trust framework. This change is not a distrust action.
status: Removed

# - title: Federal Common Policy CA Removal from Apple Trust Stores Impact
# pubDate: September 13, 2018
# url: implement/announcements/2018applepkichanges/
# description: This change will impact government users of Apple iOS, macOS, and tvOS, starting in **September 2018**. This change will cause government users to receive errors when encountering instances of a Federal PKI CA-issued certificate. You can mitigate the impact for government intranets and government-furnished equipment.
# status: Removed
- title: Federal Common Policy CA Removal from Apple Trust Stores Impact
pubDate: September 13, 2018
url: implement/announcements/2018applepkichanges/
description: This change will impact government users of Apple iOS, macOS, and tvOS, starting in **September 2018**. This change will cause government users to receive errors when encountering instances of a Federal PKI CA-issued certificate. You can mitigate the impact for government intranets and government-furnished equipment.
status: Removed

# - title: Chrome Certificate Transparency Requirements
# pubDate: August 10, 2018
# url: /implement/announcements/2018chromect/
# description: As of **July 24, 2018**, Google is now enforcing Certificate Transparency (CT) for Chrome 68 and above. This change could affect your agency. This means that all TLS/SSL certificates issued after **April 30, 2018**, that validate to a publicly trusted Root Certification Authority (CA) certificate must appear in a CT log in order to be trusted by Chrome 68 and above. Users browsing to non-CT compliant, federal intranet websites will encounter connection errors.
# status: Removed
- title: Chrome Certificate Transparency Requirements
pubDate: August 10, 2018
url: /implement/announcements/2018chromect/
description: As of **July 24, 2018**, Google is now enforcing Certificate Transparency (CT) for Chrome 68 and above. This change could affect your agency. This means that all TLS/SSL certificates issued after **April 30, 2018**, that validate to a publicly trusted Root Certification Authority (CA) certificate must appear in a CT log in order to be trusted by Chrome 68 and above. Users browsing to non-CT compliant, federal intranet websites will encounter connection errors.
status: Removed

# - title: Federal Common Policy CA Removal from Microsoft Trust Store Impact
# pubDate: May 18, 2018
# url: /implement/announcements/2018mspkichanges/
# description: This change will cause Windows users to receive errors when encountering instances of a Federal PKI CA-issued certificate. You can mitigate the impact for the government intranets and government-furnished equipment by using configuration management tools for federal devices.
# status: Removed
- title: Federal Common Policy CA Removal from Microsoft Trust Store Impact
pubDate: May 18, 2018
url: /implement/announcements/2018mspkichanges/
description: This change will cause Windows users to receive errors when encountering instances of a Federal PKI CA-issued certificate. You can mitigate the impact for the government intranets and government-furnished equipment by using configuration management tools for federal devices.
status: Removed

# - title: Chrome TLS Certificate Lifetime Requirement
# pubDate: May 10, 2018
# url: /implement/announcements/2018tlslifetime/
# description: Recent changes to Chrome could affect your agency. Chrome users may receive errors when browsing to government intranet websites and applications. Starting **March 1, 2018**, Chrome requires all TLS/SSL certificates to have a maximum lifetime of 825 days. You can mitigate the impact for government intranets, applications, and government-furnished equipment by using these procedures.
# status: Removed
- title: Chrome TLS Certificate Lifetime Requirement
pubDate: May 10, 2018
url: /implement/announcements/2018tlslifetime/
description: Recent changes to Chrome could affect your agency. Chrome users may receive errors when browsing to government intranet websites and applications. Starting **March 1, 2018**, Chrome requires all TLS/SSL certificates to have a maximum lifetime of 825 days. You can mitigate the impact for government intranets, applications, and government-furnished equipment by using these procedures.
status: Removed
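
Review bot: the restored "Federal Common Policy CA Removal from Apple Trust Stores Impact" entry has `url: implement/announcements/2018applepkichanges/` with no leading slash, while every other entry in this hunk uses a root-relative `/implement/...` path; a relative URL resolves against whichever page renders the list, so add the leading `/`. Separately, the revert brings back "New FPKI Tools Available" (May 18, 2021) and "Federal Common Policy CA G2 Update" (October 12, 2020) with `status: Active`, where the commented-out versions carried `Remove` and `Removed`; confirm these two are meant to be listed as active again. The other restored entries are live YAML with `status: Removed`, so whatever consumes this file needs to filter on `status` for them to stay hidden.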
48 changes: 48 additions & 0 deletions _implement/announcements/01_chrome_ballot_193.md
@@ -0,0 +1,48 @@
---
layout: page
title: Chrome TLS Certificate Lifetime Requirement
pubDate: 05/10/2018
archiveDate: 05/09/2019
removeDate: 05/09/2021
collection: implement
tag: Chrome
description: Starting March 1, 2018, Chrome requires all TLS/SSL certificates to have a maximum lifetime of 825 days. You can mitigate the impact for government intranets, applications, and government-furnished equipment by using these procedures.
sidenav: implement
sticky_sidenav: true
category: Removed

subnav:
- text: What Will Be Impacted?
href: '#what-will-be-impacted'
- text: What Other Browsers Enforce This Requirement?
href: '#what-other-browsers-enforce-this-requirement'
- text: What Should I Do?
href: '#what-should-i-do'
- text: Additional Resources
href: '#additional-resources'
---

{% include alert-warning.html content="This announcement has been archived and is hosted solely for historical reference. It is no longer being updated or maintained." %}


Recent changes to Chrome could affect your agency. Chrome now requires that TLS/SSL certificates issued on or after **March 1, 2018**, have a maximum lifetime of 825 days. Google is enforcing this change for Chrome as a result of the Certification Authority/Browser (CA/B) Forum's Ballot 193 to promote increased web security.<sup>[1](#1)</sup>

## What Will Be Impacted?
A government user will receive an "untrusted site" error when browsing to an intranet website or application if all of the following are true:

1. The intranet website's TLS/SSL certificate was issued by a Federal PKI Certification Authority
2. The TLS/SSL certificate was issued on or after March 1, 2018, with a lifetime greater than 825 days
3. Using the Chrome browser

![Chrome Error Screen]({{site.baseurl}}/img/google_ballot193_hot_topic_error.png){:style="width:70%;float:center;"}

## What Other Browsers Enforce This Requirement?
Chrome is the only browser currently enforcing this requirement for TLS/SSL certificates. If other browser vendors decide to enforce this requirement, we will post updates to this announcement. Please also check the [FPKI-Guides' Issues](https://github.com/GSA/fpki-guides/issues){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} for in-progress discussions.

## What Should I Do?
To prevent Chrome browsing errors:
1. Request that your PKI team or Federal Shared Service Provider update the certificate profiles for TLS/SSL device certificates issued by Federal PKI Certification Authorities to require a certificate lifetime of less than 825 days.
2. Re-issue and re-install new TLS/SSL certificates for the impacted intranet websites and applications.

## Additional Resources
<a name="1">1</a>. In March 2017, the [CA/B Forum](https://cabforum.org/){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} passed [Ballot 193](https://cabforum.org/2017/03/17/ballot-193-825-day-certificate-lifetimes/){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}, which introduced the 825-day maximum lifetime requirement.
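
Review bot: step 1 under "What Should I Do?" asks for a certificate lifetime of "less than 825 days", but the intro and the front-matter `description` state a maximum lifetime of 825 days and the impact condition is "greater than 825 days"; reword to "825 days or less" so the guidance matches the stated limit. Also, `float:center` in the image style is not a valid CSS `float` value and has no effect, and the front matter's `pubDate: 05/10/2018` uses a different date format from `pubDate: May 10, 2018` in `_data/fpkiannouncements.yml`.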