Apple's 398-day limit exempts private CAs. Most people stopped reading there.

There's a second Apple requirement: all TLS certs, 825 days max. Safari silently rejects anything longer. No bypass, no details.

https://www.certkit.io/blog/apple-doesnt-care-who-signed-your-certificate

#PrivatePKI #PKI

Apple doesn't care who signed your certificate

Running a private CA to escape the public cert treadmill makes sense. Apple still enforces an 825-day validity limit in Safari on every TLS certificate, no matter who issued it.

CertKit SSL Certificate Management
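An added example (not from the post or from CertKit) for auditing certificates against the two limits named above: it reads the `notBefore=`/`notAfter=` lines printed by `openssl x509 -noout -dates` and flags lifetimes over 825 days for any issuer, and over 398 days for publicly trusted issuers. The function names, the sample dates and the choice to count a day as 86,400 seconds are assumptions of this example.

```python
import ssl

DAY = 86_400            # assumption: a "day" is counted as 86,400 seconds
LIMIT_ALL_TLS = 825     # per the post: every TLS certificate, any issuer
LIMIT_PUBLIC_CA = 398   # per the post: private CAs are exempt from this one


def parse_dates(openssl_output):
    """Return (notBefore, notAfter) in epoch seconds from
    `openssl x509 -noout -dates` text."""
    fields = {}
    for line in openssl_output.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            # Locale-independent, unlike strptime("%b ...").
            fields[key] = ssl.cert_time_to_seconds(value.strip())
    if len(fields) != 2:
        raise ValueError("need both notBefore= and notAfter= lines")
    if fields["notAfter"] <= fields["notBefore"]:
        raise ValueError("notAfter is not later than notBefore")
    return fields["notBefore"], fields["notAfter"]


def audit(openssl_output, private_ca):
    """Return (lifetime_seconds, verdict) for one certificate."""
    not_before, not_after = parse_dates(openssl_output)
    lifetime = not_after - not_before
    if lifetime > LIMIT_ALL_TLS * DAY:
        # Applies regardless of who issued the certificate.
        return lifetime, "exceeds 825 days"
    if not private_ca and lifetime > LIMIT_PUBLIC_CA * DAY:
        return lifetime, "exceeds 398 days"
    return lifetime, "ok"


# Constructed sample inputs (not real certificates).
THREE_YEAR = "notBefore=Jan  1 00:00:00 2024 GMT\nnotAfter=Jan  1 00:00:00 2027 GMT\n"
TWO_YEAR = "notBefore=Jan  1 00:00:00 2024 GMT\nnotAfter=Jan  1 00:00:00 2026 GMT\n"
EXACTLY_825 = "notBefore=Jan  1 00:00:00 2024 GMT\nnotAfter=Apr  5 00:00:00 2026 GMT\n"

if __name__ == "__main__":
    for name, sample in [("3y", THREE_YEAR), ("2y", TWO_YEAR), ("825d", EXACTLY_825)]:
        seconds, verdict = audit(sample, private_ca=True)
        print(f"{name}: {seconds / DAY:.2f} days, private CA -> {verdict}")
```
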