Enforce 398-day validity for certificates issued on-or-after 2020-09-01

Enforce publicly trusted TLS server certificates have a
lifetime of 398 days or less, if they are issued on or after
2020-09-01.

Certificates that violate this will be rejected with
ERR_CERT_VALIDITY_TOO_LONG and will be treated as misissued.

Bug: 1097982
Change-Id: I0fdccd93cc9fd0ee1011b37be7b584a8ce6653d9
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2258372Reviewed-by: Eric Roman <eroman@chromium.org>
Commit-Queue: Ryan Sleevi <rsleevi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#781465}

net/BUILD.gn

@@ -1867,6 +1867,9 @@ bundle_data("test_support_bundle_data") {
     "data/ssl/certificates/2048-rsa-ee-by-prime256v1-ecdsa-intermediate.pem",
     "data/ssl/certificates/2048-rsa-intermediate.pem",
     "data/ssl/certificates/2048-rsa-root.pem",
+    "data/ssl/certificates/398_days_1_second_after_2020_09_01.pem",
+    "data/ssl/certificates/398_days_after_2020_09_01.pem",
+    "data/ssl/certificates/399_days_after_2020_09_01.pem",
     "data/ssl/certificates/39_months_after_2015_04.pem",
     "data/ssl/certificates/39_months_based_on_last_day.pem",
     "data/ssl/certificates/40_months_after_2015_04.pem",
@@ -1927,6 +1930,7 @@ bundle_data("test_support_bundle_data") {
     "data/ssl/certificates/crlset_by_leaf_spki.raw",
     "data/ssl/certificates/crlset_by_leaf_subject_no_spki.raw",
     "data/ssl/certificates/crlset_by_root_serial.raw",
+    "data/ssl/certificates/crlset_by_root_spki.raw",
     "data/ssl/certificates/crlset_by_root_subject.raw",
     "data/ssl/certificates/crlset_by_root_subject_no_spki.raw",
     "data/ssl/certificates/crlset_known_interception_by_root.raw",

net/cert/cert_verify_proc.cc

@@ -935,6 +935,9 @@ bool CertVerifyProc::HasTooLongValidity(const X509Certificate& cert) {
       base::Time::UnixEpoch() + base::TimeDelta::FromSeconds(1519862400);
   const base::Time time_2019_07_01 =
       base::Time::UnixEpoch() + base::TimeDelta::FromSeconds(1561939200);
+  // From Chrome Root Certificate Policy
+  const base::Time time_2020_09_01 =
+      base::Time::UnixEpoch() + base::TimeDelta::FromSeconds(1598918400);
 
   // Compute the maximally permissive interpretations, accounting for leap
   // years.
@@ -957,21 +960,27 @@ bool CertVerifyProc::HasTooLongValidity(const X509Certificate& cert) {
     return true;
   }
 
-  // For certificates issued after the BR effective date of 1 July 2012: 60
-  // months.
+  // For certificates issued on-or-after the BR effective date of 1 July 2012:
+  // 60 months.
   if (start >= time_2012_07_01 && validity_duration > kSixtyMonths)
     return true;
 
-  // For certificates issued after 1 April 2015: 39 months.
+  // For certificates issued on-or-after 1 April 2015: 39 months.
   if (start >= time_2015_04_01 && validity_duration > kThirtyNineMonths)
     return true;
 
-  // For certificates issued after 1 March 2018: 825 days.
+  // For certificates issued on-or-after 1 March 2018: 825 days.
   if (start >= time_2018_03_01 &&
       validity_duration > base::TimeDelta::FromDays(825)) {
     return true;
   }
 
+  // For certificates issued on-or-after 1 September 2020: 398 days.
+  if (start >= time_2020_09_01 &&
+      validity_duration > base::TimeDelta::FromDays(398)) {
+    return true;
+  }
+
   return false;
 }
 

net/cert/cert_verify_proc_unittest.cc

@@ -1499,6 +1499,9 @@ TEST(CertVerifyProcTest, TestHasTooLongValidity) {
       {"826_days_after_2018_03_01.pem", true},
       {"825_days_1_second_after_2018_03_01.pem", true},
       {"39_months_based_on_last_day.pem", false},
+      {"398_days_after_2020_09_01.pem", false},
+      {"399_days_after_2020_09_01.pem", true},
+      {"398_days_1_second_after_2020_09_01.pem", true},
   };
 
   base::FilePath certs_dir = GetTestCertsDirectory();

net/data/ssl/certificates/398_days_1_second_after_2020_09_01.pem

+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            ef:2f:0a:6a:75:56:1e:b1:0b:03:50:df:7c:9a:63:bb
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Root CA
+        Validity
+            Not Before: Sep  2 00:00:00 2020 GMT
+            Not After : Oct  5 00:00:01 2021 GMT
+        Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:a0:5a:8e:f1:48:37:d4:3a:96:e6:c1:b5:20:88:
+                    16:f4:a5:80:cb:72:18:0c:db:c0:26:9f:75:8a:c1:
+                    58:3a:a9:9c:05:fe:f4:9c:92:7f:2e:59:ec:97:77:
+                    ca:87:43:0a:05:4a:d3:a6:af:67:f7:c1:9a:f3:7e:
+                    92:86:ed:c9:3e:89:b4:fa:be:c8:a7:6c:b5:02:a0:
+                    b5:02:f1:83:41:18:d6:86:29:c8:b1:be:16:e0:15:
+                    49:2e:bf:d0:a0:65:b9:05:4b:52:f0:be:88:a4:30:
+                    b1:73:f3:aa:69:65:80:99:ad:14:62:13:bc:7b:52:
+                    93:fe:91:4f:8a:b1:4c:d3:52:ac:77:7c:92:02:fc:
+                    34:c7:15:10:a8:70:f1:77:ec:0d:c7:5b:53:df:49:
+                    1f:be:59:a0:93:45:4b:eb:71:c2:ba:8f:0c:43:73:
+                    96:5c:f4:96:bd:ed:cd:8c:18:79:db:18:ef:29:5e:
+                    d9:78:80:c4:92:ec:6b:e1:19:19:83:c3:4e:bb:08:
+                    1c:5d:8e:a4:10:24:48:fe:69:f5:d2:01:ef:a5:59:
+                    ce:de:2f:b4:20:f4:83:b3:ef:e0:e8:af:09:69:dc:
+                    09:70:79:9b:3b:60:f6:6f:32:71:93:7a:29:9a:f3:
+                    e1:54:5f:9c:5a:41:33:2a:f9:29:ec:db:83:45:9d:
+                    4f:59
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                70:97:92:9D:2A:18:0D:AD:5F:DE:86:29:A0:44:DF:0B:3E:41:A4:D5
+            X509v3 Authority Key Identifier: 
+                keyid:9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
+
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication, TLS Web Client Authentication
+            X509v3 Subject Alternative Name: 
+                IP Address:127.0.0.1
+    Signature Algorithm: sha256WithRSAEncryption
+         80:fe:bc:f5:9a:97:cf:a2:26:63:e5:4a:4a:53:71:bc:40:e2:
+         a5:30:21:28:f8:0e:12:b1:00:bc:ab:c8:50:8b:a7:fc:15:ef:
+         3c:57:ef:92:90:ff:89:42:42:34:6d:00:ff:d6:0a:a8:89:0b:
+         c9:cf:fb:15:6a:6c:ab:c0:18:05:68:e5:a1:ef:d4:20:55:0c:
+         4f:84:da:f7:df:29:4a:69:c9:8f:1c:c8:a6:c9:ca:a0:86:bc:
+         c4:4d:96:0f:62:63:4b:ea:85:8d:fa:5a:2b:7e:4e:1f:4a:60:
+         ed:8a:cc:f4:0f:6d:56:2f:ce:18:56:54:c3:1f:09:39:d2:62:
+         63:75:11:3f:70:6f:cc:af:cb:c4:52:c7:1f:19:5f:ce:24:5b:
+         f8:54:c8:25:78:a8:51:eb:f9:26:41:e1:f0:a1:29:ec:fc:8c:
+         aa:ed:2c:fd:49:28:ff:ad:2a:ea:87:83:cf:02:ac:1b:2d:a1:
+         e7:0e:51:59:8f:62:ab:95:f1:b4:f2:9f:62:a7:04:b2:13:a8:
+         ae:41:88:b5:1c:0c:cf:5a:f3:a7:41:d2:9c:88:4d:50:54:14:
+         c3:58:c1:10:93:49:33:21:ff:00:41:0c:71:7e:00:ab:44:35:
+         ea:c1:c4:1c:76:a1:3a:09:21:35:8b:45:13:ba:9a:58:a0:e6:
+         8f:1e:55:94
+-----BEGIN CERTIFICATE-----
+MIIDzzCCAregAwIBAgIRAO8vCmp1Vh6xCwNQ33yaY7swDQYJKoZIhvcNAQELBQAw
+YzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
+dW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExFTATBgNVBAMMDFRlc3QgUm9v
+dCBDQTAeFw0yMDA5MDIwMDAwMDBaFw0yMTEwMDUwMDAwMDFaMGAxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3
+MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCgWo7xSDfUOpbmwbUgiBb0pYDLchgM28Am
+n3WKwVg6qZwF/vSckn8uWeyXd8qHQwoFStOmr2f3wZrzfpKG7ck+ibT6vsinbLUC
+oLUC8YNBGNaGKcixvhbgFUkuv9CgZbkFS1LwvoikMLFz86ppZYCZrRRiE7x7UpP+
+kU+KsUzTUqx3fJIC/DTHFRCocPF37A3HW1PfSR++WaCTRUvrccK6jwxDc5Zc9Ja9
+7c2MGHnbGO8pXtl4gMSS7GvhGRmDw067CBxdjqQQJEj+afXSAe+lWc7eL7Qg9IOz
+7+Dorwlp3AlweZs7YPZvMnGTeima8+FUX5xaQTMq+Sns24NFnU9ZAgMBAAGjgYAw
+fjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRwl5KdKhgNrV/ehimgRN8LPkGk1TAf
+BgNVHSMEGDAWgBSbJguKmKm7HbkfHOMaQDPtjheIqzAdBgNVHSUEFjAUBggrBgEF
+BQcDAQYIKwYBBQUHAwIwDwYDVR0RBAgwBocEfwAAATANBgkqhkiG9w0BAQsFAAOC
+AQEAgP689ZqXz6ImY+VKSlNxvEDipTAhKPgOErEAvKvIUIun/BXvPFfvkpD/iUJC
+NG0A/9YKqIkLyc/7FWpsq8AYBWjloe/UIFUMT4Ta998pSmnJjxzIpsnKoIa8xE2W
+D2JjS+qFjfpaK35OH0pg7YrM9A9tVi/OGFZUwx8JOdJiY3URP3BvzK/LxFLHHxlf
+ziRb+FTIJXioUev5JkHh8KEp7PyMqu0s/Uko/60q6oeDzwKsGy2h5w5RWY9iq5Xx
+tPKfYqcEshOorkGItRwMz1rzp0HSnIhNUFQUw1jBEJNJMyH/AEEMcX4Aq0Q16sHE
+HHahOgkhNYtFE7qaWKDmjx5VlA==
+-----END CERTIFICATE-----

net/data/ssl/certificates/398_days_after_2020_09_01.pem

+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            ef:2f:0a:6a:75:56:1e:b1:0b:03:50:df:7c:9a:63:ba
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Root CA
+        Validity
+            Not Before: Sep  2 00:00:00 2020 GMT
+            Not After : Oct  5 00:00:00 2021 GMT
+        Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:d3:41:3d:2b:88:60:a1:04:75:8f:26:22:b0:55:
+                    52:26:fd:78:db:f4:f8:c4:89:d7:f2:b2:77:85:02:
+                    25:4a:48:08:1d:e0:1c:df:90:29:9a:fa:94:ca:c5:
+                    51:ee:49:72:35:70:e0:40:f8:4f:7f:e3:97:68:9f:
+                    2d:1f:68:b6:1c:e6:29:02:cc:3d:ca:31:3f:e1:a5:
+                    70:30:40:f0:b0:4f:ed:21:5f:17:b8:49:30:bc:aa:
+                    d4:0a:11:d5:85:b6:2d:91:f4:19:f5:1d:29:94:83:
+                    08:ec:fc:03:fc:b1:f1:24:87:35:14:ab:9c:57:ae:
+                    f5:a2:f5:74:24:23:93:2d:aa:10:4d:8b:3d:7f:26:
+                    66:88:3a:a0:a3:7f:d6:e8:35:d5:6f:9c:46:5f:77:
+                    d5:e2:6f:59:cf:d0:ac:d2:09:b1:11:5f:62:83:c7:
+                    f7:57:22:37:20:68:eb:29:ec:da:d2:d9:2a:99:a9:
+                    56:c3:f7:62:89:f2:43:b4:e8:48:4b:ba:af:2e:81:
+                    29:5b:e0:1c:a4:b0:11:f9:8a:38:3e:8a:02:5d:6e:
+                    0a:01:c7:ee:da:db:25:b7:b2:49:ad:b3:63:42:7c:
+                    a6:d3:0d:3c:bb:4b:86:ba:be:45:fc:03:18:2a:8d:
+                    57:81:57:0c:21:14:c3:cb:4c:db:8b:ee:d5:ce:7a:
+                    5c:a7
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                13:0F:2C:60:16:93:D8:1D:23:A3:72:5F:53:88:02:23:C9:2A:6B:CF
+            X509v3 Authority Key Identifier: 
+                keyid:9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
+
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication, TLS Web Client Authentication
+            X509v3 Subject Alternative Name: 
+                IP Address:127.0.0.1
+    Signature Algorithm: sha256WithRSAEncryption
+         bf:48:b6:5d:1e:6e:bb:ff:65:33:c3:39:ab:82:8e:54:b1:ff:
+         b5:58:41:fb:91:27:a5:61:d8:0c:cc:97:62:31:4f:f7:61:a2:
+         91:ba:16:ed:73:08:7f:75:be:b5:6e:50:79:c3:a0:73:1b:4d:
+         a1:85:cc:48:54:5c:27:1e:03:96:a8:1e:65:2e:0f:7c:9d:78:
+         30:84:db:46:ec:48:53:26:b8:8f:ee:89:9c:c9:f2:c1:92:ce:
+         f6:fc:0f:c8:bc:6f:e0:ce:83:a8:85:7d:19:c3:07:f1:31:c0:
+         5f:f9:d0:4c:90:89:59:69:3e:54:69:eb:15:52:3d:9e:b9:71:
+         14:d4:a6:20:e0:d6:de:2b:b7:04:43:85:54:a7:42:d6:ca:00:
+         b4:57:68:93:65:6c:36:90:3f:5c:23:23:e3:7a:62:36:92:8f:
+         e7:37:0e:65:0b:71:fe:72:ed:8c:d3:da:bd:98:66:01:e6:4d:
+         91:11:ab:e5:f1:c8:79:66:8e:27:f9:e0:60:49:fc:86:ed:95:
+         36:9a:15:ca:84:d4:d4:69:1c:c2:d5:c7:30:ac:7e:f1:97:49:
+         ec:8e:39:ab:3c:58:2e:2f:21:13:f8:ee:a5:00:49:ca:88:7a:
+         8b:e7:b9:5d:37:92:5c:b8:8d:8e:27:84:01:1f:14:6c:33:11:
+         4b:cd:9a:e0
+-----BEGIN CERTIFICATE-----
+MIIDzzCCAregAwIBAgIRAO8vCmp1Vh6xCwNQ33yaY7owDQYJKoZIhvcNAQELBQAw
+YzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
+dW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExFTATBgNVBAMMDFRlc3QgUm9v
+dCBDQTAeFw0yMDA5MDIwMDAwMDBaFw0yMTEwMDUwMDAwMDBaMGAxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3
+MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDTQT0riGChBHWPJiKwVVIm/Xjb9PjEidfy
+sneFAiVKSAgd4BzfkCma+pTKxVHuSXI1cOBA+E9/45dony0faLYc5ikCzD3KMT/h
+pXAwQPCwT+0hXxe4STC8qtQKEdWFti2R9Bn1HSmUgwjs/AP8sfEkhzUUq5xXrvWi
+9XQkI5MtqhBNiz1/JmaIOqCjf9boNdVvnEZfd9Xib1nP0KzSCbERX2KDx/dXIjcg
+aOsp7NrS2SqZqVbD92KJ8kO06EhLuq8ugSlb4ByksBH5ijg+igJdbgoBx+7a2yW3
+skmts2NCfKbTDTy7S4a6vkX8AxgqjVeBVwwhFMPLTNuL7tXOelynAgMBAAGjgYAw
+fjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQTDyxgFpPYHSOjcl9TiAIjySprzzAf
+BgNVHSMEGDAWgBSbJguKmKm7HbkfHOMaQDPtjheIqzAdBgNVHSUEFjAUBggrBgEF
+BQcDAQYIKwYBBQUHAwIwDwYDVR0RBAgwBocEfwAAATANBgkqhkiG9w0BAQsFAAOC
+AQEAv0i2XR5uu/9lM8M5q4KOVLH/tVhB+5EnpWHYDMyXYjFP92GikboW7XMIf3W+
+tW5QecOgcxtNoYXMSFRcJx4DlqgeZS4PfJ14MITbRuxIUya4j+6JnMnywZLO9vwP
+yLxv4M6DqIV9GcMH8THAX/nQTJCJWWk+VGnrFVI9nrlxFNSmIODW3iu3BEOFVKdC
+1soAtFdok2VsNpA/XCMj43piNpKP5zcOZQtx/nLtjNPavZhmAeZNkRGr5fHIeWaO
+J/ngYEn8hu2VNpoVyoTU1GkcwtXHMKx+8ZdJ7I45qzxYLi8hE/jupQBJyoh6i+e5
+XTeSXLiNjieEAR8UbDMRS82a4A==
+-----END CERTIFICATE-----

net/data/ssl/certificates/399_days_after_2020_09_01.pem

+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            ef:2f:0a:6a:75:56:1e:b1:0b:03:50:df:7c:9a:63:b9
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Root CA
+        Validity
+            Not Before: Sep  2 00:00:00 2020 GMT
+            Not After : Oct  6 00:00:00 2021 GMT
+        Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:c5:26:15:5a:01:bc:a6:ca:fe:e3:aa:f1:02:b3:
+                    0d:f9:2f:0c:53:18:0b:b2:e1:8e:3b:e4:eb:bf:ff:
+                    d3:90:40:7f:3c:f2:9c:c7:4d:c0:e5:7f:b2:8d:79:
+                    e8:d9:c6:79:f4:2b:29:40:a7:5d:27:52:b7:d0:ed:
+                    b6:aa:21:32:fd:57:27:6a:30:bb:bc:11:46:38:83:
+                    5c:f4:ec:db:6c:99:29:5d:38:e0:41:e3:ae:fe:81:
+                    5c:1e:53:51:95:55:e9:e6:e3:e6:20:52:40:c5:c7:
+                    c7:18:96:08:96:66:fb:a6:3b:8a:8a:c1:b6:88:c9:
+                    90:1b:42:fd:b2:1d:68:10:8f:f9:4e:94:df:31:4c:
+                    36:b9:70:ff:82:7c:5a:84:9e:51:91:1e:8d:e7:23:
+                    3a:7a:a3:65:6d:f8:b7:0a:87:1e:a5:78:04:2c:a8:
+                    1c:f7:ed:a8:fd:f4:36:52:97:6c:f1:de:59:66:6e:
+                    97:52:30:c8:60:59:ed:1a:5a:51:23:bc:83:9e:72:
+                    b1:50:35:cd:a6:66:bf:ef:07:d4:f0:f4:ef:38:e5:
+                    0d:5d:d4:74:51:ca:5c:96:2f:e4:24:59:61:f6:cd:
+                    ac:f9:1b:bd:62:2b:f3:7d:3e:db:6d:04:49:a4:e1:
+                    c1:72:59:3c:95:49:36:87:ba:57:ac:de:cd:f6:90:
+                    49:09
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                1A:11:83:6D:87:2A:09:79:38:65:B2:89:81:B1:F5:26:46:33:82:62
+            X509v3 Authority Key Identifier: 
+                keyid:9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
+
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication, TLS Web Client Authentication
+            X509v3 Subject Alternative Name: 
+                IP Address:127.0.0.1
+    Signature Algorithm: sha256WithRSAEncryption
+         15:c0:67:79:e4:03:8d:38:8b:ca:57:ff:1e:fd:d6:2b:1e:0e:
+         ed:9d:6a:c7:16:53:36:f7:ce:eb:8d:36:79:a1:b6:59:d8:d0:
+         bb:35:96:53:57:59:ad:91:39:f9:70:36:ac:37:9f:75:40:a3:
+         3b:be:59:ed:32:4e:c4:a7:a9:3b:79:4d:8c:0c:3d:ba:6f:98:
+         3e:3a:ff:28:19:fd:a2:d2:12:41:75:4a:1f:b0:22:0b:51:28:
+         4d:9e:bd:e9:f3:67:b3:11:ef:9b:01:cb:c1:01:b1:6b:71:d2:
+         68:a7:29:33:41:9a:3f:7b:ae:45:67:8f:a8:97:65:21:85:93:
+         b9:db:1b:46:bd:c9:46:23:71:27:1b:9a:aa:58:b7:7b:a1:2d:
+         8c:27:65:75:9b:be:56:c5:bb:50:0c:62:ce:93:47:90:aa:db:
+         47:c4:80:c5:43:f7:89:6b:b0:ea:a1:91:d5:2f:89:f8:d7:05:
+         56:60:18:3c:c1:4a:bf:93:df:76:0a:ff:9f:b5:30:da:10:1a:
+         15:94:f0:5a:82:11:ef:26:27:1c:50:1d:8b:c6:19:01:e4:01:
+         48:22:c0:b9:97:12:58:4b:f1:61:7d:a9:69:d8:70:83:54:af:
+         39:9e:fc:9b:17:f5:b1:69:cd:3e:b5:ba:13:df:e6:fd:71:9d:
+         d2:ef:95:1c
+-----BEGIN CERTIFICATE-----
+MIIDzzCCAregAwIBAgIRAO8vCmp1Vh6xCwNQ33yaY7kwDQYJKoZIhvcNAQELBQAw
+YzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
+dW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExFTATBgNVBAMMDFRlc3QgUm9v
+dCBDQTAeFw0yMDA5MDIwMDAwMDBaFw0yMTEwMDYwMDAwMDBaMGAxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3
+MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDFJhVaAbymyv7jqvECsw35LwxTGAuy4Y47
+5Ou//9OQQH888pzHTcDlf7KNeejZxnn0KylAp10nUrfQ7baqITL9VydqMLu8EUY4
+g1z07NtsmSldOOBB467+gVweU1GVVenm4+YgUkDFx8cYlgiWZvumO4qKwbaIyZAb
+Qv2yHWgQj/lOlN8xTDa5cP+CfFqEnlGRHo3nIzp6o2Vt+LcKhx6leAQsqBz37aj9
+9DZSl2zx3llmbpdSMMhgWe0aWlEjvIOecrFQNc2mZr/vB9Tw9O845Q1d1HRRylyW
+L+QkWWH2zaz5G71iK/N9PtttBEmk4cFyWTyVSTaHules3s32kEkJAgMBAAGjgYAw
+fjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQaEYNthyoJeThlsomBsfUmRjOCYjAf
+BgNVHSMEGDAWgBSbJguKmKm7HbkfHOMaQDPtjheIqzAdBgNVHSUEFjAUBggrBgEF
+BQcDAQYIKwYBBQUHAwIwDwYDVR0RBAgwBocEfwAAATANBgkqhkiG9w0BAQsFAAOC
+AQEAFcBneeQDjTiLylf/Hv3WKx4O7Z1qxxZTNvfO6402eaG2WdjQuzWWU1dZrZE5
++XA2rDefdUCjO75Z7TJOxKepO3lNjAw9um+YPjr/KBn9otISQXVKH7AiC1EoTZ69
+6fNnsxHvmwHLwQGxa3HSaKcpM0GaP3uuRWePqJdlIYWTudsbRr3JRiNxJxuaqli3
+e6EtjCdldZu+VsW7UAxizpNHkKrbR8SAxUP3iWuw6qGR1S+J+NcFVmAYPMFKv5Pf
+dgr/n7Uw2hAaFZTwWoIR7yYnHFAdi8YZAeQBSCLAuZcSWEvxYX2padhwg1SvOZ78
+mxf1sWnNPrW6E9/m/XGd0u+VHA==
+-----END CERTIFICATE-----

net/data/ssl/scripts/generate-test-certs.sh

@@ -16,7 +16,7 @@ set -e -x
 # The current built-in verifier max lifetime is 39 months
 # The current OS verifier max lifetime is 825 days, which comes from
 #   iOS 13/macOS 10.15 - https://support.apple.com/en-us/HT210176
-# 731 is used here as just a short-hand for 2 years
+# 730 is used here as just a short-hand for 2 years
 CERT_LIFETIME=730
 
 rm -rf out
@@ -461,6 +461,44 @@ CA_NAME="req_ca_dn" \
     -out ../certificates/pre_june_2016.pem \
     -config ca.cnf
 
+# Issued after 2020-09-01, lifetime == 399 days (bad)
+openssl req -config ../scripts/ee.cnf \
+  -newkey rsa:2048 -text -out out/399_days_after_2020_09_01.req
+CA_NAME="req_ca_dn" \
+  openssl ca \
+    -batch \
+    -extensions user_cert \
+    -startdate 200902000000Z \
+    -enddate   211006000000Z \
+    -in out/399_days_after_2020_09_01.req \
+    -out ../certificates/399_days_after_2020_09_01.pem \
+    -config ca.cnf
+# Issued after 2020-09-01, lifetime == 398 days (good)
+openssl req -config ../scripts/ee.cnf \
+  -newkey rsa:2048 -text -out out/398_days_after_2020_09_01.req
+CA_NAME="req_ca_dn" \
+  openssl ca \
+    -batch \
+    -extensions user_cert \
+    -startdate 200902000000Z \
+    -enddate   211005000000Z \
+    -in out/398_days_after_2020_09_01.req \
+    -out ../certificates/398_days_after_2020_09_01.pem \
+    -config ca.cnf
+# Issued after 2020-09-01, lifetime == 825 days and one second (bad)
+openssl req -config ../scripts/ee.cnf \
+  -newkey rsa:2048 -text -out out/398_days_1_second_after_2020_09_01.req
+CA_NAME="req_ca_dn" \
+  openssl ca \
+    -batch \
+    -extensions user_cert \
+    -startdate 200902000000Z \
+    -enddate   211005000001Z \
+    -in out/398_days_1_second_after_2020_09_01.req \
+    -out ../certificates/398_days_1_second_after_2020_09_01.pem \
+    -config ca.cnf
+
+
 # Issued after 1 June 2016 (Symantec CT Enforcement Date)
 openssl req -config ../scripts/ee.cnf \
   -newkey rsa:2048 -text -out out/post_june_2016.req