How Long Should a Self-Signed Certificate Be Valid?
Why 398 days is the public-CA ceiling, why self-signed certs aren't bound by it, and what validity period you should actually pick.
When generating a self-signed cert, you set how long it's valid. Different tools default to different values: openssl req -x509 defaults to 30 days, Let's Encrypt issues for 90 days, and enterprise CAs used to issue for 10+ years. Here's how to think about it.
The 398-day browser limit
Since September 2020, Apple, Chrome, and Mozilla have rejected publicly-trusted TLS certificates with a validity period longer than 398 days. Apple announced the cut first, the other root programs followed, and the CA/Browser Forum then wrote it into the Baseline Requirements. The point is faster rotation: a shorter lifetime caps how long a compromised key or a mis-issued certificate stays usable, and it forces the ecosystem to pick up new requirements in months instead of waiting years for old certs to age out. The ceiling is still coming down: a 2025 CA/Browser Forum ballot phases the maximum down to 200 days in 2026, 100 days in 2027, and 47 days in 2029.
This limit applies to certificates chained to a root in the browsers' own trust stores, in other words Let's Encrypt, DigiCert, Sectigo, etc. It does not apply to certificates in a private trust chain, like self-signed certs or your own internal CA: browsers skip the lifetime check for roots installed locally or pushed by enterprise policy.
Self-signed certs can be any duration
Technically, you could issue a self-signed cert valid for 100 years; the only thing that changes is that dates from 2050 onward are encoded as GeneralizedTime instead of UTCTime, which any current tooling handles. The browser limit only kicks in for publicly-trusted chains, and no root program stands behind a self-signed cert. For dev and internal use, the duration you pick is entirely a tradeoff:
- Too short — you're constantly regenerating and reinstalling.
- Too long — if the private key leaks, the blast radius is huge. A self-signed cert has no CRL or OCSP behind it, so the expiry date is the only thing that ever retires it.
Practical defaults
Local development on your laptop: 1–5 years
Set it and forget it. The private key sits on your development machine and rarely leaves it.
Internal tools / internal CA: 90 days to 1 year
Short enough to build rotation hygiene, long enough that you're not rotating weekly.
CI/CD or ephemeral test environments: 30–90 days
Matches the rotation cadence of the infrastructure it lives on.
Certificate authority root (your own internal CA): 10–20 years
Rotating a root is painful: every client that trusts it has to be updated. Pick a long duration, keep the root key offline or in an HSM/vault, and issue short-lived leaf certs from it so the root key is rarely touched.
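To make the long-root, short-leaf split concrete, here is an added example (not code from the original page) that builds a two-tier internal CA with a 10-year root and a 1-year leaf, then uses openssl verify -attime to show how the chain validates today and after the leaf has expired. It assumes openssl 1.1.1 or newer on PATH; the directory layout, the CN values and the host name are made up.

```shell
#!/bin/sh
# Added example, not from the original page: long-lived internal root,
# short-lived leaf, and a check of chain validity at different instants.
# Assumes openssl 1.1.1+ on PATH. Names and paths are made-up placeholders.
set -eu

ROOT_DAYS=3650   # ~10 years: rotating a root is painful, so it lives long
LEAF_DAYS=365    # 1 year: the leaf key sits on a server, so it lives short

# make_internal_ca DIR -> writes root.key/root.pem and leaf.key/leaf.pem in DIR
make_internal_ca() {
    dir=$1
    mkdir -p "$dir"
    # Root: self-signed, long lifetime. Keep root.key offline or in a vault.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -days "$ROOT_DAYS" -subj "/CN=Example Internal Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    # Leaf: a CSR for the service, signed by the root with a short lifetime.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=internal.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    printf 'subjectAltName=DNS:internal.example.test\nbasicConstraints=CA:FALSE\n' \
        > "$dir/leaf.ext"
    openssl x509 -req -in "$dir/leaf.csr" \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -days "$LEAF_DAYS" -sha256 -extfile "$dir/leaf.ext" \
        -out "$dir/leaf.pem" 2>/dev/null
    chmod 600 "$dir/root.key" "$dir/leaf.key"
}

# chain_valid_at DIR EPOCH -> 0 if root.pem validates leaf.pem at that instant.
# -attime makes openssl evaluate notBefore/notAfter against EPOCH instead of now.
chain_valid_at() {
    openssl verify -attime "$2" -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Usage: build the CA in a temp dir and probe the chain now and 400 days out.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_internal_ca "$d"
    now=$(date +%s)
    chain_valid_at "$d" "$now" && echo "chain valid today"
    chain_valid_at "$d" $((now + 400 * 86400)) || echo "leaf expired after 400 days, root still has years left"
fi
```

The leaf expiring on schedule is the whole point: if the server key leaks in year 3, the window closes at the next leaf expiry rather than at the root's, and the root key never had to leave the vault to issue the replacement.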
What browsers will accept from self-signed sources
A self-signed cert valid for 10 years is technically fine. But if a user decides to "trust" a 10-year cert in their OS, they're granting that cert authority for 10 years, and because nothing publishes revocation for a self-signed cert, nothing short of each user removing it can take that authority back early. Consider what happens if the server holding the private key is compromised in year 3: whoever has the key can impersonate that host, to every machine that trusted the cert, for the remaining 7 years.
For maximum safety, 1 year is a good ceiling. Renew annually with a script.
Reading the validity period of an existing cert
Use our PEM decoder, or:
openssl x509 -in cert.pem -noout -dates
Output:
notBefore=Apr  1 12:00:00 2026 GMT
notAfter=Apr  1 12:00:00 2027 GMT
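The "renew annually with a script" advice above and the date check here fit together in one short script. The following is an added example (not code from the original page): it issues a self-signed cert with an explicit lifetime, uses openssl x509 -checkend to decide whether it is close enough to expiry to regenerate, and prints the -dates output after each run. It assumes openssl on PATH; the 365-day lifetime, the 30-day renewal window, the host name and the directory are made-up defaults you can override through the environment.

```shell
#!/bin/sh
# Added example, not from the original page: issue a self-signed cert with a
# chosen lifetime and renew it only when it is close to expiry.
# Assumes openssl on PATH. Defaults below are made up; override via environment.
set -eu

CERT_DAYS=${CERT_DAYS:-365}             # 1-year ceiling, as recommended above
RENEW_WITHIN=${RENEW_WITHIN:-2592000}   # regenerate when < 30 days (seconds) remain
HOST=${HOST:-localhost}

# cert_needs_renewal CERT -> 0 if CERT is missing, expired, or expires within RENEW_WITHIN
cert_needs_renewal() {
    [ -f "$1" ] || return 0
    # -checkend exits 0 if the cert will still be valid N seconds from now, 1 if not
    if openssl x509 -in "$1" -noout -checkend "$RENEW_WITHIN" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# issue_self_signed DIR -> writes DIR/key.pem and DIR/cert.pem valid for CERT_DAYS
issue_self_signed() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -days "$CERT_DAYS" -subj "/CN=$HOST" \
        -addext "subjectAltName=DNS:$HOST" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    chmod 600 "$1/key.pem"   # the key never needs to be readable by anyone else
}

# ensure_cert DIR -> leaves a fresh cert in DIR, renewing only when needed,
# and prints its validity window the same way "openssl x509 -dates" does
ensure_cert() {
    if cert_needs_renewal "$1/cert.pem"; then
        issue_self_signed "$1"
        echo "issued new cert valid for $CERT_DAYS days"
    else
        echo "cert still valid, nothing to do"
    fi
    openssl x509 -in "$1/cert.pem" -noout -dates
}

# cert_fingerprint CERT -> SHA-256 fingerprint, useful to see whether a run replaced it
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Usage: run from cron once a day; it only does work inside the renewal window.
if [ "${1:-}" = "run" ]; then
    ensure_cert "${2:-./tls}"
fi
```

Running this daily from cron gives you the rotation hygiene the defaults above are aiming for: the cert is always at most CERT_DAYS old, a renewal never sneaks up on you, and any server that picks the new file up on reload keeps working without anyone touching it.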