I tried posting in the Help section but the message template required lots of things I don't have. I'll try here instead.
When installing the root certificates on iOS 16 using the linked self-signed pem files on the /certificates page, iOS shows different expiry dates compared to those listed in the "Validity" field on the page.
Since I'm not very knowledgeable about certificates I'm assuming that I'm misinterpreting what I'm seeing and wondering how I should think about this? My initial reaction was "that's not expected".
"Förfaller" means "expires" in the following images:
Welcome to the Let's Encrypt Community, @Dalaheistar!
I edited your post to show your screenshots.
Note that Root CAs don’t have expiration dates in quite the same way that other certificates do. Although their self-signed certificates do contain a notAfter date, Root Programs and Trust Stores may decide to trust a Root CA beyond that date, or terminate trust in it before that date. As such, the end-of-validity dates given below are approximate, based on current Root Program policies.
Thanks for the quoted section @griffin, and thanks for the welcome!
I'm aware it looks a bit weird that the answer appears to be in the paragraph immediately above my screenshot-quote, so I thought I'd at least mention that I did read that paragraph. However, I was under the impression that what iOS presented me with was not "this is some number we just made up" but instead that they presented me with "this is what the file actually contains that you just selected", which, from my perspective, is what's actually useful when deciding whether to install or not install (i.e. when I'm trying to confirm that no mistakes were made).
I guess that the question that Apple is practically asking here, i.e. "Hey there! Here's an arbitrary value -- does it look correct to you?", seemed quite nonsensical, and I did not assume it. Now I've learned to dismiss the validity/expiration field when trying to confirm that I've selected the correct certificate. Thanks!
You're not the first person to be concerned by the phrasing on that page. I think it might be helpful if the page specifically called out the notAfter date embedded in the self-signed certificates, as well as the expected end-of-validity for root programs.
Judging from what has been said so far I conclude that I also misunderstood which value was the arbitrary one, and that Apple actually presented me with the value present in the file (?). My mind was so set on the idea that the Let's Encrypt page was simply listing the concrete facts about the certificate (and that Apple was providing the unpredictable "Root Programs and Trust Stores") that I missed the meaning of the words "the end-of-validity dates given below are approximate" even after reading them several times. In my head, the third parties were always supposed to be the approximate ones! (I read the words as: "the dates below are exact, but approximate in relation to dates presented in other programs")
Expectations can really turn you (me) blind.
Please tell me I didn't get it wrong again.
Anyway, I think that page in general did an unusually good job of explaining things clearly to me, including diagrams, test pages and everything else, and with useful and straightforward download links. It was just this one thing that confused me.
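For readers who want to see the notAfter date stored inside a self-signed PEM file, as opposed to an approximate end-of-validity date, here is an added example that is not part of the thread and not Let's Encrypt's code. It walks the DER structure with the Python standard library only and also returns the file's SHA-256 fingerprint; the function names and the sample are hypothetical, and the sample is a constructed certificate-shaped skeleton, not a real root.

```python
import base64
import hashlib
from datetime import datetime, timezone

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    """List the (tag, start, end) triples of the elements inside a constructed value."""
    out = []
    while start < end:
        out.append(read_tlv(buf, start))
        start = out[-1][2]
    return out

def parse_time(tag, raw):
    """UTCTime (0x17) carries a 2-digit year, GeneralizedTime (0x18) a 4-digit one."""
    text = raw.decode("ascii")
    if tag == 0x17:                         # RFC 5280: YY >= 50 means 19YY, otherwise 20YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def inspect_pem(pem):
    """Return (sha256 fingerprint, notBefore, notAfter) exactly as stored in the file."""
    b64 = "".join(ln for ln in pem.strip().splitlines() if not ln.startswith("-----"))
    der = base64.b64decode(b64)
    _, s, e = read_tlv(der, 0)              # Certificate SEQUENCE
    _, s, e = children(der, s, e)[0]        # tbsCertificate
    fields = children(der, s, e)
    validity = fields[4 if fields[0][0] == 0xA0 else 3]   # skip optional [0] version
    (t1, a1, b1), (t2, a2, b2) = children(der, validity[1], validity[2])
    return hashlib.sha256(der).hexdigest(), parse_time(t1, der[a1:b1]), parse_time(t2, der[a2:b2])

# Constructed sample: a minimal certificate-shaped DER skeleton (not a real CA certificate).
def tlv(tag, body):
    return bytes([tag, len(body)]) + body   # short-form lengths only; enough for the sample
SAMPLE_DER = tlv(0x30, tlv(0x30,
    tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"") + tlv(0x30, b"")
    + tlv(0x30, tlv(0x17, b"200101000000Z") + tlv(0x18, b"20500101000000Z"))
    + tlv(0x30, b"")) + tlv(0x30, b"") + tlv(0x03, b"\x00"))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(*inspect_pem(SAMPLE_PEM), sep="\n")
```

Passing the text of a downloaded PEM file to `inspect_pem` gives the dates the file itself carries, and the fingerprint is the value to compare when confirming that the intended certificate was selected, since it does not depend on any trust store's policy.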