diff --git a/cert.go b/cert.go
index 4ce36ccf..4b763360 100644
--- a/cert.go
+++ b/cert.go
@@ -56,10 +56,10 @@ func (m *mkcert) makeCert(hosts []string) {
 	fatalIfErr(err, "failed to generate certificate key")
 	pub := priv.(crypto.Signer).Public()
 
-	// Certificates last for 2 years and 3 months, which is always less than
-	// 825 days, the limit that macOS/iOS apply to all certificates,
-	// including custom roots. See https://support.apple.com/en-us/HT210176.
-	expiration := time.Now().AddDate(2, 3, 0)
+	// Certificates last for 1 year and 1 month, which is always less than
+	// 398 days, the limit will be effective after March 15 2026.
+	// See https://github.com/cabforum/servercert/blob/main/docs/BR.md#421-performing-identification-and-authentication-functions.
+	expiration := time.Now().AddDate(1, 1, 0)
 
 	tpl := &x509.Certificate{
 		SerialNumber: randomSerialNumber(),
@@ -225,7 +225,7 @@ func (m *mkcert) makeCertFromCSR() {
 	fatalIfErr(err, "failed to parse the CSR")
 	fatalIfErr(csr.CheckSignature(), "invalid CSR signature")
 
-	expiration := time.Now().AddDate(2, 3, 0)
+	expiration := time.Now().AddDate(1, 1, 0)
 	tpl := &x509.Certificate{
 		SerialNumber:    randomSerialNumber(),
 		Subject:         csr.Subject,