The lifespan of SSL certificates has always been a hot topic. Initially set at 5 years for Domain Validation and Business Validation certificates, the SSL validity was first reduced to 4 years during the migration from the SHA-1 to the SHA-256 hash algorithm. Then, in 2015, it was capped at three years, and finally, in 2018, reduced to merely 27 months. Now, SSL certificate validity has come into the spotlight again.
At a recent CA/Browser Forum meeting, Apple unilaterally announced that starting September 1, its Safari browser will no longer trust SSL/TLS certificates with a validity of more than 398 days. The change affects public leaf certificates only; other certificate types, including intermediates, remain unaffected.
Apple’s decision to reduce certificate validity didn’t take the SSL industry by surprise. The transition to shorter validity certificates has been coming for some time, with Google also advocating for the change. In August 2019, Google introduced CA/B Forum Ballot SC22, the first official attempt to shorten the lifespan of SSL/TLS certificates to one year.
The CAs examined the proposal with their customers, but, after continuous deliberation, the ballot didn’t pass. Most users opposed the shorter validity due to the extra configuration work required of IT teams.
The failed ballot didn’t stop Apple from taking matters into its own hands and enforcing the new one-year SSL/TLS validity. In an official update on its website, Apple cited its “ongoing efforts to improve web security for our users” as the reason behind the shorter certificate life cycle. One-year SSL certs further reduce the window of exposure to cyber-attacks by ensuring that new keys are generated regularly.
While Apple’s Safari is the first browser to limit the SSL certs’ validity to one year, the likes of Google and Firefox will soon follow suit. With a 17.7% market share, Safari is the second most popular browser, behind only Chrome.
Apple’s new one-year SSL Certificate validity at a glance
Here’s what you should know about the upcoming, shorter SSL/TLS lifespan:
- SSL/TLS certificates issued on or after September 1, 2020, 00:00 GMT/UTC must not have a validity period greater than 398 days to work on Safari.
- All SSL certificates issued before September 1, 2020 are not affected by this change. They will remain valid for their full lifetimes (2 or 3 years).
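The two rules above can be checked mechanically across a certificate inventory. The following Python code is an added example, not Apple's or any CA's code; it assumes certificates in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`, measures validity as notAfter minus notBefore, and uses constructed hostnames and dates.

```python
import ssl
from datetime import datetime, timezone

# Values stated on this page: the limit applies to certificates issued on or
# after September 1, 2020, 00:00 GMT/UTC, and caps validity at 398 days.
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)
MAX_LIFETIME_SECONDS = 398 * 86400


def parse_cert_time(value):
    """Parse an OpenSSL-style time such as 'Sep  1 00:00:00 2020 GMT'."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def check_validity(cert):
    """Classify one certificate dict (notBefore/notAfter keys)."""
    not_before = parse_cert_time(cert["notBefore"])
    not_after = parse_cert_time(cert["notAfter"])
    # Assumption: validity is measured as notAfter minus notBefore.
    lifetime = (not_after - not_before).total_seconds()
    if lifetime <= 0:
        return "invalid-dates"
    if not_before < CUTOFF:
        return "exempt"  # issued before the cutoff, keeps its full lifetime
    return "too-long" if lifetime > MAX_LIFETIME_SECONDS else "ok"


def audit(inventory):
    """Return the hostnames whose certificates need reissuing, sorted."""
    bad = ("too-long", "invalid-dates")
    return sorted(h for h, c in inventory.items() if check_validity(c) in bad)


# Constructed sample inventory (hypothetical hosts and dates).
SAMPLE_INVENTORY = {
    "legacy.example.com": {"notBefore": "Aug 31 23:59:59 2020 GMT", "notAfter": "Nov 30 23:59:59 2022 GMT"},
    "shop.example.com": {"notBefore": "Sep  1 00:00:00 2020 GMT", "notAfter": "Oct  4 00:00:00 2021 GMT"},
    "api.example.com": {"notBefore": "Sep  1 00:00:00 2020 GMT", "notAfter": "Oct  5 00:00:00 2021 GMT"},
    "blog.example.com": {"notBefore": "Sep 15 12:00:00 2020 GMT", "notAfter": "Sep 15 12:00:00 2022 GMT"},
}

if __name__ == "__main__":
    for host, cert in SAMPLE_INVENTORY.items():
        print(f"{host}: {check_validity(cert)}")
    print("reissue:", audit(SAMPLE_INVENTORY))
```

The boundary cases matter here: a certificate issued one second before the cutoff is exempt regardless of length, and one issued at the cutoff passes at exactly 398 days but fails at 399.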
What should website owners do?
The calculations are simple. All certs bought after September 1 will last you a single year. If you’re a large organization, you’ll need to streamline your certificate management practices and use automation solutions for renewals. For individuals, any certificates issued after September 1 will need to be renewed every year to remain trusted by Safari.
With several months remaining until the one-year SSL certificate validity takes effect, now is the perfect time to get an SSL certificate with a 2 or 3-year duration. Likewise, if your SSL certificate expires in less than a year, consider renewing it for another 2 or 3 years before September 1 to benefit from a longer validity.