Starting today, the lifespan of new TLS certificates will be limited to 398 days, a little over a year, from the previous maximum certificate lifetime of 27 months (825 days).
In a move that’s meant to boost security, Apple, Google, and Mozilla are set to reject publicly rooted digital certificates in their respective web browsers that expire more than 13 months (or 398 days) from their creation date.
The lifespan of SSL/TLS certificates has shrunk significantly over the last decade. In 2011, the Certification Authority Browser Forum (CA/Browser Forum), a consortium of certification authorities and vendors of browser software, imposed a limit of five years, bringing down the certificate validity period from 8-10 years.
Subsequently, in 2015, it was cut short to three years and to two years again in 2018.
Although the proposal to reduce certificate lifetimes to one year was shot down in a ballot last September, the measure has been overwhelmingly supported by the browser makers such as Apple, Google, Microsoft, Mozilla, and Opera.
Then in February this year, Apple became the first company to announce that it intends to reject new TLS certificates issued on or after September 1 that have a validity of more than 398 days. Since then, both Google and Mozilla have followed suit to enforce similar 398-day limits.
Certificates issued before the enforcement date won’t be impacted, neither those that have been issued from user-added or administrator-added Root certificate authorities (CAs).
“Connections to TLS servers violating these new requirements will fail,” Apple explained in a support document. “This might cause network and app failures and prevent websites from loading.”
For its part, Google intends to reject certificates that violate the validity clause with the error “ERR_CERT_VALIDITY_TOO_LONG” and treat them as misissued.
To avoid unintended consequences, Apple recommends that certificates be issued with a maximum validity of 397 days.
Why Shortent Certificate Lifespan?
Capping certificate lifetimes improve website security because it reduces the period in which compromised or bogus certificates can be exploited to mount phishing and malware attacks.
That’s not all. Mobile versions of Chrome and Firefox do not proactively check for certificate status due to performance constraints, causing websites with revoked certificates to load without giving any warning to the user.
For developers and site owners, the development is a good time to implement certificate automation using tools such as Let’s Encrypt and EFF’s CertBot, which offer an easy way to set up, issue, renew, and replace SSL certificates without manual intervention.
“Expired certificates continue to be a massive problem, costing companies millions of dollars due to outages every year,” said Chris Hickman, the chief security officer at Keyfactor. “On top of that, more frequent expired certificate warnings may result in web visitors becoming more comfortable bypassing the security warnings and error messages.”
“However, certificate subscribers frequently forget how or when to replace certificates, causing service outages from unexpected expiration […] leaving them ill-equipped to manage these new shorter life certificates at scale.”