The maximum lifespan of new TLS/SSL certificates has been cut to 398 days, just a little over a year, and the change takes effect today. The previous maximum lifetime was 825 days, about 27 months. This move is meant to improve security.
Apple, Google, and Mozilla are now rejecting, in their respective web browsers, publicly rooted digital certificates that are valid for more than 398 days.
The lifespan of SSL/TLS certificates has shrunk considerably over the last 10 years. In 2011, the Certification Authority Browser Forum (CA/Browser Forum), an association of certification authorities and browser software vendors, established a limit of five years on certificate validity.
Before that, the validity period ranged from 8 to 10 years. In 2015 it was limited to three years, and in 2018 it was cut again to 2 years.
In September last year, a proposal to reduce certificate lifetime to 1 year was voted against and eventually annulled.
However, reports show that browser makers like Apple, Google, Microsoft, Mozilla, and Opera strongly support the reduction.
In February, Apple announced its intention to reject new TLS certificates that are issued on or after September 1 and have a lifespan of more than 398 days.
Although Apple was the first to make this decision, reports show that both Google and Mozilla have followed suit with the same 398-day limit.
Certificates issued by user-added or administrator-added root certificate authorities (CAs) are not affected by this new measure, and neither are certificates issued before the enforcement date.
Apple stated in a support document that connections to TLS servers that violate these new requirements will fail, which might in turn cause network and app failures and prevent websites from loading.
Google, for its part, intends to reject certificates that violate the validity limit with the error “ERR_CERT_VALIDITY_TOO_LONG”.
In addition, some SSL certificate providers such as DigiCert and Sectigo have stopped issuing certificates with a validity of two years.
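As an added example (not from the original article or from any browser vendor), the following Python check applies the 398-day limit and the two exemptions described above to certificate dictionaries in the layout returned by `ssl.SSLSocket.getpeercert()`. The enforcement year (2020), the verdict labels, the host names and the sample dates are assumptions made for illustration; the article gives only "September 1".

```python
import ssl
from datetime import datetime, timezone

MAX_VALIDITY_SECONDS = 398 * 24 * 60 * 60  # the 398-day limit from the article
# Assumption: the article says "September 1" without a year; 2020 is used here.
ENFORCEMENT_START = datetime(2020, 9, 1, tzinfo=timezone.utc).timestamp()


def check_lifetime(cert, publicly_trusted_root=True):
    """Classify one certificate dict (getpeercert() layout) against the limit.

    Returns (verdict, validity_days); verdict is "ok", "too-long",
    "exempt-private-root" or "exempt-issued-before-enforcement".
    """
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not_after <= not_before:
        raise ValueError("notAfter is not later than notBefore")
    lifetime = not_after - not_before
    days = lifetime / 86400
    if lifetime <= MAX_VALIDITY_SECONDS:
        return "ok", days
    if not publicly_trusted_root:
        # User-added or administrator-added roots are outside the rule.
        return "exempt-private-root", days
    if not_before < ENFORCEMENT_START:
        # Long-lived certificates issued before the cut-over stay acceptable.
        return "exempt-issued-before-enforcement", days
    return "too-long", days


def audit(inventory):
    """Map hostname -> verdict for (hostname, cert, public_root) tuples."""
    return {host: check_lifetime(cert, public)[0]
            for host, cert, public in inventory}


# Constructed sample inventory: hypothetical hosts and dates, not real certificates.
SAMPLE = [
    ("shop.example", {"notBefore": "Sep  2 00:00:00 2020 GMT",
                      "notAfter": "Oct  5 00:00:00 2021 GMT"}, True),   # exactly 398 days
    ("api.example", {"notBefore": "Sep  2 00:00:00 2020 GMT",
                     "notAfter": "Oct  6 00:00:00 2021 GMT"}, True),    # 399 days
    ("old.example", {"notBefore": "Aug 15 00:00:00 2020 GMT",
                     "notAfter": "Nov 18 00:00:00 2022 GMT"}, True),    # 825 days, issued earlier
    ("intranet.example", {"notBefore": "Sep 10 00:00:00 2020 GMT",
                          "notAfter": "Sep 10 00:00:00 2025 GMT"}, False),  # private root
]

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE).items():
        print(f"{host}: {verdict}")
```

Only the `too-long` verdict corresponds to a certificate the browsers would reject; the two `exempt-*` verdicts mark certificates that exceed 398 days but fall under the exemptions the article lists.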