Apple reduces SSL/TLS certificates accepted lifespan to 1 year

Apple will not trust SSL of more than 1 year

What has Apple done

Apple has decided that they will no longer support TLS/SSL certificates that have a valid period of more than 1 year (398 days to be exact) as of 1st September 2020. This means that if, after that date, you order a certificate for your website that has a longer valid period then it will not be trusted on any Apple system, including iPhones, iPads, Apple computers, Safari, etc.
The policy that was unveiled at a Certificate Authority Browser Forum (CA/Browser) meeting on Wednesday (19/02/2020). Accordingly certificates issued after 1st September 2020 will not be trusted if they are longer than 1 year (398 days) but those that were issued before that date will still be honoured.

Why have they done this

The move by Apple to not trust certificates longer than the 398 days is a move to make internet users safer on their platforms. This means that website admins will need to change their certificates on a yearly basis. This has it benefits and drawbacks as it means that technical expertise will be needed more frequently and that there is more chance for expiry dates to be forgotten but it does mean that old forgotten certificates will expire quicker and certificates will be using the latest up-to-date cryptographic standards.
There has been a call for more moving to automated systems rather than manual certificates. Whilst we use automated systems or ACME (Automated Certificate Management Environment), specifically Let’s Encrypt and those systems are great for a certain type of site, it is still necessary to have the higher grade certificates for those who need them. In fact larger websites still use professional certificates with stronger encryption and authentication mechanisms in place. ACME certificates are great as a base level certificate in these days when a website will not be trusted at all if it doesn’t have a certificate, in fact if it doesn’t have a certificate most browsers will actively block access to it.

Digicert’s Dean Coclin issued a memo, here is an excerpt:

“At one time, certificates were offered with a maximum validity of three years. A few years ago, they were reduced to two years. Fast forward to this week’s Apple announcement, which ultimately does what ballot SC22 failed to do: reduce certificate lifetimes to one year.
Why did Apple unilaterally decide to enforce a shorter certificate lifetime? Their spokesperson said it was to “protect users.” We know from prior CA/B Forum discussions that longer certificate lifetimes proved to be challenging in replacing certificates, in the case of a major security incident. Apple clearly wants to avoid an ecosystem that cannot quickly respond to major certificate-related threats. Short-lived certificates improve security because they reduce the window of exposure if a TLS certificate is compromised. They also help remediate normal operational churn within organizations by ensuring yearly updates to identity such as company names, addresses and active domains. As with any improvement, shortening of lifetimes should be balanced against the hardship required of certificate users to implement these changes.”

… “DigiCert agrees that shorter lifetimes help enhance the security of the ecosystem and has the tools necessary to help our customers automate the certificate lifecycle process. We support short-lived certificates, with lifetimes as short as a few hours for customers with advanced automation capabilities. Additionally, our CertCentral platform includes the ability to schedule and automate replacement of EV, OV and DV certificates. Using CertCentral admins may take advantage of continuous discovery, renewal notices, thorough API integration and documentation, as well as support for orchestration layers. CertCentral also allows for multi-year purchases to smooth planning and 24/7 global support enabling the best experience in the industry.
As certificate validity periods continue to decrease, automation will be a must for organizations’ ability to manage shorter lifetimes. DigiCert is prepared with the industry’s most advanced and reliable tools to help our customers take the necessary steps toward greater use of automation.”

Leave a Reply

Your email address will not be published. Required fields are marked *