Safari to Limit SSL/TLS Certificate Validity to One Year

On February 19th of this year, Apple made a fairly big announcement during a face-to-face meeting of the CA/Browser Forum (CA/B Forum). This forum is where the industry standards group convenes, and it consists mainly of certificate authorities as well as several of the major browsers.

Apple announced that on September 1, 2020, Safari, the default browser on Apple’s macos, as well as the browser on the iPhone, will no longer trust SSL/TLS leaf certificates with validity of more than 398 days (this number derives from 365 days plus the grace period commonly offered). Intermediate and root SSL/TLS certificates, along with some others, will be unaffected.

So what does this news actually mean and why is Apple doing this?

Shortening the validity of SSL/TLS certificates means that they will have to be renewed and implemented on websites more often. Theoretically, this improves a website’s security because new keys are being generated more often. Also, security updates made by certificate providers should be released at a quicker rate. Basically, the shorter the validity period of an SSL/TLS leaf certificate is, the more secure it should be.

This trend isn’t something new - certificate validity periods have been cut down in the past. They used to be valid for 5 years, but were reduced to 3 years, then to 2 years. The proposal for 1 year validity certificates was initially introduced by Google’s Ryan Sleevi at last year’s forum, but ultimately was shut down.

This change is driven by new services, like LetsEncrypt, which issue free certificates that expire after only a few months, coupled with software that automatically renews and redeploys those certificates. This provides a largely “set it and forget it” approach to SSL/TLS certificates, while also improving the underlying security.

One important thing for website owners and admins to note is that any SSL/TLS certificates issued prior to Sept. 1, 2020 are not affected by this change. Websites with these certificates will remain trusted by Safari for their entirety. Only certificates issued on or after Sept. 1 will need to be renewed each year to remain trusted.

The most important action for website owners and admins to consider is to revise their current operational plan regarding security and certificates to ensure everything is renewed and implemented properly each year. Some certificate providers have even started offering multi-year subscription plans for certificates. For example, these providers give website owners the option to purchase a longer subscription where the certificate would be automatically renewed each year. All that would need to be done is updating the SSL/TLS certificate as the old one expires.

Although Apple was the first to take the leap with changing the validity of SSL/TLS certificates to 1 year, it’s very likely the rest of the major browsers will be following this trend in the near future. Overall, this change does offer security benefits, and with the new subscription model certificate providers are starting to roll out, it shouldn’t cause website admins / owners any problems in the long term. That is, as long as they update their current security plans and procedures accordingly.

As always, if you have any questions about your current SSL/TLS situation and would like a bit more detail, just reach out to our team. We’d be more than happy to help. Cheers!