Goodbye SSL/TLS Certificate 2 Years Maximum Validity
In February 2020, Apple announced groundbreaking news for the SSL/TLS certificate industry during a face-to-face meeting of the Certification Authority Browser Forum (CA/Browser Forum). It independently declared that, starting 1 September 2020, the Safari browser on all of its iPhone and Mac operating systems will no longer trust SSL/TLS leaf certificates with a validity period of more than 398 days, equivalent to a one-year certificate plus the renewal grace period. In other words, any leaf certificate issued after the said date with a validity period of more than one year will be classified by Safari as an untrusted certificate. Other types of SSL/TLS certificates, including intermediates and roots, are unaffected.
An Expected Development
The news comes as no surprise, as the lifespan of SSL/TLS certificates has been reduced repeatedly over the past decade. The validity period of certificates is on a downward trend, with the most recent reduction, to one year, happening soon after 1 September 2020.
Just over a decade ago, SSL certificate providers were selling certificates that spanned between 8 and 10 years. In 2011, the Certification Authority Browser Forum (CA/Browser Forum) was established, which consists of all the certificate authorities (CAs) and big browser makers. They determined that the 8 to 10 years validity period was just too long, and decided to cut it down to 5 years. The same thing happened in 2015, and the validity period was cut down to 3 years. In 2018, it was cut further down to 2 years. Now, Apple is pushing for 1-year certificates by making changes to its Safari browser. Below is what you can expect for this latest development.
All the major browser makers, especially Apple and Google, have for years lobbied at the CA/B Forum to shorten the validity period. They have repeatedly raised ballots for forum members to vote on reducing the term. In August last year, Google's Ryan Sleevi introduced a ballot at the CA/B Forum that pushed for a maximum one-year validity for SSL/TLS certificates. However, citing concerns and comments from users, most of which were objections, most of the major certificate authorities (CAs) voted against the ballot and the issue was put on hold. With no concrete decision reached, Apple announced in February this year its unilateral decision to enforce the 1-year certificate in its Safari browser.
A Shorter Validity Certificate Has Its Good and Bad
The idea behind a shorter-term SSL/TLS leaf certificate is that the shorter the validity period, the more secure it is. The browser makers want to make sure that web developers are always using the latest SSL certificate encryption standards and technology. This is achieved when SSL certificates expire sooner and web developers have to replace them more frequently. Doing so helps browser makers increase web security for users' safety.
It also reduces the risk of old or neglected SSL certificates being exploited by hackers to perform phishing or malware attacks. Old certificates might be using an encryption technology that was powerful three years ago but has since been broken by hackers. That is just how fast things move in the cybersecurity industry. Browser makers are well aware of this and therefore firmly push for a shorter validity period for SSL certificates. The approach is also believed to effectively reduce the time hackers have to explore how to exploit a certificate. It also makes it less likely that old certificates using retired encryption are still used by web developers in the future and end up being exploited. Through this approach, SSL certificates with new keys will be generated regularly to keep hackers at bay and, as a result, reduce their exploitability.
However, a shorter SSL certificate validity period brings more workload for the web developers or website owners who manage the certificates. They will be required to replace certificates more often, which might take up a lot of time if they are managing hundreds or even a thousand certificates. The hassle factor is indeed there, which is why many users are against this implementation. It increases their cost and overhead, and the increased workload and confusion also make human mistakes and errors more likely.
How Will This Change Affect Website Owners and Customers?
Safari is the second leading web browser, with a 14.4% market share, as shown in the image below:
With approximately 4.5 billion Internet users around the world, 14.4% equals roughly 650 million users who are using Safari browsers. Website owners will definitely want to ensure that their websites are trusted by Safari, or risk losing their precious traffic when the privacy error shows up on Safari. Website owners are expected to become more occupied with renewing their SSL certificates on a yearly basis to ensure an excellent customer experience. Website admins will be expected to streamline their existing certificate management practice in order to adapt to this new implementation on Safari. Large organisations with a large number of SSL certificates will be searching for a reliable and automated certificate management solution to reduce manual management and errors.
How Will This Change Certificate Resellers?
For a start, you can still issue two-year SSL certificates up to 31 August 2020 for your customers to use until they expire. After the said date, it is recommended to issue one-year SSL certificates only, as far as the Safari browser is concerned. You can of course still issue two-year certs, but you need to ensure you have a good certificate management solution to keep track of all the two-year certs you previously issued and renew them after one year so that they continue to be trusted by the Safari browser.
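The tracking task described above, together with the Safari rule from the opening paragraph, can be run over a certificate inventory as shown below. This is an added example, not code from WebNIC or any CA; the host names and dates are constructed, and the cutoff time (00:00 UTC), the 86,400-second day and the 30-day renewal window are assumptions.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

# From the article: leaf certs issued from 1 Sep 2020 valid for more than 398 days are untrusted.
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)  # assumption: 00:00 UTC
MAX_VALIDITY = timedelta(days=398)  # assumption: a day is 86,400 seconds

def when(text):
    """Parse the date format used by getpeercert(), e.g. 'Sep  1 00:00:00 2020 GMT'."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)

def audit(cert, now, renew_window=timedelta(days=30)):
    """Classify one leaf certificate dict holding 'notBefore' and 'notAfter'."""
    start, end = when(cert["notBefore"]), when(cert["notAfter"])
    if now >= end:
        return "expired"
    if start >= CUTOFF and end - start > MAX_VALIDITY:
        return "untrusted-by-safari"  # replace with a shorter certificate
    if end - now <= renew_window:
        return "renew-soon"
    return "ok"  # includes two-year certificates issued before the cutoff

def latest_not_after(not_before):
    """Latest expiry a certificate issued at not_before may carry under the limit."""
    return when(not_before) + MAX_VALIDITY

def fetch_cert(host, port=443):
    """Fetch a live server's leaf certificate dict (needs network; not called here)."""
    sock = socket.create_connection((host, port), timeout=10)
    with ssl.create_default_context().wrap_socket(sock, server_hostname=host) as tls:
        return tls.getpeercert()

# Constructed inventory: hypothetical hosts and dates, not real certificates.
INVENTORY = {
    "shop.example": {"notBefore": "Aug 20 00:00:00 2020 GMT", "notAfter": "Aug 20 00:00:00 2022 GMT"},
    "api.example":  {"notBefore": "Sep  1 00:00:00 2020 GMT", "notAfter": "Oct  4 00:00:00 2021 GMT"},
    "mail.example": {"notBefore": "Sep  1 00:00:00 2020 GMT", "notAfter": "Oct  5 00:00:00 2021 GMT"},
    "pay.example":  {"notBefore": "Sep 15 00:00:00 2020 GMT", "notAfter": "Sep 15 00:00:00 2022 GMT"},
    "old.example":  {"notBefore": "Oct 20 00:00:00 2018 GMT", "notAfter": "Oct 20 00:00:00 2020 GMT"},
}

def report(inventory, now):
    return {host: audit(cert, now) for host, cert in inventory.items()}

if __name__ == "__main__":
    audit_date = datetime(2020, 10, 1, tzinfo=timezone.utc)  # constructed audit date
    for host, status in report(INVENTORY, audit_date).items():
        print(f"{host:14} {status}")
```

The `api.example` and `mail.example` entries differ by one day of validity, which is the boundary between a certificate Safari accepts and one it rejects.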
Certificate Authorities Are Prepared
With all that said, you can still feel at ease, as the leading CAs anticipated this development early and have each prepared solutions for it. They have put in place new platforms, certificate lifecycle management solutions and subscription plans to help SSL certificate resellers adapt to this change. New options and implementations of SSL certificates are ready for webmasters to purchase coverage for a more extended period. DigiCert has prepared DigiCert® CertCentral TLS Manager, and Sectigo has developed Sectigo Certificate Manager.
With new platforms and solutions in place, SSL certificate resellers gain more flexibility in offering automation, multi-year plans and discounts to customers who sign up for SSL certificates for a longer period. Automation will help to ease the workload of managing their customers. Here are some of the benefits of this approach:
1. Resellers can help their customers to save cost by offering a multi-year price discount.
2. Resellers can help customers to only purchase once without having to worry about it anymore.
It is believed that the change will be a win-win for both parties with the introduction of the new automation solution.
In conclusion, we believe it is only a matter of time before all other major browsers follow in Apple's footsteps. A 1-year certificate will definitely be the new norm soon. Once any one of the major browser makers does so, CAs know perfectly well they definitely need to change their certificates to a 1-year validity period, as the browser makers are equivalent to the web's gatekeepers and they hold all the cards. CAs can only follow suit.
However, we are not worried and you should not be, either! CAs are well-prepared and have put in place new platforms and solutions to help manage SSL certificates. We believe it will be a relatively smooth and straightforward transition, and everyone will get to enjoy greater website security and an enhanced certificate management experience.
WebNIC is proud to announce that we now offer DigiCert CertCentral TLS Manager service, which we believe will benefit you greatly. If you have any inquiries, feel free to email us at [email protected] for more info.
WebNIC is an accredited registrar for ICANN, and various countries including Asia, Europe, America, Australasia, and Africa. With offices in Singapore, Kuala Lumpur, Beijing, Taipei and Jakarta, we serve 5,000+ active resellers over 70 countries. To join us and become a reseller, live chat with us or email us at [email protected].