Apple announced this week that the maximum lifetime of SSL / TLS certificates on its devices and Safari browser would be limited to 398 days (1 year, and 1 month to cover the renewal period). The change, announced by Apple at the CA / Browser Forum meeting in Bratislava, Slovakia, will take effect for certificates issued after August 31, 2020.
Apple’s announcement follows a failure of the CA / B Forum’s vote on one-year certificates (Bulletin SC22), which was held in August 2019, and reflects a continuing trend to shorten lifespan certificates. Following this vote, Google had also expressed its intention to reduce certificate lifetime outside the framework of the CA / B forum if they do not position themselves quickly. This announcement is a bit of a surprise, we would rather have thought that Google or Mozilla would take the first step.
What are the consequences for companies and their SSL / TLS certificates?
Is shorter validity a good thing?
The shorter the validity period of a certificate, the more secure the certificate. By requiring replacement of certificates over a shorter period of time, security updates are made to certificates, they deploy faster. The shorter private key lifetime of a certificate is also a strong recommendation from online security players to limit the potential duration of fraud following a compromise.
From a security perspective, everyone agrees that reducing the life of certificates is a good thing. The problem lies on the operational side with the consequences of this reduction being: more frequent intervention on certificates, therefore greater complexity in keeping an up to date inventory and the need for optimal organization with partners for certificate issuance.
Should Apple’s announcement be taken into account?
Safari is one of the two main web browsers, with 17.7% in January 2020, behind Google Chrome (58.2%) and ahead of Microsoft Internet Explorer and Edge (7.1%). It is difficult to ignore the announcement as it will affect 1/5 of Internet users, what is more is that if Google does follow, it is better to anticipate and prepare. Nameshield’s has already adopted this stance.
Things to keep in mind
Certificates issued before September 1, 2020 are not affected by this change. They will remain valid for the entire two-year period. All certificates issued on or after September 1 must be renewed each year to be considered reliable by Safari.
We must therefore prepare to move towards having certificates with a maximum duration of one year compared to the current two years. Being able to rely on a partner and effective tools is more essential than ever.
Towards the end of the correlation between authentication and technical certificate management
What seems to be taking shape within the CA / B Forum is the idea of allowing an authentication duration identical to that which we know today (two years) while forcing the certificates to be replaced several times during this same period.
The main Certification Authorities, the bodies that issue certificates, anticipate these changes and are working on several automation systems to manage certificate life cycle. They would thus limit the need to go through a potentially cumbersome re-authentication procedure with each replacement. Companies could replace their certificates as many times as they want during this period. This would make it possible to anticipate possible further reductions in the maximum lifetime of certificates.
The trend is also towards the installation of automation tools for the maintenance of a precise inventory of certificates on the one hand and technical reinstallation on the other. Nameshield is closely monitoring these various developments and will allow you to continue working with confidence.
Our team is also at your disposal to anticipate these changes and answer any questions you may have.