Starting Sept. 1, Apple’s Safari browser will no longer trust SSL/TLS leaf certificates with validity of more than 398 days. (This is the equivalent of a one-year certificate plus the renewal grace period.) Other types of SSL/TLS certs, including intermediates and roots, are unaffected.
Other Web browser and operating system developers, such as Microsoft, Firefox, and Google, will also no longer consider 2-year TLS/SSL certificates issued on or after September 1st to be valid.
Apple announced their unilateral decision at a face-to-face meeting of the CA/Browser Forum (CA/B Forum) on Feb. 19, which is the industry standards group that consists primarily of certificate authorities and several of the major browsers.
The reasoning behind the lower validity period is primarily for security and to prevent unauthorized users from using certs for too long:
- Allows greater agility when phasing out certificates when vulnerabilities are discovered in encryption algorithms
- Limits a website’s exposure to compromise as private encryption keys would be changed regularly. If a private TLS certificate is stolen, a one-year validity will limit the amount of time that a threat actor could use.
- Prevents hosting providers or third parties from using a certificate for a long time after a domain is no longer used or has switched providers.
Safari is one of the internet’s two leading web browsers. W3Counter lists Safari’s browser market share at 17.7% as of January 2020. This falls behind only Google Chrome (58.2%) and ahead of Microsoft Internet Explorer and Edge (7.1%). So, as you can imagine, you want to ensure that your website — and your customers’ websites — are trusted by Safari.
What Site Admins Need to Know
Essentially, any SSL/TLS certificates issued prior to Sept. 1, 2020 are not affected by this change. They’ll remain valid (barring any unrelated certificate revocations) for the entire two-year period and won’t need to be modified or replaced. However, any certificates that are issued on or after Sept. 1 will need to be renewed every year to remain trusted by Safari.
What this means is that you’ll want to streamline and improve your existing certificate management practices. For larger organizations, in part, this entails using a reliable certificate management solution and no longer relying on manual cert management.
What Certificate Resellers Need to Know
In a nutshell, you can continue issuing two-year certificates until Aug. 31, 2020 that your customers can use until they expire. Any certificates that you issue after that date, however, would need to be issued with one-year validity to remain valid as far as Safari is concerned.
This means that any two-year certificates that you sell will need to be re-issued after one year in order to continue being trusted by the browser.
If you purchase an SSL or TLS certificate after September 1st, it will only be valid for 13 months or 397 days. Some SSL certificate providers, such as Sectigo and Digicert have already stopped issuing certificates with a 2-year validity
