New SSL certificate validity will be limited to one year starting September 1 New SSL certificate valid...

New SSL certificate validity will be limited to one year starting September 1


Apple announced their unilateral decision at a CA/Browser Forum meeting on Feb 19, 2019 that Apple’s Safari browser will no longer trust SSL/TLS leaf certificates with a validity of more than 398 days, which strong-armed Certificate Authority industry into bitterly accepting a new default lifespan of 398 days for TLS certificates. CA/Browser Forum is an industry body made up of Certificate Authorities (CAs), web browsers and operating systems.

Following Apple's initial announcement, Mozilla and Google have stated similar intentions to implement the same rule in their browsers. Starting with September 1, 2020, browsers and devices from Apple, Google, and Mozilla will show errors for new TLS certificates that have a lifespan greater than 398 days.

SSL Certificate

How long was the validity of SSL/TLS certificates?

The validity period of SSL/TLS certificates was sheared from 10 years down to 5 years. A compromise was ultimately struck that led to certificate validity being reduced to a maximum of three years, and then later on March 1, 2018, it was capped at two years for all SSL/TLS leaf certs.

Why the shorter lifespan?

The shorter lifespan of SSL certificates seems to be a nightmare for site administrators with the more frequent renewals. However, it shortens the time to organically roll out updates or changes. A real-world example would be the SHA1-to-SHA2 transition which took 3 years. With a 3 or 5 year validity, the old certificates with an outdated algorithm will not be replaced unless the CA revokes them or forces the customer to re-issue. It can take years before all of the old certificates are replaced.

What does this mean for your website and customer?

Beginning September 1st, Certificate Authorities will stop issuing 2-year SSL certificates and they will no longer be available for purchase. If you have a certificate issued prior to September 1, your validity period will not change and your SSL will stay valid. However, you will only be able to renew those certificates for one year once they expire.

* (Your email address will not be published.)