Several months ago, there was an industry-wide debate over the ideal length of validity for SSL/TLS certificates. It was a fairly intense debate that ultimately ended with the Certificate Authorities voting down Google’s ballot to reduce maximum validity to a single year at the CAB Forum.
Last week at the Face to Face CAB Forum Meeting in Bratislava, Slovakia, Apple announced its intention to restrict SSL/TLS validity to just 398 days (one year, plus roughly one month to be used to better facilitate renewals).
There’s a little bit to unpack here, and we felt it would be beneficial to discuss it on a more personal level, in terms that will make sense to the greater business community.
You Don’t Need to Replace Your SSL/TLS Certificates
The impact of this decision will not hit consumers until September 1, 2020. From that point on, any SSL/TLS certificate issued can be valid no longer than 398 days – otherwise it will be distrusted by Apple’s macOS and iOS systems, which means by all Safari users. Further, given their previously stated desire to reduce certificate validity, Google and Mozilla will likely move forward with the same change and observe the same deadlines.
What that means for you is that as of September 1, there is effectively no two-year certificate option if you want your website to work for Apple users. You will also need to replace or rotate certificates more frequently than in the past.
It’s important to mention – what you won’t have to do is scramble to get a new certificate BEFORE September 1. The SSL/TLS certificates that have been validly issued today will remain valid until their expiry date. Once you renew, you’ll need to move to a single year certificate.
So pay no mind to anyone that tells you to replace your certificate now.
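As an added illustration (not code from the original post or from GlobalSign), here is how an operator could audit a set of DER-encoded certificates against the rule described above: walk the certificate's DER structure with the standard library only, read notBefore/notAfter, treat anything issued before September 1, 2020 as valid until its own expiry, and flag anything issued on or after that date whose validity spans more than 398 days. The `sample_cert` helper builds a constructed, unsigned certificate skeleton purely so the example runs offline; the threshold and cutoff date are the ones stated in this post.

```python
"""Audit X.509 Validity periods against the 398-day cap for certificates issued on/after 2020-09-01."""
from datetime import datetime, timezone

MAX_DAYS = 398
EFFECTIVE = datetime(2020, 9, 1, tzinfo=timezone.utc)

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(seq, pos=0):
    """Yield (tag, value) for each element directly inside a constructed DER value."""
    while pos < len(seq):
        tag, value, pos = _read_tlv(seq, pos)
        yield tag, value

def _parse_time(tag, value):
    """Decode UTCTime (tag 0x17, two-digit year) or GeneralizedTime (tag 0x18)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def validity_of(der):
    """Return (notBefore, notAfter) from a DER-encoded certificate."""
    _, cert, _ = _read_tlv(der, 0)              # Certificate ::= SEQUENCE {tbs, sigAlg, sig}
    _, tbs, _ = _read_tlv(cert, 0)              # tbsCertificate ::= SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                    # skip the optional [0] EXPLICIT version
        fields = fields[1:]
    (t1, v1), (t2, v2) = _children(fields[3][1])  # serial, signature, issuer, *validity*
    return _parse_time(t1, v1), _parse_time(t2, v2)

def check_398(der):
    """legacy-ok: issued before the cutoff, so it stays valid until its own expiry."""
    not_before, not_after = validity_of(der)
    days = (not_after - not_before).days
    verdict = "legacy-ok" if not_before < EFFECTIVE else "ok" if days <= MAX_DAYS else "distrusted"
    return {"days": days, "verdict": verdict}

# Constructed sample input (hypothetical, unsigned skeleton; not a real certificate, short-form lengths only):
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body
def sample_cert(not_before, not_after):
    utc = lambda s: _tlv(0x17, s.encode())      # UTCTime strings like "200902000000Z"
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"")
           + _tlv(0x30, b"") + _tlv(0x30, utc(not_before) + utc(not_after)))
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
```

On a real inventory, `check_398` would be fed the bytes of each certificate file; the DER walker above reads only the Validity field and ignores signatures and extensions.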
And Then There Was One…Year
The browsers have long stated that they prefer shorter validity periods for publicly trusted certificates. Shorter certificate validity, in theory, means improved security on two fronts: a compromised private key is usable for a shorter window, and the identity details bound to the certificate – such as organization names, addresses and active domains – are re-verified more often, so changes to them are picked up sooner.
Keep in mind, the number one stated goal of these browsers is to protect their users. And misuse of publicly trusted certificates can pose significant threats. Remember, at one point, max validity was five years. Then three. Then two. Now one. Eventually it could reduce to as little as 90 days – possibly even 30 – but this reduction is being driven almost entirely by the browsers.
Why Did the Previous CAB Forum Ballot Fail?
The last ballot primarily failed on account of timing. GlobalSign, along with several other CAs, went directly to its customers and sought their feedback. The appetite for shorter validity just wasn’t there on account of a number of different factors.
The Google ballot sought to implement the change by April 1, less than six months from the date of the vote, which just wasn’t enough time. So, a request was made to set a date out 12-18 months in the future giving everyone ample time to prepare for the changes.
It appears Apple decided to split the difference and aim for September.
What is GlobalSign’s Position on Short Certificate Validity?
At GlobalSign, we put our customers and partners first – that’s the case for every decision we make. At the same time, we actively seek to improve the internet and make it a more secure place to socialize and do business.
Shorter validity may be better for security, although the browsers have not provided a concrete list of the security issues and severity of using two-year certificates. With a proper security analysis of the two-year vulnerabilities and a more reasonable timeline for these changes, GlobalSign would support the move down to one-year certificates. But whereas the browsers have a specific focus that is germane to what they do – as Certificate Authorities we have one, too. And we need to ensure that our customers are in an optimal position for this change. That’s why GlobalSign is prepared to work closely with any organization looking to streamline and improve their certificate lifecycle management to better align with the incoming browser mandates on validity.
For over 15 years GlobalSign has been a leader in the PKI space, and despite the unorthodox way this initiative has been introduced, we plan to continue guiding the web towards greater automation and more agile certificate management solutions. If you have any questions or would like to find out how we can make more frequent certificate rotation painless for you – drop us a line.