SSL Certificates


The validity period of new TLS certificates have been shortened to 398 days (a little over a year), from the previous maximum certificate lifespan of 825 days (2 years and 3 months).

While the Certification Authority Browser Forum (CA/Browser Forum), which is a consortium of certification authorities and browser vendors, had initially imposed a limit of five years in 2011, resulting the reduction of certificate validity period from 8 to 10 years; and subsequently, it was reduced further to three years and two years in 2015/2018 respectively.

Now, the new move to shortened it to 398 days is meant to boost internet security, with Apple, Google, and Mozilla now set to reject public digital certificates in their respective web browsers once its 398 days from their original creation date.

Why Capping Certificate validity improve security?



Generally, the capping of certificate validity period helps to improve website security as it minimizes the chances of compromised or bogus sites exploiting such certificates to carry out malware attacks.

And especially for web development, it is now ideal to implement a certificate automation using tools like EFF's CertBot or Let's Encrypt, which makes it easy to set up, renew, and replace SSL certificates without any manual intervention. Also, as Chrome and Firefox mobile versions don't automatically check for certificate status because of performance constraints, it causes websites with revoked certificates to continue to load without any warning to users.

However, those certificates that were issued before the date of enforcement won't be impacted, or those that have already been issued from administrator-added or user-added Root certificate authorities (CAs).

How the Browser vendors are gearing up for the Enforcement



Google has planned to begin the treat certificates that violate the validity clause as misissued, and accompanied with error message "ERR_CERT_VALIDITY_TOO_LONG". And some SSL certificate providers like Sectigo and Digicert have stopped issuing certificates with two-year validity.

Apple, on its part, recommends that certificates should be issued with a maximum validity of 397 days, and that connections to TLS servers violating the new requirements will fail, thus causing network and app failures and prevent sites from loading.

New SSL/TLS Certificates Lifespan: Why Capping Certificate validity improve security?

SSL Certificates


The validity period of new TLS certificates have been shortened to 398 days (a little over a year), from the previous maximum certificate lifespan of 825 days (2 years and 3 months).

While the Certification Authority Browser Forum (CA/Browser Forum), which is a consortium of certification authorities and browser vendors, had initially imposed a limit of five years in 2011, resulting the reduction of certificate validity period from 8 to 10 years; and subsequently, it was reduced further to three years and two years in 2015/2018 respectively.

Now, the new move to shortened it to 398 days is meant to boost internet security, with Apple, Google, and Mozilla now set to reject public digital certificates in their respective web browsers once its 398 days from their original creation date.

Why Capping Certificate validity improve security?



Generally, the capping of certificate validity period helps to improve website security as it minimizes the chances of compromised or bogus sites exploiting such certificates to carry out malware attacks.

And especially for web development, it is now ideal to implement a certificate automation using tools like EFF's CertBot or Let's Encrypt, which makes it easy to set up, renew, and replace SSL certificates without any manual intervention. Also, as Chrome and Firefox mobile versions don't automatically check for certificate status because of performance constraints, it causes websites with revoked certificates to continue to load without any warning to users.

However, those certificates that were issued before the date of enforcement won't be impacted, or those that have already been issued from administrator-added or user-added Root certificate authorities (CAs).

How the Browser vendors are gearing up for the Enforcement



Google has planned to begin the treat certificates that violate the validity clause as misissued, and accompanied with error message "ERR_CERT_VALIDITY_TOO_LONG". And some SSL certificate providers like Sectigo and Digicert have stopped issuing certificates with two-year validity.

Apple, on its part, recommends that certificates should be issued with a maximum validity of 397 days, and that connections to TLS servers violating the new requirements will fail, thus causing network and app failures and prevent sites from loading.

No comments