Capping the validity period of TLS/SSL certificates | What will change
In the future, SSL / TLS certificates will only be valid for one year. For website operators, shortening the validity period means more effort, for users and CAs more security.
Published by Simone Catania
From September 1 this year, SSL / TLS certificates can be issued for a maximum period of 13 months (397 days), i.e. one year plus a maximum extension. What seems complex at first glance serves the security of website visitors and has immense advantages for the CAs behind the SSL certificates.
Why is the term of SSL / TLS certificates being shortened?
There are two main advantages of shortening the validity of SSL / TLS certificates:
1. One technical advantage of the shorter SSL / TLS certificate term is that updates or changes can be rolled out faster. The change of secure hash algorithm serves as a negative example here: the transition from SHA1 to SHA2 took three years, because the long validity of the certificates meant they did not have to be reissued. Unless the CA or the reseller is willing to revoke valid certificates one by one and force customers to reissue them, updates and changes have to wait until all affected certificates have expired.
2. A security-relevant advantage of the shorter term of SSL / TLS certificates concerns the data specified and verified behind the certificate: if a certificate is only valid for one year, the identity behind it is re-checked the following year, not just after two or even three years. Shorter validation intervals make the web more secure.
The turning point in the SSL / TLS market: The trend towards shorter validity periods
The validity of SSL / TLS certificates has changed repeatedly in recent years. Before 2015, you could have an SSL / TLS certificate issued for up to five years. Then came the turnaround in the SSL market: the five years became three in 2018 and later shrank to two years. In August 2018, Google suggested shortening the term to one year. At the end of 2019, however, the proposal was initially rejected by the majority of the CA/B forum (Certification Authority / Browser Forum).
With the announcement by Apple in March of this year that from September 1, 2020 only certificates with a maximum validity of 397 days would be classified as secure in their own Safari browser, it was agreed that the validity period of one year plus the maximum extension would become the new standard.
At the end of June, Google announced that it would align the changes with its own root program. The changes in Apple’s Safari that result from the shortened SSL validity and how users react to it will only become apparent in the coming months.
Below, we also explain what entitles the browser operators to decide on the validity period of SSL certificates.
Decision on the part of the browser operators
CAs and browsers are interdependent: browsers use the certificates to assess the trustworthiness of websites and to secure the connections made. CAs benefit from having their certificates displayed by the browsers; otherwise website visitors could not see the level of website security, potentially reducing user confidence.
The trust process for certificates is handled via root programs. The four most important are those of Microsoft, Apple, Mozilla and Google. These names are not only known in the area of root programs: the same four operators are also behind the most widely used web browsers on desktop and mobile devices.
In order for the certificates to be classified as trustworthy, the CAs must adhere to the guidelines of the root program and thus also to those of the browser operator. This is ensured by the CA/B forum, whose task it is to make changes to the root programs easier and to enable uniform guidelines.
Safari has specified the SSL validity reduction
The change to mark only certificates with a validity of one year as secure was first announced by Apple for its Safari browser at this year's CA/B forum. In this case, Apple's root program, which participates in the CA/B forum with Safari as its browser, made a change that has become a basic requirement for all root programs. The reason the entire CA/B forum accepted the change is the required interoperability of root programs and browsers.
What are the implications of shorter validity periods for website operators?
Nothing will change for website operators who purchased their SSL certificates before September 1, 2020 or still want to purchase them before that date. The certificates remain valid until their expiry date; only renewal for a further two years will no longer be possible. Existing two-year certificates therefore remain valid, but no new ones will be issued after September 1, 2020.
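As an added example (not code from the original article), the following Python script applies the rule just described to the `notBefore`/`notAfter` lines printed by `openssl x509 -noout -dates`: certificates issued before the September 1, 2020 cutoff are accepted until they expire, while later issues are flagged if they exceed the 397-day cap. It also reports the days left until renewal, the figure operators now have to watch more often. The sample date strings are constructed, not taken from real certificates.

```python
from datetime import datetime, timezone

# Figures taken from the article: certificates issued on or after 1 September 2020
# may be valid for at most 397 days; earlier (up to two-year) issues run to expiry.
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)
MAX_VALIDITY_DAYS = 397

def parse_openssl_date(value: str) -> datetime:
    """Parse a timestamp as printed by `openssl x509 -noout -dates`,
    e.g. 'Sep  1 00:00:00 2020 GMT' (openssl pads the day field)."""
    normalised = " ".join(value.split())
    return datetime.strptime(normalised, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def parse_dates_output(text: str):
    """Extract (notBefore, notAfter) from the two-line `-dates` output."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        fields[key.strip()] = parse_openssl_date(value)
    return fields["notBefore"], fields["notAfter"]

def validity_days(not_before: datetime, not_after: datetime) -> int:
    """Whole days between the validity bounds."""
    return (not_after - not_before).days

def classify(not_before: datetime, not_after: datetime) -> str:
    """Pre-cutoff certificates are accepted until expiry; later issues
    must not exceed the 397-day cap."""
    days = validity_days(not_before, not_after)
    if not_before < CUTOFF:
        return "pre-cutoff: accepted until expiry"
    if days <= MAX_VALIDITY_DAYS:
        return "compliant"
    return f"non-compliant: {days} days exceeds the {MAX_VALIDITY_DAYS}-day cap"

def days_until_expiry(not_after: datetime, now: datetime) -> int:
    """Days left before renewal is due; the figure to monitor once issuance is annual."""
    return (not_after - now).days

# Constructed samples, not real certificates: a two-year cert issued just before the
# cutoff, a one-year cert issued on the cutoff day, and a two-year cert issued after it.
LEGACY = "notBefore=Aug 31 00:00:00 2020 GMT\nnotAfter=Aug 31 00:00:00 2022 GMT\n"
ONE_YEAR = "notBefore=Sep  1 00:00:00 2020 GMT\nnotAfter=Sep  1 00:00:00 2021 GMT\n"
TWO_YEAR = "notBefore=Sep  1 00:00:00 2020 GMT\nnotAfter=Sep  1 00:00:00 2022 GMT\n"

if __name__ == "__main__":
    for label, sample in (("legacy", LEGACY), ("one-year", ONE_YEAR), ("two-year", TWO_YEAR)):
        nb, na = parse_dates_output(sample)
        print(f"{label}: {validity_days(nb, na)} days -> {classify(nb, na)}")
```

Feed it the output of `openssl x509 -in cert.pem -noout -dates` to check a deployed certificate against the cap.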
In the future, however, when SSL / TLS certificates will only be issued with a validity of one year, website operators will be forced to invest more time and money to ensure the correct integration of SSL / TLS certificates.
In return, online data traffic will become more secure, user trust in SSL-secured sites and traffic will increase – a calculation that pays off for website operators. Find the right SSL / TLS certificates for your projects now.