The maximum validity period of SSL/TLS certificates has varied a lot in recent years, and every time it was changed, it became shorter.
Before 2011, the maximum lifetime of TLS certificates was between 8 and 10 years; after 2011, the CA/Browser Forum (Certification Authority Browser Forum) reduced it to 5 years.
Subsequently, in 2015, the maximum TLS validity period was reduced to 3 years, and in 2018 it reached a maximum of 2 years.
In the September 2019 vote, the proposal to limit it to 1 year was rejected, despite strong support from Google, Apple, Microsoft, Mozilla and Opera. However, in February 2020, Apple announced that starting September 1, 2020, it would reject new TLS certificates with a validity period of more than 398 days. Apple's decision was quickly adopted by Google, Mozilla and Microsoft.
Certificates issued before this decision takes effect and root CA certificates are not affected by the change, even if their validity period exceeds 398 days. When they are renewed, the validity period must comply with the new requirements.
"Connections to TLS servers which violate these new requirements will fail", said Apple in a support document. In other words, a non-compliant TLS certificate will prevent applications, mail servers or websites from working on systems and applications developed by Apple.
In turn, Google has announced that it will flag certificates that exceed the new validity limit with the error code "ERR_CERT_VALIDITY_TOO_LONG" and will treat them as incorrectly issued.
SSL service providers started withdrawing packages with a 2-year validity period in the summer of this year, in order to avoid unpleasant surprises. New certificates have a maximum validity period of 397 days, as recommended by Apple.
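The following Python code is an added example, not taken from the original article or from Apple or Google. It applies the rules described above to the output of `openssl x509 -noout -dates`. The 00:00 UTC cutoff time, counting a day as 86,400 seconds, and the names `parse_openssl_dates` and `classify` are assumptions of the example.

```python
import ssl
from datetime import datetime, timezone

# Dates and limits are the ones quoted in the article; the 00:00 UTC cutoff
# and "1 day = 86400 seconds" are assumptions of this example.
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)
MAX_SECONDS = 398 * 86400          # above this, clients reject the certificate
RECOMMENDED_SECONDS = 397 * 86400  # what providers issue to stay clear of it

def parse_openssl_dates(text):
    """Parse `openssl x509 -noout -dates` output into (not_before, not_after)."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            # Handles the space-padded day in "Sep  1 00:00:00 2020 GMT".
            seconds = ssl.cert_time_to_seconds(value)
            found[key] = datetime.fromtimestamp(seconds, tz=timezone.utc)
    if len(found) != 2:
        raise ValueError("need both notBefore= and notAfter= lines")
    return found["notBefore"], found["notAfter"]

def classify(not_before, not_after, is_root_ca=False):
    """Return 'invalid', 'exempt', 'too_long', 'at_limit' or 'ok'."""
    lifetime = (not_after - not_before).total_seconds()
    if lifetime <= 0:
        return "invalid"       # notAfter is not later than notBefore
    if is_root_ca or not_before < CUTOFF:
        return "exempt"        # roots and pre-cutoff certificates keep working
    if lifetime > MAX_SECONDS:
        return "too_long"      # Chrome: ERR_CERT_VALIDITY_TOO_LONG
    if lifetime > RECOMMENDED_SECONDS:
        return "at_limit"      # accepted, but above the 397-day recommendation
    return "ok"

# Constructed sample: a 2-year certificate issued one month after the cutoff.
SAMPLE = "notBefore=Oct  1 00:00:00 2020 GMT\nnotAfter=Oct  1 00:00:00 2022 GMT\n"

if __name__ == "__main__":
    print(classify(*parse_openssl_dates(SAMPLE)))
```

The same date strings appear in the `notBefore` and `notAfter` fields returned by Python's `ssl.SSLSocket.getpeercert()`, so `classify` can also be fed from a live connection.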
The decision to limit the lifetime of an SSL/TLS certificate was taken for online security reasons. The shorter the validity period of a certificate, the lower the risk that it will keep operating for a long time after it has been compromised.
Currently there are web addresses (websites) that are dangerous for visitors even though they have valid SSL/TLS certificates. They contain malware, adware or phishing programs. They remain marked as "safe" until the SSL certificate needs to be renewed.
The situation is even worse for smartphone users who browse web pages with Firefox or Chrome. For performance reasons, Chrome and Firefox for mobile do not check SSL certificates in real time. Thus, users can access web pages whose certificates have been revoked without being warned.