TLS / SSL certificates - A new validity limit imposed from September 2020

Maximum shelf life (a) SSL certificates / TLS has varied a lot in recent years, and every time changes have been made, the deadline was getting shorter.
Before 2011 maximum life of TLS certificates was between 8 and 10 years old, and after 2011, CA / Browser Forum (Certification Authority Browser Forum) to reduce it to 5 years.
Subsequently, in 2015, the maximum validity period of TLS was reduced to 3 years, so that in 2018 it reaches a maximum of 2 years.

In the September 2019 election, the proposal to limit it to 1 year was rejected, despite the strong support of Google, Apple, Microsoft, Mozilla and Opera. However, in February 2020, Apple announced that starting with September 1, 2020, it will reject the new TLS certificates with a period of more than 398 days. Decision Apple was quickly adopted by Google, Mozilla and Microsoft.

Certificates issued before the date of implementation of this decision and "CA" root certificates will not be affected by this change even if their expiration date exceeds 398 days. At the time of their renewal, the maximum period must comply with the new requirements.

"Connections to TLS servers that violate these new requirements will fail", said Apple in a support document. In other words, a non-compliant TLS certificate will prevent applications, mail servers, or websites from running on systems and applications developed by Apple.
In turn, Google has announced that it will mark with the error code "ERR_CERT_VALIDITY_TOO_LONG", The certificates that will not fall within the new validity limit and will treat them as being issued incorrectly.

SSL service providers they started withdrawing the packages with a validity period of 2 years from the summer of this year, in order to avoid unpleasant surprises. The new certificates with a maximum period of 397 days, as recommended by those from Apple.

The decision to limit the life period for a SSL certificate / TLS, was taken for online security reasons. The shorter the validity period of a certificate, the shorter the risk that it will operate for a longer time and after it has been compromised.
Currently there are web addresses (websites) that although they have valid SSL / TLS certificates, are dangerous for visitors. They contain malware, adware or phishing programs. They remain marked "safe" until they need to renew SSL.
Even worse is for smartphone users who use Firefox or Chrome to browse web pages. For performance reasons, Chrome and Firefox for mobile do not check SSL certificates in real time. Thus, users can access web pages whose certificates have been revoked without being warned.

TLS / SSL certificates - A new validity limit imposed from September 2020

About the author

Stealth

Passionate about everything that means gadget and IT, I am pleased to write on stealthsettings.com from 2006 and I love to discover new things about computers and macOS, Linux operating systems, Windows, iOS and Android.

Leave a Comment