Apple strong-arms entire CA industry into one-year certificate lifespans

Apple, Google, and Mozilla reduce the lifespan for HTTPS certificates to 398 days, against the wishes of Certificate Authorities.
Following Apple’s initial announcement, Mozilla and Google have stated similar intentions to implement the same rule in their browsers.
Starting with September 1, 2020, browsers and devices from Apple, Google, and Mozilla will show errors for new TLS certificates that have a lifespan greater than 398 days
For IT Departments this means we need to invest into automation of the whole certificates process (CSR, install, renew, DH). No email work flows, no manual processes.
Usage of ACME with pre and post installation hooks, dns validation will become now finally mandatory
About upcoming limits on trusted certificates
In our ongoing efforts to improve web security for our users, Apple is reducing the maximum allowed lifetimes of TLS server certificates.
What’s changing
TLS server certificates issued on or after September 1, 2020 00:00 GMT/UTC must not have a validity period greater than 398 days.
This change will affect only TLS server certificates issued from the Root CAs preinstalled with iOS, iPadOS, macOS, watchOS, and tvOS. Additionally, this change will affect only TLS server certificates issued on or after September 1, 2020; any certificates issued prior to that date will not be affected by this change.
Connections to TLS servers violating these new requirements will fail. This might cause network and app failures and prevent websites from loading.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.