{"id":796,"date":"2020-06-29T08:47:56","date_gmt":"2020-06-29T06:47:56","guid":{"rendered":"https:\/\/bretterhofer.at\/blog\/?p=796"},"modified":"2020-06-29T17:59:54","modified_gmt":"2020-06-29T15:59:54","slug":"apple-strong-arms-entire-ca-industry-into-one-year-certificate-lifespans","status":"publish","type":"post","link":"https:\/\/bretterhofer.at\/blog\/2020\/06\/apple-strong-arms-entire-ca-industry-into-one-year-certificate-lifespans\/","title":{"rendered":"Apple strong-arms entire CA industry into one-year certificate lifespans"},"content":{"rendered":"<div data-contents=\"true\">\n<div class=\"\" data-block=\"true\" data-editor=\"63a7f\" data-offset-key=\"a89v6-0-0\">\n<div class=\"public-DraftStyleDefault-block public-DraftStyleDefault-ltr\" data-offset-key=\"a89v6-0-0\"><span data-offset-key=\"a89v6-0-0\">\u00a0<\/span><\/div>\n<\/div>\n<div class=\"\" data-block=\"true\" data-editor=\"63a7f\" data-offset-key=\"5rakc-0-0\">\n<div class=\"public-DraftStyleDefault-block public-DraftStyleDefault-ltr\" data-offset-key=\"5rakc-0-0\"><\/div>\n<\/div>\n<div class=\"\" data-block=\"true\" data-editor=\"63a7f\" data-offset-key=\"dhr1j-0-0\">\n<div class=\"public-DraftStyleDefault-block public-DraftStyleDefault-ltr\" data-offset-key=\"dhr1j-0-0\"><span data-offset-key=\"dhr1j-0-0\">Apple, Google, and Mozilla reduce the lifespan for HTTPS certificates to 398 days, against the wishes of Certificate Authorities.<\/span><\/div>\n<\/div>\n<div class=\"\" data-block=\"true\" data-editor=\"63a7f\" data-offset-key=\"2i53d-0-0\">\n<div class=\"public-DraftStyleDefault-block public-DraftStyleDefault-ltr\" data-offset-key=\"2i53d-0-0\"><span data-offset-key=\"2i53d-0-0\">Following <\/span><span class=\"yj-editor--link-entity\"><span data-offset-key=\"2i53d-1-0\">Apple&#8217;s initial announcement<\/span><\/span><span data-offset-key=\"2i53d-2-0\">, <\/span><span class=\"yj-editor--link-entity\"><span data-offset-key=\"2i53d-3-0\">Mozilla<\/span><\/span><span 
data-offset-key=\"2i53d-4-0\"> and <\/span><span class=\"yj-editor--link-entity\"><span data-offset-key=\"2i53d-5-0\">Google<\/span><\/span><span data-offset-key=\"2i53d-6-0\"> have stated similar intentions to implement the same rule in their browsers.<\/span><\/div>\n<\/div>\n<div class=\"\" data-block=\"true\" data-editor=\"63a7f\" data-offset-key=\"3h6h-0-0\">\n<div class=\"public-DraftStyleDefault-block public-DraftStyleDefault-ltr\" data-offset-key=\"3h6h-0-0\"><span data-offset-key=\"3h6h-0-0\">Starting September 1, 2020, browsers and devices from<\/span><span data-offset-key=\"3h6h-0-1\"> Apple, Google, and Mozilla will show errors for new TLS certificates that have a lifespan greater than 398 days.<\/span><\/div>\n<\/div>\n<div class=\"\" data-block=\"true\" data-editor=\"63a7f\" data-offset-key=\"32rnm-0-0\">\n<div class=\"public-DraftStyleDefault-block public-DraftStyleDefault-ltr\" data-offset-key=\"32rnm-0-0\"><a href=\"https:\/\/github.com\/mozilla\/pkipolicy\/issues\/204\"><span class=\"yj-editor--link-entity\"><span data-offset-key=\"32rnm-0-0\">https:\/\/github.com\/mozilla\/pkipolicy\/issues\/204<\/span><\/span><\/a><\/div>\n<\/div>\n<div class=\"\" data-block=\"true\" data-editor=\"63a7f\" data-offset-key=\"kv2a-0-0\">\n<div class=\"public-DraftStyleDefault-block public-DraftStyleDefault-ltr\" data-offset-key=\"kv2a-0-0\"><a href=\"https:\/\/chromium.googlesource.com\/chromium\/src\/+\/ae4d6809912f8171b23f6aa43c6a4e8e627de784\"><span class=\"yj-editor--link-entity\"><span data-offset-key=\"kv2a-0-0\">https:\/\/chromium.googlesource.com\/chromium\/src\/+\/ae4d6809912f8171b23f6aa43c6a4e8e627de784<\/span><\/span><\/a><\/div>\n<\/div>\n<div class=\"\" data-block=\"true\" data-editor=\"63a7f\" data-offset-key=\"9h131-0-0\">\n<div class=\"public-DraftStyleDefault-block public-DraftStyleDefault-ltr\" data-offset-key=\"9h131-0-0\"><a href=\"https:\/\/support.apple.com\/en-us\/HT211025\"><span class=\"yj-editor--link-entity\"><span 
data-offset-key=\"9h131-0-0\">https:\/\/support.apple.com\/en-us\/HT211025<\/span><\/span><\/a><\/div>\n<\/div>\n<div class=\"\" data-block=\"true\" data-editor=\"63a7f\" data-offset-key=\"equ04-0-0\">\n<div class=\"public-DraftStyleDefault-block public-DraftStyleDefault-ltr\" data-offset-key=\"equ04-0-0\"><span class=\"yj-editor--link-entity\"><span data-offset-key=\"equ04-1-0\">https:\/\/www.zdnet.com\/article\/apple-strong-arms-entire-ca-industry-into-one-year-certificate-lifespans\/<\/span><\/span><\/div>\n<\/div>\n<div class=\"\" data-block=\"true\" data-editor=\"63a7f\" data-offset-key=\"93jfu-0-0\">\n<div class=\"public-DraftStyleDefault-block public-DraftStyleDefault-ltr\" data-offset-key=\"93jfu-0-0\"><span data-offset-key=\"93jfu-0-0\">\u00a0<\/span><\/div>\n<\/div>\n<div class=\"\" data-block=\"true\" data-editor=\"63a7f\" data-offset-key=\"1qenm-0-0\">\n<div class=\"public-DraftStyleDefault-block public-DraftStyleDefault-ltr\" data-offset-key=\"1qenm-0-0\"><span data-offset-key=\"1qenm-0-0\">For IT departments this means we need to invest in automation of the whole certificate process (CSR, install, renew, DH). No email workflows, no manual processes. 
<\/span><\/div>\n<div data-offset-key=\"1qenm-0-0\">Use of <a href=\"https:\/\/en.wikipedia.org\/wiki\/Automated_Certificate_Management_Environment\">ACME<\/a> with pre- and post-installation hooks and DNS validation will now finally become mandatory.<\/div>\n<\/div>\n<div class=\"\" data-block=\"true\" data-editor=\"63a7f\" data-offset-key=\"8spp8-0-0\">\n<div class=\"public-DraftStyleDefault-block public-DraftStyleDefault-ltr\" data-offset-key=\"8spp8-0-0\"><span data-offset-key=\"8spp8-0-0\">\u00a0<\/span><\/div>\n<\/div>\n<div class=\"\" data-block=\"true\" data-editor=\"63a7f\" data-offset-key=\"575qr-0-0\">\n<div class=\"public-DraftStyleDefault-block public-DraftStyleDefault-ltr\" data-offset-key=\"575qr-0-0\"><span data-offset-key=\"575qr-0-0\">About upcoming limits on trusted certificates<\/span><\/div>\n<\/div>\n<div class=\"\" data-block=\"true\" data-editor=\"63a7f\" data-offset-key=\"88n07-0-0\">\n<div class=\"public-DraftStyleDefault-block public-DraftStyleDefault-ltr\" data-offset-key=\"88n07-0-0\"><span data-offset-key=\"88n07-0-0\">In our ongoing efforts to improve web security for our users, Apple is reducing the maximum allowed lifetimes of TLS server certificates.<\/span><\/div>\n<\/div>\n<div class=\"\" data-block=\"true\" data-editor=\"63a7f\" data-offset-key=\"40tm1-0-0\">\n<div class=\"public-DraftStyleDefault-block public-DraftStyleDefault-ltr\" data-offset-key=\"40tm1-0-0\"><span data-offset-key=\"40tm1-0-0\">What&#8217;s changing<\/span><\/div>\n<\/div>\n<div class=\"\" data-block=\"true\" data-editor=\"63a7f\" data-offset-key=\"ec99o-0-0\">\n<div class=\"public-DraftStyleDefault-block public-DraftStyleDefault-ltr\" data-offset-key=\"ec99o-0-0\"><span data-offset-key=\"ec99o-0-0\">TLS server certificates issued on or after September 1, 2020 00:00 GMT\/UTC must not have a validity period greater than 398 days.<\/span><\/div>\n<\/div>\n<div class=\"\" data-block=\"true\" data-editor=\"63a7f\" data-offset-key=\"3cu7u-0-0\">\n<div 
class=\"public-DraftStyleDefault-block public-DraftStyleDefault-ltr\" data-offset-key=\"3cu7u-0-0\"><span data-offset-key=\"3cu7u-0-0\">This change will affect only TLS server certificates issued from the Root CAs preinstalled with iOS, iPadOS, macOS, watchOS, and tvOS. Additionally, this change will affect only TLS server certificates issued on or after September 1, 2020; any certificates issued prior to that date will not be affected by this change.<\/span><\/div>\n<\/div>\n<div class=\"\" data-block=\"true\" data-editor=\"63a7f\" data-offset-key=\"b4q1f-0-0\">\n<div class=\"public-DraftStyleDefault-block public-DraftStyleDefault-ltr\" data-offset-key=\"b4q1f-0-0\"><span data-offset-key=\"b4q1f-0-0\">Connections to TLS servers violating these new requirements will fail. This might cause network and app failures and prevent websites from loading.<\/span><\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\u00a0 Apple, Google, and Mozilla reduce the lifespan for HTTPS certificates to 398 days, against the wishes of Certificate Authorities. 
Following Apple&#8217;s initial announcement, Mozilla<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[34,35,30,18],"tags":[],"jetpack_publicize_connections":[],"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/bretterhofer.at\/blog\/wp-json\/wp\/v2\/posts\/796"}],"collection":[{"href":"https:\/\/bretterhofer.at\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bretterhofer.at\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bretterhofer.at\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/bretterhofer.at\/blog\/wp-json\/wp\/v2\/comments?post=796"}],"version-history":[{"count":1,"href":"https:\/\/bretterhofer.at\/blog\/wp-json\/wp\/v2\/posts\/796\/revisions"}],"predecessor-version":[{"id":797,"href":"https:\/\/bretterhofer.at\/blog\/wp-json\/wp\/v2\/posts\/796\/revisions\/797"}],"wp:attachment":[{"href":"https:\/\/bretterhofer.at\/blog\/wp-json\/wp\/v2\/media?parent=796"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bretterhofer.at\/blog\/wp-json\/wp\/v2\/categories?post=796"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bretterhofer.at\/blog\/wp-json\/wp\/v2\/tags?post=796"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}