Apple - SSL/TLS trouble maker on September 1st, 2020?
Following CA/Browser Forum restrictions about improving security on the web, the international regulation of SSL certificates validity is changing. It is not a first time when maximum validity of certificate drops, but this time important early adopter of guidelines MAY shake your e-business/website.
Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates
Historically, there was no limit on certificate validity periods.
2012 release of the CA/Browser Forum Baseline Requirements set the maximum lifetime to 60 months with a requirement to reduce the lifetime to 39 months (~1185 days) in 2015.
In March 1st, 2018 CA/Browser Forum again reduced SSL/TLS certificate lifetimes from 39 months (~1185 days) to 27 months (stated as 825 days for computational ease).
This year, in February 2020, the Certificate Authorities have agreed to reduce the lifetime of an SSL certificate to 12 months maximum. This measure will take effect on September 1st, 2020.
Apple, CA/Browser Forum follower, adopts quickly
Change is in the air for security in Safari web browser. Starting September 1st, 2020, the maximum length of an SSL certificate accepted by Apple’s native web browser will be 398 days. Which is to say, HTTPS certificates that expire more than 13 months after their creation will no longer be accepted.
Safari will no longer display sites that don’t follow this new rule: an invalid certificate will cause a break in the HTTPS connection which will in turn entail an error message when trying to access the site in question. While the decision has not yet been put into effect, Google, via Chrome browser, had previously signaled last year that they would follow a similar decision.
Is Shorter Validity a Good Thing?
The theory says that the shorter an SSL/TLS leaf certificate’s validity period, the more secure the certificate is. We agree that shorter validity period (better) prevents Brute Force Cryptoanalytic Attacks. Updated CA/Browser Forum guidelines often force CAs to eliminate weak signature algorithms, forbid weak ciphers and enforce secure key lengths.
Validate your SSL/TLS certificate and issue new one when required
SSL/TLS leaf certificates used to have a maximum validity of five years (for domain and organization validated certificates). However, a compromise was ultimately struck that led to certificate validity being reduced to a maximum of three years, and then later, it was capped at two years for all SSL/TLS leaf certs. Now we should adopt to 12 months renewal periods. SSL cert offers with 12+ months of validity should not be considered anymore by buyers. Moreover: more developed CAs have already withdrawn 12M+ certs from their offers.
We encourage you to check your certificate details with Qualys SSL analyzer.
Prepare yourself in advance and avoid Apple devices restrictions!
Can you help?
Generally no, as it is a homework for your sysadmin and hosting provider. We are trying to help now by spreading a word and saving your (e-)business from troubles. Some hosting providers already contacted their customers and started to renew certificates with shorter validity/expiry date. You are in a good hands if you were mailed already.