Google Chrome to Join Apple’s Safari in One Year Certificate Validity

One year validity for SSL/TLS certificates has been a hot topic of conversation within the CA/B Forum for years — Google’s latest announcement goes to show that shorter validity is absolutely happening

It’s no secret that Google has been championing shorter certificate validity within the CA/Browser Forum (CA/B Forum) for years. At the end of last week, a well-known voice within the forum posted on Twitter that the tech giant will cap public SSL/TLS certificates at a maximum validity of 398 days (roughly one year) starting Sept. 1. This might sound like a big move, but it doesn’t actually change anything, because it was already happening.

Although their past efforts to push one year validity had previously failed, Google is ultimately getting what they want after Apple announced in February that they were leading the charge on this one. That made for a nice early birthday present for Google. But hey, it’s all for the greater good of security, right?

So, what does this actually mean to you as a website owner or administrator? Or as a certificate reseller?

Let’s hash it out.

For Most People, Google’s Move to One Year Validity Doesn’t Really Change Anything

On June 11, Dean Coclin, chair emeritus of the CA/B Forum, broke the news on Twitter that Google will be following Apple’s lead in limiting the validity of public SSL/TLS certificates starting Sept. 1.

Technically, we’re still waiting to read the minutes from the meeting. (They haven’t been posted yet because the meeting minutes have to be approved at the next meeting on June 18.)

The idea behind the move to one year validity is that certificates with shorter lifespans have to be reissued more often. That means keys get rotated more often, the details in a certificate get re-validated more often, and a certificate that was mis-issued or whose private key was compromised is trusted for a shorter window (which matters because revocation checking in browsers is far from reliable). And this is great, we’re all for more secure certificates. But on a granular level, what does this move by Google really mean to a website administrator/owner or an SSL/TLS certificate reseller?

In reality, not much. Despite how it may seem, not a lot has really changed for site admins.  

The reason we say that is that Google’s announcement is more of a formality than anything else. When we broke the news about Apple’s hushed announcement of its move to one year certificate validity back in February, we shared that Safari would stop trusting public SSL/TLS certificates issued on or after Sept. 1 with a validity period longer than 398 days. We knew this move would push the other browsers to do the same, and it would force the world’s certificate authorities to issue certificates that comply: a CA that kept issuing two-year certificates would be selling certificates that Safari rejects. It was only a matter of time before everyone would have to fall in line.

And considering that Google Chrome and Safari are the world’s two leading web browsers in terms of market share, it’s no surprise that the other browsers will simply follow suit.

[Image: web browser market share bar chart. Source: W3Counter]

This means that regardless of whether Google chose to make an announcement, the industry was already moving to one year validity by Sept. 1 at the latest.

So, If “Not Much Has Changed,” Why Are We Even Talking About This?

Well, even if nothing has truly changed from a 30,000-foot perspective, it’s still worth mentioning that Google is making the change official. (We also like to keep our readers in the loop about the changes that go on within the industry, so there’s that, too.) But this change doesn’t mean that life is going to suck for the people who handle certificates — let’s rehash how this move to one year validity will affect your organization.

How One Year Validity Affects Site Admins

Going from two year certificate validity to one year means that your certificate lifecycle is, essentially, cut in half. Every certificate now has to be renewed and installed twice as often, so there are twice as many chances to miss an expiration (and an expired certificate means browser warnings and failed connections, not a quiet degradation). Tracking expiration dates and the renewal process needs to be a priority more than ever.

But it’s not all bad. As a website admin, this may mean that you’ll have more interaction with the site owner. This can serve as a touch point opportunity, where you can gently remind the customer of your value or even sell them something new. Either way, it’s a win-win opportunity for you.

If you’re both the site admin and owner, then this change means that you’ll simply have a little more busywork in terms of certificate management. The plus side, though, is that you’ll have greater confidence that you’re more secure because:

  • Your certificate keys are rotated more frequently (provided you generate a new key pair and CSR at each renewal; reissuing against the same CSR reuses the old private key)
  • The information in your certificates (domain names, organization details) is re-validated more often, so it is less likely to be stale
  • You don’t have to worry as much about things like hash algorithms being deprecated mid-lifecycle (and you not knowing it), leaving you with certificates that browsers no longer accept

This also serves as an important reminder for our site admins: If you want to keep taking advantage of certificates with two-year validity, you’d best get a move on. The cutoff is based on the certificate’s issuance date (its notBefore field), not on when you placed the order, so order and complete validation now so that the certificate is actually issued before Sept. 1. Barring any revocations, it will then be trusted by both Safari and Chrome for the full two years. Essentially, certificates issued before Sept. 1 are grandfathered in. But if you wait until on or after Sept. 1, you’ll be limited to 398-day validity.

SSL ‘Subscription’ Packages Offer Up to 5 Year Coverage

Of course, even after Sept. 1, you can still buy 1- to 5-year coverage through multi-year subscription plans. Commercial certificate authorities (CAs) like Sectigo and DigiCert are rolling out these plans prior to Sept. 1 so their customers can keep taking advantage of multi-year discounts: the more years you buy per certificate, the lower the cost per year, which saves you money in the long run. The difference is that the subscription covers a series of certificates, each valid for at most 398 days, so you’ll have to reissue and install a new certificate each year. Sorry, there’s just no way around it.

Now’s a Great Time to Implement Certificate Automation

If you’re worried that managing hundreds or potentially thousands of certificates is going to be an issue for your organization, you have good reason: every one of them now comes up for renewal twice as often. But there’s a silver lining: there are certificate lifecycle automation tools that track issuance, expirations, revocations and renewals for you, and the better ones also install the renewed certificate so there is no manual step left to forget.
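As an added example (not from the original article and not The SSL Store’s or any CA’s code), here is a small Python script that does the two checks the advice above and in the “How One Year Validity Affects Site Admins” section boil down to: it reads the notBefore/notAfter dates straight out of a PEM certificate with a minimal DER walker (no third-party library), flags any certificate issued on or after Sept. 1, 2020 whose lifetime exceeds 398 days, and warns when a certificate is inside a renewal lead time. The certificates it runs against are constructed, unsigned DER skeletons built by make_stub_cert_pem that follow the real RFC 5280 field order but are not real certificates; the 30-day renewal lead time is an assumed value, and the parser only reads the validity field and verifies nothing.

```python
import base64
from datetime import datetime, timedelta, timezone

# Policy the article describes: certificates issued on or after 1 Sept 2020
# must not be valid for more than 398 days.
POLICY_CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)
MAX_VALIDITY_DAYS = 398


def _read_tlv(buf, pos):
    """Decode one DER element at buf[pos]; returns (tag, value, next_pos).
    Single-byte tags only, which is all X.509 structures use."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(seq):
    """Split the contents of a SEQUENCE into a list of (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        out.append((tag, val))
    return out


def _parse_time(tag, val):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    s = val.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"  # RFC 5280 two-digit year rule
    elif tag != 0x18:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def validity_from_pem(pem):
    """Return (notBefore, notAfter) by walking Certificate -> tbsCertificate -> validity."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    _, cert, _ = _read_tlv(base64.b64decode(body), 0)  # Certificate SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)                      # tbsCertificate SEQUENCE
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                            # optional EXPLICIT [0] version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    (nb_tag, nb), (na_tag, na) = _children(fields[3][1])
    return _parse_time(nb_tag, nb), _parse_time(na_tag, na)


def assess(pem, now, renew_lead_days=30):
    """Apply the 398-day rule plus an (assumed) 30-day renewal reminder to one cert."""
    not_before, not_after = validity_from_pem(pem)
    lifetime = (not_after - not_before).days
    days_left = (not_after - now).days
    issues = []
    if not_before >= POLICY_CUTOFF and lifetime > MAX_VALIDITY_DAYS:
        issues.append(f"lifetime {lifetime}d exceeds {MAX_VALIDITY_DAYS}d limit for certs issued on/after 2020-09-01")
    if days_left < 0:
        issues.append("expired")
    elif days_left <= renew_lead_days:
        issues.append(f"renew now: {days_left} days left")
    return {"lifetime_days": lifetime, "days_left": days_left, "issues": issues}


# --- constructed test input: a hypothetical, unsigned DER skeleton, NOT a real certificate ---
def _tlv(tag, val):
    if len(val) < 0x80:
        return bytes([tag, len(val)]) + val
    lb = len(val).to_bytes((len(val).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + val


def make_stub_cert_pem(not_before, not_after):
    """Real field order, empty names/key/signature; enough to exercise the parser offline."""
    def utc(d):
        return _tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))  # sha256WithRSA
    empty_name = _tlv(0x30, b"")
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg + empty_name
           + _tlv(0x30, utc(not_before) + utc(not_after)) + empty_name + _tlv(0x30, b""))
    der = _tlv(0x30, _tlv(0x30, tbs) + alg + _tlv(0x03, b"\x00"))
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def run_demo(now=None):
    """Check constructed stand-ins for the cases the article discusses; returns {label: result}."""
    now = now or datetime(2020, 9, 15, tzinfo=timezone.utc)
    day = timedelta(days=1)
    cases = {
        "2yr issued on cutoff": (POLICY_CUTOFF, POLICY_CUTOFF + 730 * day),
        "2yr issued before cutoff": (datetime(2020, 8, 15, tzinfo=timezone.utc),
                                     datetime(2022, 8, 15, tzinfo=timezone.utc)),
        "398d expiring in 10 days": (now - 388 * day, now + 10 * day),
        "expired yesterday": (now - 399 * day, now - 1 * day),
    }
    return {label: assess(make_stub_cert_pem(nb, na), now) for label, (nb, na) in cases.items()}


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(f"{label}: {result}")
```

Point validity_from_pem at a real PEM file from your own inventory to run the same check on production certificates; it only walks Certificate -> tbsCertificate -> validity per RFC 5280 and ignores everything else, so it is a monitoring aid, not a validator.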


How One Year Validity Affects Certificate Providers

Basically, the message here to resellers is to just keep doing what you’re doing in terms of selling two year certs, that is, until Aug. 31. Any certificate issued on or after Sept. 1 will be capped at 398 days, so multi-year purchases made from that date on will need to be reissued annually by your customers.

So, be sure to communicate the upcoming one year validity change to your customers so they can take advantage of the two year certs while they still have the chance. Otherwise, after Sept. 1, be sure to remind all of your customers of the one year expiration so that they can reissue their certificates before they expire (and you can avoid a bunch of angry phone calls or emails).

Basically, be proactive and helpful. Providing the best service to your customers also entails keeping them informed about the changes going on within the industry with regard to the browsers.

Final Thoughts

Google’s latest announcement, although it sounds major, is just one more step toward the inevitability of one year validity for SSL/TLS certificates. Since Apple cleared the way with its ask-for-forgiveness-instead-of-permission approach, Google has clear passage to do what it has wanted to do for several years. The only change is that Google has now put its official stamp on it. Starting Sept. 1, 2020, all of the major certificate authorities will issue public SSL/TLS certificates with a maximum validity of 398 days.

As always, leave any comments or questions below…

16 comments
  • Thanks for the article.
    Do you think they will go further and shorten the validity down to 6, then 3 months, and so on? If so, when are they going to call it a day?

    • Hi, Ivan! That’s a very good question. The move to one-year validity was already a bold but necessary move. While I don’t foresee the browsers moving toward a push for 9-, 6- or 3-month validity very soon, I wouldn’t be surprised if we see things eventually move in that direction in the future.

      Shorter validity periods will be easier to manage as automation solutions mature and are adopted more widely. Small businesses are also realizing that good website security includes more than just SSL, so we expect “all in one” security platforms (that can include SSL automation) to continue growing in popularity.

  • Has the ballot been voted at CA/B or is it just Apple and Google going their own way? Will CAs be bound to only offer certificates valid 1 year?

    • Hi, Marcello! Thanks for reaching out. Yes, the ballot was voted on last year at the CA/B Forum and ultimately failed (https://www.thesslstore.com/blog/ssl-certificates-one-year-max-validity-ballot-fails-at-the-ca-b-forum/). However, Apple set things in motion when they decided to move forward on their own back in February with their announcement. This paved the way toward Google making their move without the official blessing of the CA/B Forum.

      As far as I know, all CAs will stop issuing two year certificates by Sept. 1, 2020 to ensure all their certificates are trusted by the two largest web browsers — which, together, represent more than 77% of the overall browser market share.

  • If you buy a 5-year certificate and you need to re-issue every year, are we going to get a notification for re-issue every year and, after 5 years, a certificate renewal notification?

    • Hi, Zveky! Thank you for reaching out as well. Yes, provided you’re working with a good SSL provider, you should receive a notification that reminds you to re-issue your certificate. For example, The SSL Store’s customers will receive a reminder email each year that’s sent 30 days out from when their certs need to be re-issued. Additionally, those customers will receive notifications about their 5-year expiration as well 30 days ahead of when the certs are set to expire.

  • I don’t like the idea that Google can essentially dictate things like this. Google already has too much power and power corrupts absolutely. One of the original principles of Internet was that it was a distributed model and no one “owned” it. That seems to have fallen by the wayside, which is a loss for everyone.

  • Do you have any idea if there will be an official announcement from Google? Do you know if this will affect certificates issued by internal CAs? The Safari change only affects certificates issued by Public CAs and I need to know if Google is doing the same.

    • Hi, Bill! That’s the hope. We know when Apple made their announcement at the face-to-face CA/B Forum meeting back in February, it was a few weeks before they officially made an announcement about it (https://support.apple.com/en-us/HT211025). In their Safari-related announcement, they specified that it would affect only public SSL/TLS certs.

      So, the hope here would be that Google will follow suit and also make an announcement with more specific details as we get closer to Sept. 1. Stay tuned.

    • Hi, Mayuresh! We’re still waiting on more specific details. However, if they’re following Apple’s lead, then the change will likely only affect public SSL/TLS certificates.

  • What is frustrating here is Google has not announced anything and this is literally the only article I can find on this subject. I appreciate this article since otherwise I would have never known. Though, why does a social media post from members of the CA/B who are not directly showing as a representative of Google count as an announcement? Why is Google not making this change public knowledge with an official announcement?

    • Hi, David. The change is still a couple months out… so, hopefully, Google will make an official announcement with more details once we get closer to that date.

  • I agree with Andrew. Apple is horrible about thumbing their nose at the world and just doing what they want. Google is almost the same way now. Too bad they dropped the slogan “Don’t be evil.” As for the 1 year limit, it will cause a huge amount of work for some. I work for a hosting provider and this creates a TON of extra work. We don’t make money from certs because the customer sees prices so cheap on the internet and we can’t charge enough to pay the staff to install them. It’s still a fairly painful experience. It’s very hard to get customers to respond to notices about expiration. We could send a message every day for 30 days and they still would let it expire and blame us for not telling them.


Author

Casey Crane

Casey Crane is a regular contributor to Hashed Out with 10+ years of experience in journalism and writing, including crime analysis and IT security. She also serves as the SEO Content Marketer at The SSL Store.