{"id":12093,"date":"2020-02-20T14:16:16","date_gmt":"2020-02-20T19:16:16","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=12093"},"modified":"2020-08-24T14:58:58","modified_gmt":"2020-08-24T18:58:58","slug":"ssl-certificate-validity-will-be-limited-to-one-year-by-apples-safari-browser","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/ssl-certificate-validity-will-be-limited-to-one-year-by-apples-safari-browser\/","title":{"rendered":"SSL Certificate Validity Will Be Limited to One Year by Apple\u2019s Safari Browser"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Starting Sept. 1, Safari will no longer trust SSL\/TLS certificates with\nvalidity periods longer than 398 days<\/h2>\n\n\n\n<p>Starting Sept. 1, Apple&#8217;s Safari browser will no longer trust SSL\/TLS leaf certificates with validity of more than 398 days. (This is the equivalent of a one-year certificate plus the renewal grace period.) Other types of SSL\/TLS certs, including intermediates and roots, are unaffected. <\/p>\n\n\n\n<p>Apple announced their unilateral decision on Feb. 19 at a face-to-face meeting of the CA\/Browser Forum (CA\/B Forum), the industry standards group that consists primarily of <a href=\"https:\/\/www.thesslstore.com\/blog\/what-is-a-certificate-authority-ca-and-what-do-they-do\/\">certificate authorities<\/a> and several of the major browsers. <\/p>\n\n\n\n<p>While we haven\u2019t found any formal posting by Apple about this change, we were able to verify this information with\nsome of our CA partners who were in the meeting. The good news is that this\nchange doesn\u2019t really come as a surprise, and the SSL industry is ready for it \u2014\nso there won\u2019t be any major impacts to customers or service providers.<\/p>\n\n\n\n<p>So, what exactly has transpired here? And, more importantly,\nwhat does this all mean for you, the user or seller of SSL\/TLS certificates? 
<\/p>\n\n\n\n<p>Let\u2019s hash it out.<span id=\"newline\"><\/span><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Is Shorter Validity a Good Thing?<\/h2>\n\n\n\n<p>We knew it was only a matter of time before this type of initiative would occur. Last year, we wrote about how <a href=\"https:\/\/www.thesslstore.com\/blog\/one-year-certificate-validity-is-about-to-be-on-the-ballot-again\/\">one-year certificate validity<\/a> was back on the ballot of the CA\/B Forum. The idea here is that the shorter an SSL\/TLS leaf certificate\u2019s validity period, the more secure the certificate is. <\/p>\n\n\n\n<p>That\u2019s the argument that\u2019s been made for several years for\nwhy browsers wanted to cap the maximum validity for SSL\/TLS certificates at 1\nyear. The theory is that when SSL\/TLS certificates must be renewed after\na shorter period: <\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Any security updates to certificates roll out into the wild more quickly.<\/li><li>Websites are theoretically more secure\nbecause new keys are generated regularly. <\/li><\/ul>\n\n\n\n<p>SSL\/TLS leaf certificates used to have a maximum validity of five years (for domain and organization validated certificates). However, a compromise was ultimately struck that led to certificate validity being reduced to a maximum of three years, and then later, it was capped at two years for all SSL\/TLS leaf certs.<\/p>\n\n\n\n<p>Last year, Google\u2019s Ryan Sleevi <a href=\"https:\/\/www.thesslstore.com\/blog\/ssl-certificates-one-year-max-validity-ballot-fails-at-the-ca-b-forum\/\">introduced a ballot at the CA\/B Forum<\/a> that pushed for a maximum one-year validity for SSL\/TLS certificates. 
The initiative ultimately failed, but it looks like Apple has picked up where Google left off in the fight for shorter validity. <\/p>\n\n\n\n<p>Today, Tim Callan at Sectigo posted the following on his\nLinkedIn page: <\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"550\" height=\"335\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/02\/secitgo-certificate-validity-post.png\" alt=\"\" class=\"wp-image-12094 addshadow\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/02\/secitgo-certificate-validity-post.png 550w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/02\/secitgo-certificate-validity-post-300x183.png 300w\" sizes=\"auto, (max-width: 550px) 100vw, 550px\" \/><\/figure><\/div>\n\n\n\n<p>Honestly, we knew it was only a matter of time before this move\nwould be made. We just figured it would have been Google or Mozilla making the\nfirst move. But, regardless of who made the first move, there are a few things\nyou should know.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What Does This Mean for Your Website and Customers?<\/h2>\n\n\n\n<p>Safari is one of the internet\u2019s two leading web browsers. <a href=\"https:\/\/www.w3counter.com\/globalstats.php\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">W3Counter<\/a> lists Safari\u2019s browser market share at 17.7% as of January 2020. That puts it behind only Google Chrome (58.2%) and ahead of Microsoft Internet Explorer and Edge (7.1%). So, as you can imagine, you want to ensure that your website \u2014 and your customers\u2019 websites \u2014 are trusted by Safari. 
<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"847\" height=\"290\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/02\/w3counter-browser-market-share.png\" alt=\"\" class=\"wp-image-12095 addshadow\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/02\/w3counter-browser-market-share.png 847w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/02\/w3counter-browser-market-share-300x103.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/02\/w3counter-browser-market-share-768x263.png 768w\" sizes=\"auto, (max-width: 847px) 100vw, 847px\" \/><figcaption>Image courtesy of W3Counter:  https:\/\/www.w3counter.com\/globalstats.php. <\/figcaption><\/figure><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">What\nSite Admins Need to Know<\/h3>\n\n\n\n<p>Essentially, any SSL\/TLS certificates issued\nprior to Sept. 1, 2020 are not affected by this change. They\u2019ll remain valid\n(barring any unrelated certificate revocations) for the entire two-year period\nand won\u2019t need to be modified or replaced. However, any certificates that are\nissued on or after Sept. 1 will need to be renewed every year to remain trusted\nby Safari. <\/p>\n\n\n\n<p>What this means is that you\u2019ll want to\nstreamline and improve your existing certificate management practices. For\nlarger organizations, in part, this entails using a reliable certificate\nmanagement solution and no longer relying on manual cert management. <\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What\nCertificate Resellers Need to Know<\/h3>\n\n\n\n<p>In a nutshell, you can continue issuing\ntwo-year certificates until Aug. 31, 2020 that your customers can use until\nthey expire. Any certificates that you issue after that date, however, would\nneed to be issued with one-year validity to remain valid as far as Safari is\nconcerned. 
<\/p>\n\n\n\n<p>This means that any two-year\ncertificates that you sell will need to be re-issued after one year in order to\ncontinue being trusted by the browser.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">A\nNew Option: Multi-Year Subscription SSL<\/h3>\n\n\n\n<p>Luckily for you, the leading CAs saw\nthe writing on the wall. They decided to create new certificate lifecycle\nautomation options and subscription plans that would make certificate\nmanagement easier for shorter certificate lifecycles. <\/p>\n\n\n\n<p>Some CAs announced a new option for\npurchasing\/implementing SSL. Sectigo rolled out their SSL subscription plan\nmonths ago and DigiCert will roll out their multi-year plans before September.\nWith these multi-year subscription-based SSL services, webmasters can purchase\ncoverage for longer periods and reissue their certificate as often as they need\nwith the maximum allowed validity period. <\/p>\n\n\n\n<p>There are a few benefits to this\noption: <\/p>\n\n\n\n<ol class=\"wp-block-list\"><li><strong>Cost:<\/strong> It allows customers to continue receiving a multi-year pricing discount, which saves money, and<\/li><li><strong>Time:<\/strong> Customers only have to purchase the subscription once and not worry about it again for five years (especially useful if you need to get purchases approved by your accounting department).<\/li><\/ol>\n\n\n\n<p>So, basically, customers can purchase\nSSL coverage for an extended time period (for example, 5 years) and then just\nre-issue their certificate each year to update it \u2014 while saving money and time.\nThat sounds like a win-win for everyone. 
<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What\u2019s Next<\/h2>\n\n\n\n<p>It was only a matter of time before we\u2019d see this type of\npush for one-year certificate validity by one of the browsers. Once one browser\nmakes the move, it means that all of the CAs will change their certificates\nfrom two years to one year regardless of what the other browsers do. <\/p>\n\n\n\n<p>We\u2019re not worried and you shouldn\u2019t be, either. This move by\nApple won\u2019t leave you stranded as a customer or reseller because the CAs have\nalready put solutions in place that will help. With SSL subscription plans and certificate\nmanagement solutions available, it\u2019ll be a pretty straightforward transition that,\nhopefully, will have the intended effect \u2014 greater website security and\nimproved certificate management. <\/p>\n\n\n\n<p><em>As always, leave any comments or questions below\u2026<\/em> <\/p>\n","protected":false},"excerpt":{"rendered":"<p>Starting Sept. 1, Safari will no longer trust SSL\/TLS certificates with validity periods longer than 398 days Starting Sept. 
1, Apple&#8217;s Safari browser will no longer trust SSL\/TLS leaf certificates&#8230;<\/p>\n","protected":false},"author":17,"featured_media":12096,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[130,17,10200],"tags":[171,583,203],"class_list":["post-12093","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-everything-encryption","category-industry-lowdown","category-monthly-digest","tag-browsers","tag-certificate-validity","tag-safari","post-with-tags"],"views":98295,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/02\/apple-logo.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/12093","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=12093"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/12093\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/12096"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=12093"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=12093"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/
blog\/wp-json\/wp\/v2\/tags?post=12093"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}