Browser manufacturers shorten certificate lifespan to one year
From September, HTTPS certificates may only be issued for a maximum of one year.
The maximum validity of certificates that prove identity on the web is being reduced further, in the next step to one year. In September, a vote on this in the CA/Browser Forum failed because of resistance from the certification authorities. In March, however, Apple pressed ahead and announced that Safari will only accept certificates issued after September 1, 2020 if they are valid for no more than one year.
Now Mozilla and Google are following suit and creating a fait accompli. In the past, terms of 5 years were not uncommon. At the moment, certificates can still be issued for 2 years (more precisely 825 days, plus a small grace period). With the renewed tightening, Chrome reports ERR_CERT_VALIDITY_TOO_LONG for any certificate that was issued after September 1, 2020 and is valid for more than 398 days.
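To make the two limits concrete, here is an added example (not code from the article or from any browser vendor) that applies the rule described above to the dates a certificate carries. It reads the text that `openssl x509 -noout -dates -in cert.pem` prints, computes the validity period, and decides whether the 398-day limit (for certificates issued from September 1, 2020) or the previous 825-day limit applies. The sample date lines are constructed, and treating September 1, 2020 itself as falling under the new rule is an assumption of this example; the functions `parse_openssl_dates` and `check_validity` are hypothetical names, not a real API.

```python
"""Check a certificate's validity period against the browser limits described
in the article: certificates issued on or after 1 September 2020 may be valid
for at most 398 days; older certificates fall under the previous 825-day limit.

Input is the text printed by `openssl x509 -noout -dates -in cert.pem`, e.g.
    notBefore=Sep  2 00:00:00 2020 GMT
    notAfter=Sep  2 00:00:00 2022 GMT
"""
import ssl
from datetime import datetime, timezone

# Assumption of this example: the cutoff day itself already counts as "new".
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)
MAX_DAYS_NEW = 398   # limit for certificates issued from the cutoff onwards
MAX_DAYS_OLD = 825   # previous limit, still applies to older certificates


def parse_openssl_dates(text):
    """Return (notBefore, notAfter) as UTC datetimes from openssl's -dates output."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key in ("notBefore", "notAfter"):
            # ssl.cert_time_to_seconds understands OpenSSL's
            # "%b %d %H:%M:%S %Y GMT" format and interprets it as UTC.
            seconds = ssl.cert_time_to_seconds(value.strip())
            fields[key] = datetime.fromtimestamp(seconds, tz=timezone.utc)
    if "notBefore" not in fields or "notAfter" not in fields:
        raise ValueError("expected both a notBefore and a notAfter line")
    return fields["notBefore"], fields["notAfter"]


def validity_days(not_before, not_after):
    """Length of the validity period in days (fractional)."""
    return (not_after - not_before).total_seconds() / 86400


def check_validity(text):
    """Return (accepted, reason) for the certificate dates in `text`."""
    not_before, not_after = parse_openssl_dates(text)
    days = validity_days(not_before, not_after)
    limit = MAX_DAYS_NEW if not_before >= CUTOFF else MAX_DAYS_OLD
    if days > limit:
        return False, f"valid for {days:.0f} days, exceeds the {limit}-day limit"
    return True, f"valid for {days:.0f} days, within the {limit}-day limit"


# Constructed sample inputs (not real certificates).
NEW_TOO_LONG = "notBefore=Sep  2 00:00:00 2020 GMT\nnotAfter=Sep  2 00:00:00 2022 GMT\n"
NEW_OK = "notBefore=Sep  2 00:00:00 2020 GMT\nnotAfter=Sep  2 00:00:00 2021 GMT\n"
OLD_LONG = "notBefore=Aug  1 00:00:00 2020 GMT\nnotAfter=Aug  1 00:00:00 2022 GMT\n"

if __name__ == "__main__":
    for name, sample in [("new, 2 years", NEW_TOO_LONG),
                         ("new, 1 year", NEW_OK),
                         ("issued before cutoff, 2 years", OLD_LONG)]:
        accepted, reason = check_validity(sample)
        print(f"{name}: {'accepted' if accepted else 'REJECTED'} ({reason})")
```

The third sample illustrates the point made later in the article: a two-year certificate issued before the cutoff stays within the old 825-day limit and is still accepted, while the same term issued after September 1, 2020 is not.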
The main reason for the steady shortening of certificate lifetimes is that there is no generally working revocation mechanism for withdrawing a certificate. Certificate revocation lists (CRLs) and the Online Certificate Status Protocol (OCSP) have proven unsuitable and are now switched off by default.
The browser manufacturers still maintain their own internal blacklists, which they can use to react to acute incidents. But this is essentially a manual process that can only cover the most significant cases. Ultimately, the browser manufacturers are now focusing on damage limitation: if, for example, the private key belonging to a certificate is stolen, an expiry date that arrives as soon as possible should contain the problem.
No Action Required for Users
Let's Encrypt, which now dominates the market, pioneered this and only issues its certificates for 3 months anyway; renewal is automated via ACME. According to Mozilla, the other certification authorities have also agreed to issue certificates for no more than 398 days from September 1. Given this demonstration of power by the browser manufacturers, there is probably not much else they can do.
As a website operator, you don't have to do anything, even if you still have a certificate with a longer validity period. The new rule only applies to certificates issued after September 1, 2020.