Beginning September 1st, 2020, the new maximum SSL/TLS certificate validity will be 398 days or roughly 13 months. Apple and Google announced changes to their root programs earlier this year, sparking the change. (More on root programs in a minute.)
The key points to take away from this change are:
- Two-year certificates issued before September 1st, 2020, will continue to be valid until their expiration dates. Renewals will only be available for the new maximum certificate validity period (13 months/398 days).
- Renewing, reissuing, or reprocessing a two-year certificate after September 1st, 2020, will result in a 398-day renewal. Remember that many certificate changes require a reissue. That includes adding or removing a domain from a certificate, changing organization information, or replacing the private/public key pair.
- In the past 31 months, certificate validity periods have gone from three to two to now (slightly over) one year. If the major root programs have their way, that trend will continue. We can expect renewal periods to become increasingly shorter. If you manage several SSL/TLS certificates, you should begin moving toward renewal automation. That will help prevent certificate expiration.
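The three points above boil down to a check you can automate: how long is each certificate's validity window, was it issued before or after the September 1st, 2020 cutoff, and how close is it to expiry. The script below is an added example (not GreenGeeks' code or anything from the article) that runs that check over a constructed inventory. The notBefore/notAfter strings use the same format Python's ssl.SSLSocket.getpeercert() returns, so the same functions can be pointed at certificates read off a live connection; the name key, the sample hosts, the fixed audit time and the 30-day renewal lead time are assumptions made for this example.

```python
"""Check certificates against the 398-day maximum and flag upcoming renewals.

The notBefore/notAfter values are in the string format returned by
ssl.SSLSocket.getpeercert(), so the checks apply equally to certificates read
from a live connection or kept in an inventory. All sample data is constructed.
"""
import ssl
from datetime import datetime, timezone

MAX_VALIDITY_DAYS = 398                                # new maximum lifetime
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)     # issuance on/after this date is capped
RENEW_LEAD_DAYS = 30                                   # assumed renewal lead time (not from the article)


def parse_cert_time(cert_time: str) -> datetime:
    """Convert a getpeercert()-style date, e.g. 'Sep  1 00:00:00 2020 GMT', to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def validity_days(cert: dict) -> int:
    """Whole days between notBefore and notAfter."""
    return (parse_cert_time(cert["notAfter"]) - parse_cert_time(cert["notBefore"])).days


def exceeds_max_validity(cert: dict) -> bool:
    """True when a certificate issued on or after the cutoff is longer than 398 days.
    Certificates issued before the cutoff keep their original (two-year) validity."""
    return parse_cert_time(cert["notBefore"]) >= CUTOFF and validity_days(cert) > MAX_VALIDITY_DAYS


def days_until_expiry(cert: dict, now: datetime) -> int:
    """Whole days left before notAfter; negative once the certificate has expired."""
    return (parse_cert_time(cert["notAfter"]) - now).days


def classify(cert: dict, now: datetime) -> str:
    """One status per certificate, most severe condition first."""
    if exceeds_max_validity(cert):
        return "INVALID_LIFETIME"      # root programs will not trust it
    left = days_until_expiry(cert, now)
    if left < 0:
        return "EXPIRED"
    if left <= RENEW_LEAD_DAYS:
        return "RENEW_NOW"
    return "OK"


def audit(certs: list, now: datetime) -> list:
    """Return one finding per certificate, most urgent first."""
    order = {"INVALID_LIFETIME": 0, "EXPIRED": 1, "RENEW_NOW": 2, "OK": 3}
    findings = [
        {
            "name": cert["name"],
            "validity_days": validity_days(cert),
            "days_left": days_until_expiry(cert, now),
            "status": classify(cert, now),
        }
        for cert in certs
    ]
    return sorted(findings, key=lambda f: (order[f["status"]], f["days_left"]))


# Constructed sample inventory: names and dates are made up for this example.
SAMPLE_CERTS = [
    {"name": "pre-cutoff-2y.example",  "notBefore": "Aug 15 00:00:00 2020 GMT", "notAfter": "Aug 15 00:00:00 2022 GMT"},
    {"name": "exactly-398.example",    "notBefore": "Sep  1 00:00:00 2020 GMT", "notAfter": "Oct  4 00:00:00 2021 GMT"},
    {"name": "post-cutoff-2y.example", "notBefore": "Sep 15 00:00:00 2020 GMT", "notAfter": "Sep 15 00:00:00 2022 GMT"},
    {"name": "ninety-day.example",     "notBefore": "Jun  1 00:00:00 2021 GMT", "notAfter": "Aug 30 00:00:00 2021 GMT"},
    {"name": "lapsed.example",         "notBefore": "Jan  1 00:00:00 2020 GMT", "notAfter": "Jan  1 00:00:00 2021 GMT"},
]
AUDIT_TIME = datetime(2021, 8, 10, tzinfo=timezone.utc)   # fixed "now" so the run is reproducible

if __name__ == "__main__":
    for f in audit(SAMPLE_CERTS, AUDIT_TIME):
        print(f"{f['status']:<17} {f['name']:<24} validity={f['validity_days']:>4}d  left={f['days_left']:>5}d")
```

The two-year certificate issued on August 15th is reported as OK because it predates the cutoff, while the otherwise identical one issued on September 15th is flagged as INVALID_LIFETIME; the 90-day certificate is flagged for renewal simply because it is inside the lead time. In a real deployment the inventory would be filled from getpeercert() or your CA's API, and the RENEW_NOW findings would feed the renewal automation the article recommends.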
Why the Change Is Being Made
The move to shorter lives for SSL and TLS certs has been going on for some time. Before 2015, five-year certificates could be issued. As I mentioned, in the past 31 months alone, the maximum period has shrunk by two-thirds.
But why is it happening?
First, shorter lifespans mean it takes less time to implement updates or changes to the system. The less time needed to react to issues, the fewer security risks we all face.
The other consideration is identity. After all, that’s the purpose of an SSL/TLS certificate—to verify the identity of the site/site owner. So the question becomes, how long should we trust the information used to validate an identity?
The more time that passes between validations, the greater the risk.
What Are SSL/TLS Root Programs?
When we talk about “root,” we’re talking about the root certificates in a certificate chain.
Certificate Authorities (CAs) and web browsers have to work together. Browsers need certificates to make website trust determinations and to help establish secure connections, and CAs need browsers to trust the certificates they issue.
Root programs (which are run by the web browser companies) make sure that the relationship runs smoothly.
The major root programs are run by Microsoft, Apple, Mozilla, and Google. If a CA wants its certificates to be trusted by the root programs, it must follow the program guidelines.
Apple started the recent change by announcing that on September 1st, 2020, they would stop trusting (new) certificates issued for longer than 398 days.
Because the root programs and CAs have to work together, when one root program changes its standards, the rest follow. So Apple basically forced the shortening of certificate lifespans. But any root program can force a change.
For example, Google was the driving force behind the SHA-1 to SHA-2 change.
So when a root program decides something needs to change, it changes across all web browsers and certificate authorities.
Why a Shorter SSL/TLS Certificate Life Is a Good Thing
As certificate lifecycles grow shorter, managing renewal dates can become inconvenient. But one-year certificate lives (or even shorter lives) are beneficial to our security.
Certificate signatures used to be generated with the SHA-1 hash algorithm. As that algorithm aged and became increasingly insecure, browser companies (most notably Google Chrome) wanted to stop trusting SHA-1. But removing SHA-1 support meant many multi-year certificates would no longer be trusted. Consequently, it took three years to completely make the change to SHA-2.
A shorter certificate life means critical security changes can be made more quickly. And those certificate keys are also more secure the more frequently they’re changed. Issuing a new certificate more frequently means more frequent key changes.
If You’re a GreenGeeks Customer
GreenGeeks issues GlobalSign one-year certificates, so your website won’t be affected by this change. Let’s Encrypt certificates have always been renewed every 90 days, so they are also unaffected. If you have any questions about SSL/TLS certificates or anything else, contact us! We’re always available to answer your questions.