A friendly reminder just to make sure you are ready for the new lifetime on TLS digital certificates of a maximum of 398 days starting september this year.
What does it mean?
- Every certificate issued by a public CA on or after September 1st, 2020, must have a maximum lifetime of 398 days to be trusted by web browsers.
- The number of days will be taken from two attributes already present on all certificates: notBefore and notAfter.
- All major browsers are preparing and releasing their new versions to support this change.
What are the benefits ?
- The first benefit is in fact an increase on the security for web resources served under HTTPS decreasing the number of active days a cryptographic private key will have.
- A second benefit is the one regarding crypto agility. A new fancy way to describe how prepared you are to change cryptographic algorithms, schemes or protocols when there is a major vulnerability which forces to deprecate rapidly any of them.
What impact could I have ?
- If you already have valid Digital Certificates with an expiration date on September after September or even next year, you will have no impact on them, everything will continue to function as normal, but starting September 1st 2020, if you request a new certificate, renew or reissue an existing certificate, the new maximum expiration date will be of 398 days beginning on the day the certificate is issued (or reissued). So you will not be able to have a valid certificate for 18 months or 2-3 years as before when the validation period starts on of after September.
- If for any reason a public CA issues a certificate with an expiration date of more than 398 days and you install it on your servers, all users or customers will receive an error saying the website is not secure and there is an error trying to access the website. Similar to when you are trying to access a website with a self-signed certificate installed or with a different common name in it.
A few official links:
- Apple announcement: https://support.apple.com/en-us/HT211025
- Mozilla announcement: https://blog.mozilla.org/security/2020/07/09/reducing-tls-certificate-lifespans-to-398-days/
- Google announcement: https://chromium.googlesource.com/chromium/src/+/master/net/docs/certificate_lifetimes.md
- Digicert: https://www.digicert.com/1-year-public-trust-ssl-certificates/
- Entrust Datacard: https://www.entrustdatacard.com/blog/2020/february/apple-announces-398-day-maximum-certificate-lifetime