All There Is To Know About The New Lifespan of SSL Certificates
Starting Wednesday, August 19, 2020, Major Certificate Authorities will no longer be able to offer two-year public TLS certificates due to an industry-wide requirement set by Apple and Google, stating that any two-year TLS certificate issued after August 30, 2020, will be distrusted in their browsers.
Any two-year TLS certificate issued before 12:00 am UTC on August 19, 2020, will be valid for two years (up to 825 days). Beginning August 19, 2020, CAs will only issue one-year (up to 398 days) TLS certificates.
This only applies to public TLS certificates. Private-root and other types of certificates (e.g. Code Signing Certificates, S/MIME certificates, etc.) will be unaffected and will have the same maximum validity that they have today.
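The two limits stated above (825 days for certificates issued before the cut-over, 398 days afterwards) are easy to get wrong in an inventory spreadsheet, so a small compliance and expiry check is useful. The following is an added example, not code from the original article or from any CA: it takes the cut-over date from the article's note that Google enforces the limit from September 1, 2020, treats the validity period as the simple difference between the issuance and expiry dates (an assumption; the exact counting rule belongs to the policy, not to this script), and runs over a constructed list of sample certificates rather than real ones.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Policy values as stated in the article. They are module-level constants so a
# different CA or browser rule can be substituted without touching the logic.
NEW_POLICY_START = date(2020, 9, 1)  # certificates issued on/after this date get the shorter limit
MAX_DAYS_BEFORE = 825                # two-year certificates issued before the cut-over
MAX_DAYS_AFTER = 398                 # one-year certificates issued after the cut-over

# Reference "today" for the renewal check (constructed for the demo).
DEMO_TODAY = date(2020, 12, 1)


@dataclass(frozen=True)
class CertInfo:
    name: str          # hostname or inventory label
    not_before: date   # issuance date
    not_after: date    # expiry date


def validity_days(cert):
    """Validity period in days (assumption: plain date difference)."""
    return (cert.not_after - cert.not_before).days


def max_allowed_days(issued):
    """Maximum validity that applies to a certificate issued on the given date."""
    return MAX_DAYS_AFTER if issued >= NEW_POLICY_START else MAX_DAYS_BEFORE


def check_certificate(cert):
    """Compare a certificate's validity period with the limit that applies to it."""
    days = validity_days(cert)
    limit = max_allowed_days(cert.not_before)
    return {"name": cert.name, "days": days, "limit": limit, "compliant": days <= limit}


def renewal_due(cert, today, lead_days=30):
    """True when the certificate expires within lead_days of today (or already has)."""
    return cert.not_after - today <= timedelta(days=lead_days)


def audit(certs, today, lead_days=30):
    """Return (names exceeding their applicable limit, names due for renewal)."""
    non_compliant = [c.name for c in certs if not check_certificate(c)["compliant"]]
    due = [c.name for c in certs if renewal_due(c, today, lead_days)]
    return non_compliant, due


# Constructed sample inventory; none of these hosts or dates are real.
SAMPLE_CERTS = [
    CertInfo("shop.example", date(2020, 8, 18), date(2022, 8, 18)),  # 730 days, issued before cut-over: within 825
    CertInfo("api.example", date(2020, 9, 2), date(2022, 9, 2)),     # 730 days, issued after cut-over: exceeds 398
    CertInfo("www.example", date(2020, 9, 15), date(2021, 10, 1)),   # 381 days: within 398
    CertInfo("old.example", date(2019, 12, 1), date(2020, 12, 15)),  # compliant, but expires 14 days after DEMO_TODAY
]


if __name__ == "__main__":
    for cert in SAMPLE_CERTS:
        result = check_certificate(cert)
        status = "ok" if result["compliant"] else "EXCEEDS LIMIT"
        print(f'{result["name"]:14} {result["days"]:4} days (limit {result["limit"]}) {status}')
    exceeding, due = audit(SAMPLE_CERTS, DEMO_TODAY)
    print("exceeding limit:", exceeding)
    print("renewal due within 30 days:", due)
```

The two findings the script separates are different problems: a certificate that exceeds its applicable limit will be distrusted by the browsers no matter how far off its expiry date is, while one that is merely close to expiry only needs the routine renewal that shorter lifetimes make more frequent.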
What Brought About The Change?
In August 2019, CA/B Forum Ballot SC22 was introduced by Google to reduce TLS certificate validity periods to one year. CAs reviewed this proposal with their customers and produced thousands of comments from users, which mostly showed opposition, due to the additional work required by IT teams to handle shorter validity periods. The ballot failed in the Forum, which meant certificate maximum lifetimes remained at two years.
At one time, certificates were offered with a maximum validity of three years. A few years ago, they were reduced to two years. Fast forward to this week’s Apple announcement, which ultimately does what ballot SC22 failed to do: reduce certificate lifetimes to one year.
Why did Apple unilaterally decide to enforce a shorter certificate lifetime? Their spokesperson said it was to “protect users.” We know from prior CA/B Forum discussions that longer certificate lifetimes proved to be challenging in replacing certificates, in the case of a major security incident. Apple clearly wants to avoid an ecosystem that cannot quickly respond to major certificate-related threats. Short-lived certificates improve security because they reduce the window of exposure if a TLS certificate is compromised.
On June 11, Dean Coclin, chair emeritus of the CA/B Forum, broke the news on Twitter that Google will be following Apple's lead in limiting public SSL/TLS certificates starting Sept. 1.
How Do Certificate Authorities Feel About This Change?
Certificate Authorities are presently not happy, to say the least. In the last decade and a half, browser makers have chipped away at the lifespan of SSL certificates, cutting it down from eight years to five, then to three, and then to two.
The last change occurred in March 2018, when browser makers tried to reduce SSL certificate lifespans from three years to one but settled on two years after pushback from certificate authorities.
What Does DigiCert Have To Say?
Timothy Hollebeek, DigiCert's representative, said: "This change has absolutely no effect on malicious websites, which operate for very short time periods, from a few days to a week or two at most. After that, the domain has been added to various blacklists, and the attacker moves on to a new domain and acquires new certificates."
The DigiCert exec explains that, instead, this change to a shorter SSL certificate lifespan would create more costs for their customers (the users/buyers of SSL certs), which now have to allocate more human resources to keeping SSL certificates up to date or performing maintenance updates when one expires.
Furthermore, Hollebeek argues that "shorter lifetime certificates allow quicker transitions when the compliance rules change" is not a good reason either, because standards should not change so often in the first place.
Sectigo (formerly Comodo CA), the biggest certificate authority on the market, has taken a more positive tone to the change, compared to DigiCert's more aggressive contrarian stance. The company took the opportunity of the potential change to highlight its tools for automating SSL certificate renewals, instead of getting into a public fight with browser makers. Sectigo understands the benefits of and supports shorter certificate lifecycles. However, they also know that the currently imposed two-year limitation has already affected SSL resellers as well as businesses by causing user friction, reducing Average Sales Prices (ASPs), and negatively affecting overall revenue. This new industry standard will further affect revenue for partners.
Is Shorter Validity A Good Thing?
It was only a matter of time before this type of initiative would occur, with major browsing giants clamoring for the one-year certificate validity on the ballot of the CA/B Forum. The idea here is that the shorter an SSL/TLS leaf certificate’s validity period, the more secure the certificate is.
That is the argument that has been made for several years for why browsers wanted to cap the maximum validity of SSL/TLS certificates at one year. The theory is that by requiring SSL/TLS certificates to be renewed after a shorter period:
- When any security updates to certificates are made, they roll out into the wild more quickly.
- It also theoretically makes websites more secure by ensuring that new keys are being generated regularly.
SSL/TLS leaf certificates used to have a maximum validity of five years (for domain and organization validated certificates). However, a compromise was ultimately struck that led to certificate validity being reduced to a maximum of three years, and then later, it was capped at two years for all SSL/TLS leaf certs.
What Does This Mean For Your Website And Customers?
Safari is one of the internet’s two leading web browsers. W3Counter lists Safari’s browser market share at 17.7% as of January 2020. This falls behind only Google Chrome (58.2%) and ahead of Microsoft Internet Explorer and Edge (7.1%). So, as you can imagine, you want to ensure that your website — and your customers’ websites — are trusted by Safari.
Multi-Year Subscription SSL (The New Option)
The leading CAs are creating new certificate lifecycle automation options and subscription plans that would make certificate management easier for shorter certificate lifecycles.
Some CAs announced a new option for purchasing/implementing SSL. Some rolled out their SSL subscription plan months ago while others will roll out their multi-year plans before September. With these multi-year subscription-based SSL services, webmasters can purchase coverage for longer periods and reissue their certificates as often as they need with the maximum allowed validity period.
There are a few benefits to this option:
- Cost: It allows customers to continue receiving a multi-year pricing discount, which saves money, and
- Time: Customers only have to purchase the subscription once and not worry about it again for five years (especially useful if you need to get purchases approved by your accounting department).
What Is The Way Forward For VPCart Merchants?
For all existing customers already on our 2-year Comodo SSL plan, we will update their SSL billing to a 1-year plan after 19 Aug 2020.
The current "VP-Cart Comodo SSL Certificate 2 Year" billing, which is $197.90 USD, will be changed to $119 USD for 1 year after the date above.