A decision that Apple unilaterally took in February 2020 has reverberated across the browser landscape and has effectively strong-armed the Certificate Authority industry into bitterly accepting a new default lifespan of 398 days for TLS certificates.
Google has opted to join Apple as well, according to The SSL Store:
It’s no secret, Google has been championing shorter certificate validity within the CA/Browser Forum (CA/B Forum) for years. At the end of last week, a well-known voice within the forum posted on Twitter that the tech giant will be making the switch to a one year validity period of 398 days for SSL/TLS certificates starting Sept. 1. This might sound like a big move, but it doesn’t actually change anything because it was already happening.
Mozilla will be jumping on the bandwagon on August 31st, according to a GitHub post.
What will this mean? Well, for one, if you host a website that has a two-year SSL certificate, all major browsers are going to start displaying an error warning users that your certificate is valid for too long.
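A small inventory check for the rule above, added here as an example and not part of the original post: it flags certificates issued on or after 1 Sept 2020 whose lifetime exceeds 398 days, and separately flags certificates that are inside a renewal window (the 30-day lead time, the hostnames and the certificate dates are constructed for the example). It uses only the Python standard library, reading the `notBefore`/`notAfter` strings in the format `SSLSocket.getpeercert()` returns.

```python
import ssl
from datetime import datetime, timezone

# Policy from the post: server certificates issued on or after 1 Sept 2020
# with a validity period longer than 398 days are rejected by the major browsers.
MAX_LIFETIME_DAYS = 398
ENFORCEMENT_START = datetime(2020, 9, 1, tzinfo=timezone.utc).timestamp()
RENEW_WITHIN_DAYS = 30  # assumed renewal lead time, not a value from the post

def _window(cert):
    # notBefore/notAfter use the string form that SSLSocket.getpeercert() returns
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return start, end

def lifetime_days(cert):
    """Validity period in whole days (notAfter minus notBefore)."""
    start, end = _window(cert)
    return (end - start) // 86400

def check_cert(cert, now):
    """Classify one certificate; `now` is a POSIX timestamp so runs are reproducible."""
    start, end = _window(cert)
    if start >= ENFORCEMENT_START and lifetime_days(cert) > MAX_LIFETIME_DAYS:
        return "reject"   # issued under the new rule with too long a lifetime
    if now >= end:
        return "expired"
    if (end - now) // 86400 <= RENEW_WITHIN_DAYS:
        return "renew"    # inside the renewal window, e.g. a 90-day Let's Encrypt cert
    return "ok"

def audit(inventory, now):
    """Map each hostname in the inventory to its status."""
    return {host: check_cert(cert, now) for host, cert in inventory.items()}

# Constructed sample inventory (not real hosts or certificates).
# The first entry was issued before the cut-off, so its two-year lifetime is still accepted.
SAMPLE_INVENTORY = {
    "legacy.example.test": {"notBefore": "Mar  1 00:00:00 2020 GMT", "notAfter": "Mar  1 00:00:00 2022 GMT"},
    "new2yr.example.test": {"notBefore": "Sep  2 00:00:00 2020 GMT", "notAfter": "Sep  2 00:00:00 2022 GMT"},
    "new1yr.example.test": {"notBefore": "Sep 15 00:00:00 2020 GMT", "notAfter": "Oct 18 00:00:00 2021 GMT"},
    "mail.example.test":   {"notBefore": "Aug 20 00:00:00 2020 GMT", "notAfter": "Nov 18 00:00:00 2020 GMT"},
}
SAMPLE_NOW = datetime(2020, 10, 25, tzinfo=timezone.utc).timestamp()

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY, SAMPLE_NOW).items():
        print(f"{host:22} {status:8} lifetime={lifetime_days(SAMPLE_INVENTORY[host])}d")
```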
I actually agree, this will probably make things more secure. The more frequently you swap your encryption keys, the better the security. I'm already doing it with Let's Encrypt on my personal email server because Let's Encrypt makes you renew every 3 months! Let's Encrypt makes renewal easy at least with the help of automation scripts.
Swapping out certificates every year in other places can be a pain if you are using other third-party CAs and manually renew your certificates. It's even more of a pain when you have clients that use Java applications and manually trust their third-party keys for additional stringent security. That means we have to swap our keys out probably every 200 days now at my day job so we can send the keys to clients ahead of time for testing and validation...
Basically an SSL Certificate Maintenance Shitstorm!
Do you manage SSL certificates in your environment? How are you handling it? Let us know in the comments!