Browser makers limit TLS certificate lifespan to 398 days

Posted on Monday, June 29 2020 @ 10:23 CEST by Thomas De Maesschalck
Starting on September 1, 2020, browsers from Apple, Google, and Mozilla will no longer accept SSL/TLS certificates with a lifespan longer than 398 days. This new default lifespan for HTTPS certificates was unilaterally decided by Apple in February 2020 and is now seeing broader adoption, against the wishes of the Certificate Authority industry. Over the years, browser makers have continued to chip away at the lifespan of TLS certificates to improve security.

The main concern here is that with long TLS lifespans, certificates that have been abused remain in circulation for too long. Revoking bad certificates is a complicated and slow process, so browser makers prefer shorter lifespans. Certificate authorities are against shorter certificate lifespans because they believe it makes no difference and because it increases administrative costs.
However, across its 15-year history, there's been one topic that has always ruffled the feathers every time it has been brought up -- and that's the lifespan of TLS certificates.

TLS lifespans started at eight years, and through the years, browser makers have chipped away at it, bringing it down to five, then to three, and then to two.

The previous change occurred in March 2018, when browser makers tried to reduce SSL certificate lifespans from three years to one but compromised for two years after an aggressive pushback from CAs.
More details at ZDNet.
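
An added example, not code from the article or from any browser vendor: a check that flags certificates in an inventory whose validity period exceeds the 398-day limit described above, taking dicts shaped like the output of Python's `ssl.SSLSocket.getpeercert()`. The host names and dates are constructed, and the rule that only certificates issued on or after September 1, 2020 are affected is an assumption not stated on this page.

```python
import ssl
from datetime import datetime, timedelta, timezone

MAX_VALIDITY = timedelta(days=398)  # limit named in the article
# Assumption (not stated on this page): only certificates issued on or after
# the enforcement date are affected; earlier long-lived ones keep working.
ENFORCEMENT_START = datetime(2020, 9, 1, tzinfo=timezone.utc)

def parse_cert_time(value):
    """Parse a getpeercert()-style timestamp such as 'Sep  1 00:00:00 2020 GMT'."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)

def classify(cert):
    """Return (status, validity_in_days) for a dict shaped like getpeercert() output."""
    not_before = parse_cert_time(cert["notBefore"])
    not_after = parse_cert_time(cert["notAfter"])
    if not_after <= not_before:
        return "invalid-dates", 0.0
    lifetime = not_after - not_before
    days = lifetime / timedelta(days=1)
    if lifetime <= MAX_VALIDITY:
        return "ok", days
    if not_before < ENFORCEMENT_START:
        return "grandfathered", days  # over the limit, but issued before the cutoff
    return "rejected", days           # over the limit and issued after the cutoff

def audit(inventory):
    """Map each host name to its status so over-long certificates stand out."""
    return {host: classify(cert)[0] for host, cert in inventory.items()}

# Constructed sample inventory (hypothetical hosts, not real certificates).
SAMPLE = {
    "shop.example.test": {"notBefore": "Aug 15 00:00:00 2020 GMT",
                          "notAfter": "Aug 15 00:00:00 2022 GMT"},
    "api.example.test": {"notBefore": "Sep  1 00:00:00 2020 GMT",
                         "notAfter": "Oct  4 00:00:00 2021 GMT"},
    "edge.example.test": {"notBefore": "Sep  1 00:00:00 2020 GMT",
                          "notAfter": "Oct  4 00:00:01 2021 GMT"},
    "intranet.example.test": {"notBefore": "Sep 15 00:00:00 2020 GMT",
                              "notAfter": "Sep 15 00:00:00 2022 GMT"},
}

if __name__ == "__main__":
    for host, cert in SAMPLE.items():
        status, days = classify(cert)
        print(f"{host:24} {days:7.1f} days  {status}")
```

The `edge.example.test` entry is one second over the limit, which shows that the comparison is on the full validity interval rather than on whole calendar days.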
