Aug 17th, 2020

New Default Lifespan For TLS Certificates

In March 2018, browser makers attempted to reduce the lifespan of SSL certificates from 3 years to 1 year but did not succeed. After aggressive pushback from Certificate Authorities (CAs), a compromise of 2 years was reached. Barely a year later, browser makers tried again, to the dismay of CAs, who believed that a compromise had already been reached.

Apple’s decision, which took effect in February 2020, has effectively forced the CA industry to accept the new default lifespan of 398 days for TLS certificates. After Apple’s announcement, Mozilla and Google appeared to have similar intentions of implementing the same rules in their browsers. Starting September 1, 2020, Apple, Google and Mozilla devices and browsers will display errors for new TLS certificates with lifespans longer than 398 days.

The move is important because it changes a core part of how the internet works, as well as how TLS certificates work. It also breaks with the standard practice between browsers and CAs. Browser makers and CA groups usually discuss upcoming rules before a decision is made, and the rules that are passed must then be implemented by members.

The lifespan of TLS certificates used to be 8 years, but browser makers managed to bring it down to five, then three and then two. However, Apple broke with the standard practice when it decided to implement the 398-day lifespan.

To outsiders, this might seem like a bit of technical drama or a play for power, but the real reason is that bad TLS certificates get cycled out faster. Browser makers have argued that if the TLS certificate lifespan is reduced, a certificate will become invalid sooner. They hope that securing traffic with shorter-lived certificates will make attacks more resource-intensive for attackers. However, shorter lifespans create more work for IT teams.

These changes have to be monitored through TrackSSL.com so that the IT team is alerted immediately. The SSL certificate expiry date monitor provides email notification of a pending certificate expiration. The SSL certificate monitoring tool continuously monitors the validity of all SSL certificates on the website to avoid any damage to the brand’s reputation.
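The 398-day rule and the expiry monitoring described above can be checked with a short script. This is an added example, not code from the original article or from TrackSSL; the finding names, the 30-day warning threshold and the sample certificates are assumptions constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(days=398)                  # limit stated in the article
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)  # enforcement date stated in the article

def _parse(ts):
    """Convert a getpeercert() time string ('Sep  2 00:00:00 2020 GMT') to UTC."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(ts), tz=timezone.utc)

def audit_cert(cert, now, warn_days=30):
    """Return findings for one getpeercert()-style dict (warn_days is an assumed threshold)."""
    not_before, not_after = _parse(cert["notBefore"]), _parse(cert["notAfter"])
    findings = []
    # Only certificates issued on or after the cutoff are held to the 398-day limit.
    if not_before >= CUTOFF and not_after - not_before > MAX_LIFETIME:
        findings.append("lifetime-exceeds-398-days")
    if now < not_before:
        findings.append("not-yet-valid")
    elif now > not_after:
        findings.append("expired")
    elif not_after - now <= timedelta(days=warn_days):
        findings.append("expires-soon")
    return findings

def fetch_cert(host, port=443, timeout=5):
    """Fetch a live server's leaf certificate (needs network). An already expired
    certificate fails verification here and raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample certificates (validity fields only), not taken from real sites.
SAMPLES = {
    "issued-before-cutoff-2y": {"notBefore": "Aug 15 00:00:00 2020 GMT",
                                "notAfter": "Aug 15 00:00:00 2022 GMT"},
    "issued-after-cutoff-2y": {"notBefore": "Sep  2 00:00:00 2020 GMT",
                               "notAfter": "Sep  2 00:00:00 2022 GMT"},
    "exactly-398-days": {"notBefore": "Sep  2 00:00:00 2020 GMT",
                         "notAfter": "Oct  5 00:00:00 2021 GMT"},
}
NOW = datetime(2021, 9, 20, tzinfo=timezone.utc)  # constructed "current time"

if __name__ == "__main__":
    for name, cert in SAMPLES.items():
        print(name, audit_cert(cert, NOW) or ["ok"])
```

For a live check, pass the result of `fetch_cert("your.host.example")` and `datetime.now(timezone.utc)` to `audit_cert`.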
