By now you’ve likely heard about Apple’s announcement at the February 2020 Certificate Authority/Browser Forum meeting that they will no longer accept publicly trusted TLS webserver certificates valid for longer than 398 days after Sept. 1, 2020 in the Mac OS and iOS platforms. The CA/B Forum had previously voted down an initiative to reduce public TLS certificate lifetimes from two years to one year. Yet Apple decided to unilaterally take this reduction path. Other browsers are discussing a similar implementation. This affects every CA and website owner.
Website owners need to prepare
CAs will have to ensure they only issue one-year certificates after Sept. 1. This is because Apple will treat any certificates issued from roots in their platform valid for more than 398 days as a “policy violation,” meaning CAs could face disciplinary action from Apple. Such action could be as minor as a warning or as significant as CA distrust. CAs use root certificates common to all browsers to issue TLS certificates. If they didn’t, users would experience errors when accessing websites from different browsers.
Website owners that currently use two-year website certificates will only be able to obtain one-year certificates as of Sept. 1. Any certificates that are currently valid for two years and issued before Sept. 1 will remain valid.
Private TLS and all other certificate types not affected
This change does not affect private TLS certificates (such as certificates issued from custom roots), code signing, email certificates or any other type of non-TLS certificates. So if you use or issue these types of certificates, you can continue to do so up to the validity period defined by the platform.
DigiCert automation: the best way to handle reduced certificate validity periods
While shortened validity periods could burden customers that manage many sites, DigiCert is ready to help. We have tools for tracking certificate expiration dates, customizing renewal notifications and automating certificate renewals. DigiCert CertCentral® enables you to automate the entire certificate management process with Automation, REST API and ACME integration. We also have an advanced reporting API, GraphQL, to provide you with the information needed to stay on top of your TLS certificate needs and make informed decisions.
To avoid the rush, we suggest ordering any necessary two-year certificates at least one month before the deadline. This will ensure that your order can be validated and processed in time. Follow our blog for future updates on preparing for the Sept. 1 deadline as we focus on helping our customers with the transition.