At the 49th meeting of the CA/Browser Forum, held in February 2020, Apple announced that it is changing its root embedding policy to require that TLS/SSL certificates have a maximum validity period of 398 days. The 398-day period has previously been discussed by the CA/Browser Forum: it reduces the validity period to about one year, with one extra month of margin for renewing TLS/SSL certificates before they expire.

According to the announcement, the new policy will become effective September 1, 2020, and will require that all new certificates issued on or after that date not exceed 398 days of validity. If a certificate is issued for longer than that, it will not be trusted by the Safari browser. In addition, the issuing root CA certificate may also be distrusted by macOS and iOS, which would have a far greater impact.

Why a Shorter Certificate Lifecycle?

The idea to reduce certificate lifetimes was first considered by the CA/B Forum in September 2019, but was suspended after Ballot SC22 failed.

Browser companies voted unanimously in favor of Ballot SC22, arguing, in summary, that it strengthened Internet security and would add more pressure to adopt certificate management automation. The majority of certification authorities (CAs) voted against it, in support of the 82% of the 3,850 organizations they surveyed who opposed the ballot. The website owners who opposed the ballot expressed concerns about the lack of a cost-versus-benefit analysis, the security risks introduced by automated certificate replacement, and the difficulty of automating in certain environments. Shorter certificate lifetimes would hasten the need for more automation around certificate deployment.

Overall, the goal of decreasing the certificate validity period is to increase security. Certificates issued under outdated cryptographic requirements expire sooner, which is one way it helps to achieve this. It also enables CAs to include more recent validation data in the certificate, and it provides certificate subscribers with increased security by having them change their key pairs more frequently.

Impact on TLS/SSL Ecosystem

TLS/SSL certificates issued before September 1, 2020 will not be impacted. The current maximum validity period of 825 days for TLS/SSL certificates can be used until that date. Note that if a certificate is reissued on September 1, 2020 or later, its validity period will be capped at 398 days.

To ensure that our TLS/SSL certificate subscribers can continue to provide uninterrupted trust to their users, Entrust Datacard will restrict the validity period of all publicly trusted TLS/SSL certificates it issues to no more than 398 days. Entrust Certificate Services (ECS) will be adjusted to meet the new maximum, reducing it from 825 days to 398 days. Certificate customers will still be able to choose their own validity period or expiry date, under the 398-day cap.
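The two rules stated above (825 days for certificates issued before September 1, 2020; 398 days for certificates issued on or after that date) are easy to check against an installed certificate's dates. The script below is an added example, not Entrust Datacard's or Apple's own tooling: it parses the two-line output of `openssl x509 -noout -dates`, computes the validity period as the difference between notBefore and notAfter (the post does not say whether Apple counts that difference inclusively, so measuring it this way is an assumption), and reports which limit applied and whether the certificate stays under it. The three sample outputs at the bottom are constructed for illustration and do not describe real certificates.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Tuple

# Policy parameters taken from the post: the CA/B Forum's existing 825-day
# maximum, and Apple's 398-day maximum for certificates whose validity
# begins on or after September 1, 2020.
APPLE_CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)
MAX_DAYS_BEFORE_CUTOFF = 825
MAX_DAYS_FROM_CUTOFF = 398


def parse_openssl_date(value: str) -> datetime:
    """Parse a date as printed by `openssl x509 -noout -dates`,
    e.g. 'Sep  1 00:00:00 2020 GMT' (day is space-padded)."""
    parsed = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)


def parse_dates_output(text: str) -> Tuple[datetime, datetime]:
    """Extract notBefore/notAfter from the output of
    `openssl x509 -noout -dates` (two 'key=value' lines)."""
    fields: Dict[str, datetime] = {}
    for line in text.strip().splitlines():
        key, _, val = line.partition("=")
        fields[key.strip()] = parse_openssl_date(val)
    return fields["notBefore"], fields["notAfter"]


def validity_days(not_before: datetime, not_after: datetime) -> float:
    """Validity period in days, measured as notAfter minus notBefore
    (assumption: the post does not define the counting convention)."""
    return (not_after - not_before) / timedelta(days=1)


def check_validity(not_before: datetime, not_after: datetime) -> dict:
    """Apply the limit that matches the issuance date and report the result."""
    days = validity_days(not_before, not_after)
    if not_before >= APPLE_CUTOFF:
        limit = MAX_DAYS_FROM_CUTOFF
    else:
        limit = MAX_DAYS_BEFORE_CUTOFF
    return {"days": days, "limit": limit, "compliant": days <= limit}


def check_dates_output(text: str) -> dict:
    """Convenience wrapper: from openssl '-dates' text to a result dict."""
    not_before, not_after = parse_dates_output(text)
    result = check_validity(not_before, not_after)
    result["not_before"] = not_before.date().isoformat()
    result["not_after"] = not_after.date().isoformat()
    return result


# Constructed sample outputs (not real certificates).
SAMPLES = {
    # Issued before the cutoff with the full 825 days: still acceptable.
    "pre-cutoff 825 days": (
        "notBefore=Mar  1 00:00:00 2020 GMT\n"
        "notAfter=Jun  4 00:00:00 2022 GMT\n"
    ),
    # Issued on the cutoff date with exactly 398 days: at the cap, acceptable.
    "post-cutoff 398 days": (
        "notBefore=Sep  1 00:00:00 2020 GMT\n"
        "notAfter=Oct  4 00:00:00 2021 GMT\n"
    ),
    # Issued after the cutoff for two years: exceeds the 398-day cap.
    "post-cutoff 730 days": (
        "notBefore=Sep 15 00:00:00 2020 GMT\n"
        "notAfter=Sep 15 00:00:00 2022 GMT\n"
    ),
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        r = check_dates_output(text)
        status = "OK" if r["compliant"] else "EXCEEDS LIMIT"
        print(f"{name}: {r['days']:.0f} days (limit {r['limit']}) -> {status}")
```

To run it against a live certificate, pipe the real output in: `openssl x509 -in cert.pem -noout -dates | python3 -c 'import sys, check; print(check.check_dates_output(sys.stdin.read()))'` (assuming the script is saved as `check.py`).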

Enabling Compliance

Customers will be able to maintain compliance using the discovery, automation, renewal-alert, and reporting tools available through ECS. Entrust Datacard's follow-the-sun support team will be on hand to offer expertise and ensure a smooth transition throughout the process.

Please note that Apple has not yet published the text of its new policy requirement. We will share updates if there are any changes to, or clarifications of, the policy.

Related Resources
CA/B Forum Ballot SC22
Entrust Datacard customer survey
DigiCert customer surveys, basic results and related customer comments
GoDaddy customer survey

Bruce Morton

Bruce Morton is a pioneering figure in the PKI and digital certificate industry. He currently serves as Director for Certificate Services at Entrust Datacard, where he has been employed since 1999. His day-to-day responsibilities include managing standards implementations, overseeing Entrust Datacard’s policy authority, and monitoring Entrust Certificate Service for industry compliance.