22 May, 2020

Apple Safari browser limits the validity of SSL certificates to one year

Safari will not trust SSL/TLS certificates issued from September 1 that have validity periods greater than 398 days.

As of September 1, Apple’s Safari browser will no longer trust site SSL/TLS certificates that are valid for more than 398 days. (This is the equivalent of a one-year certificate plus the renewal grace period.) Other types of SSL/TLS certificates, including intermediates and roots, will not be affected.

SSL/TLS certificates issued before September 1, 2020 are not affected by this change. They will remain valid (unless revoked for some other reason) throughout their two-year period and will not need to be modified or replaced. All certificates issued after September 1 must be renewed every year so that Safari continues to trust them.
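To see which certificates in an inventory fall under the rule described above, here is an added example (not from the original article or from Apple) that applies the 398-day limit to `notBefore`/`notAfter` strings in the format Python's `ssl.SSLSocket.getpeercert()` returns. It assumes the cutoff is September 1, 2020 at 00:00 GMT measured against `notBefore`, that a day is 86,400 seconds, and that the caller supplies the hypothetical `is_ca` flag; the hostnames and dates are constructed.

```python
import ssl

SECONDS_PER_DAY = 86_400
MAX_VALIDITY_DAYS = 398
# Assumption: the September 1, 2020 cutoff is taken as 00:00 GMT and is
# compared against the certificate's notBefore field.
CUTOFF = ssl.cert_time_to_seconds("Sep  1 00:00:00 2020 GMT")


def safari_trust_check(cert, is_ca=False):
    """Return (trusted, reason) for a dict shaped like SSLSocket.getpeercert().

    is_ca is a hypothetical caller-supplied flag: intermediates and roots
    are outside the rule.
    """
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days = (not_after - not_before) / SECONDS_PER_DAY
    if is_ca:
        return True, "intermediate or root, not covered by the limit"
    if not_before < CUTOFF:
        return True, f"issued before the cutoff, exempt ({days:.0f} days)"
    if days > MAX_VALIDITY_DAYS:
        return False, f"{days:.0f} days exceeds {MAX_VALIDITY_DAYS}; reissue"
    return True, f"{days:.0f} days is within {MAX_VALIDITY_DAYS}"


# Constructed inventory: hostnames and dates are made up for illustration.
INVENTORY = [
    ("legacy.example", "Aug 31 12:00:00 2020 GMT", "Aug 31 12:00:00 2022 GMT", False),
    ("two-year.example", "Sep  1 00:00:00 2020 GMT", "Sep  1 00:00:00 2022 GMT", False),
    ("edge-398.example", "Oct  1 00:00:00 2020 GMT", "Nov  3 00:00:00 2021 GMT", False),
    ("edge-399.example", "Oct  1 00:00:00 2020 GMT", "Nov  4 00:00:00 2021 GMT", False),
    ("root.example", "Jan  1 00:00:00 2021 GMT", "Jan  1 00:00:00 2031 GMT", True),
]


def audit(inventory):
    """Map each name to its (trusted, reason) verdict."""
    return {
        name: safari_trust_check({"notBefore": nb, "notAfter": na}, is_ca)
        for name, nb, na, is_ca in inventory
    }


if __name__ == "__main__":
    for name, (trusted, reason) in audit(INVENTORY).items():
        print(f"{'OK  ' if trusted else 'FAIL'} {name}: {reason}")
```

A certificate of exactly 398 days passes because the limit applies only to validity periods greater than 398 days.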

Apple announced its unilateral decision on February 19 at a meeting of the CA/Browser Forum (CA/B Forum), the industry standards group made up primarily of certification authorities and major browsers.

The theory is that requiring SSL/TLS certificates to be renewed more often means that security updates made to certificates are applied more quickly. It also theoretically makes websites more secure by ensuring that new keys are generated regularly.

Site SSL/TLS certificates used to have a maximum validity of five years (for domain and organization validated certificates). A compromise was eventually reached that reduced the maximum validity to three years, and it was later limited to two years.

Last year, Google’s representative to the CA/Browser Forum filed a motion to limit the validity of certificates to one year, a motion that was rejected. Notwithstanding this, Apple, which is a member of the CA/Browser Forum, unilaterally decided to apply that rule. Safari is one of the main web browsers, as shown in the graphic below.