Google Chrome limits the validity of SSL Certificates to one year

Google has been promoting shorter certificate validity within the CA / Browser Forum for years. Although its efforts to boost the maximum validity of one year within that area, which is the one that sets the industry standards, have failed due to the contrary vote of the majority of its members, Google finally unilaterally decided to move forward with this restriction , adding to the decision already adopted by Apple months ago, also untimely.

On June 11, Dean Coclin, president emeritus of the CA / Browser Forum, broke the news on Twitter that Google will follow Apple’s stance on limiting public SSL / TLS certificates beginning September 1.

So what does this really mean to you as a website owner or administrator?

For most people, the restriction Google will impose doesn’t really change anything. Google’s announcement is more formal than anything else because when we broke the news in February about Apple’s announcement to set the one-year limitation on certificates, we assumed that other browsers were going to follow similar behavior.

This announcement by Apple last February forced the recognized Certifying Authorities to make the decision not to issue any more certificates with validity terms exceeding 398 days, starting next September 1, and thus prevent Internet users from having problems when browsing. This decision of the Chrome browser does not generate anything different from what has already been adopted.

The underlying idea in requiring certificates to have a maximum duration of one year is that a shorter useful life and, therefore, a more frequent issuance, increases security levels.

How one-year validity affects site administrators

Going from two years of certificate validity to one year means that the life cycle is essentially halved. This means that you will have to be more vigilant than ever before the expiration date and security must be prioritized more than ever.

If you are the administrator of the site or its owner, this change means that you will have a little more work in terms of managing your certificates. The positive side is that it will have greater security, generated by:

• Your certificate keys will be rotated more frequently.
• Your certificates will have more updated information.
• You don’t have to worry as much about changes in technology. For example, that the algorithms used become obsolete in the middle of the cycle and you do not find out, which would make your certificates no longer valid.

This also serves as an important reminder for site administrators: If you want to continue to take advantage of certificates that are valid for two years, you must purchase your certificates now so that, with the exception of any revocation, Safari and Chrome will trust them for the next two years. If you choose to wait to buy your certificates until September 1 or later, you can only request the issuance of certificates valid for one year.

Google’s latest announcement, while sounding important, is just one more step toward the inevitability of one-year validity for SSL / TLS certificates. As of September 1, 2020, public SSL / TLS certificates will only be issued with a validity period of one year, despite the fact that this was not the consensus among the members of the CA / Browser Forum.