Mozilla has officially announced that as of September 1, 2020, it will no longer consider valid any newly issued certificate with a shelf life of more than 398 days or just over a year.
Browser developers and certificate security experts have been trying for some time to reduce the lifespan of a TLS certificate from 2 years (825 days) to 1 year (392 days), but have failed to force certificate issuers to agree to the proposal.
When a proposed change is issued, members of the CA/Browser Forum (CA/B Forum) vote on it. This forum consists of certificate issuers and certificate consumers, such as browser developers, and was created to act as the governing body for issuing and managing digital certificates.
The recent vote on a proposal to reduce the lifespan of the certificate again to one year failed after the issuers of the certificate voted against it.
As reported by ZDNet, instead of abiding by the vote and allowing a two-year certificate lifetime, Apple has unilaterally decided to bypass the CA/B Forum and will no longer consider certificates issued with a two-year lifespan valid after September 1, 2020.
Shortly thereafter, both Mozilla and Google released bug reports or issues stating that they too would no longer support a two-year lifespan after September 1, 2020.
Since then, certificate issuers have reluctantly agreed to follow these new guidelines, expressing their frustration at this forced change.
Mozilla has officially announced this change with an explanation as to why it is being done.
Mozilla and other browser developers say these changes are important to ensure better security:
- Allows greater agility when phasing out certificates when vulnerabilities are detected in encryption algorithms
- Limits the site’s exposure to compromise, because private keys would change regularly. If the private key of a TLS certificate is stolen, a one-year validity limits how long the threat actor could use it.
- Prevents hosting providers or third parties from using the certificate for a long time after the domain is no longer used or the service provider has changed.
What does this mean for website owners?
This change only affects new certificates issued on or after September 1, 2020.
If you have an existing certificate with a lifespan of two years, then this change will not affect that certificate and you can continue to use it until it expires.
Once that certificate expires, however, its replacement, like every certificate issued on or after September 1, 2020, will be valid for only one year.
This change will increase administrative costs as website administrators will have to pay more attention to renewal dates as their certificates will expire more often.
For companies that serve multiple websites, this could be a logistical nightmare until automated procedures are introduced to take this change into account.
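One way to get ahead of the administrative burden described above is to audit an inventory of certificates for two things at once: whether a certificate was issued on or after September 1, 2020 with a lifetime over 398 days (and so will be rejected by Firefox, Chrome and Safari), and whether it is close enough to expiry that renewal should be scheduled. The script below is an added example, not code from the article or from Mozilla; it uses only the Python standard library (`ssl.cert_time_to_seconds` parses the date strings that `ssl.SSLSocket.getpeercert()` returns), and the certificate records and the reference date are constructed sample data, not real sites.

```python
import ssl
from datetime import datetime, timezone

# Policy values from the article: certificates issued on or after this date are
# accepted by the major browsers only if their lifetime is at most 398 days.
POLICY_START = datetime(2020, 9, 1, tzinfo=timezone.utc)
MAX_LIFETIME_DAYS = 398

# Constructed reference date for the audit (so the output is reproducible).
REFERENCE_DATE = datetime(2021, 1, 15, tzinfo=timezone.utc)

# Constructed sample records (fictional hosts) in the dict layout returned by
# ssl.SSLSocket.getpeercert() for a live connection; a real inventory would be
# built from those dicts or from an exported certificate list.
SAMPLE_CERTS = [
    {"subject": ((("commonName", "legacy.example"),),),
     "notBefore": "Aug 20 00:00:00 2020 GMT", "notAfter": "Aug 20 00:00:00 2022 GMT"},
    {"subject": ((("commonName", "oneyear.example"),),),
     "notBefore": "Sep  2 00:00:00 2020 GMT", "notAfter": "Oct  5 00:00:00 2021 GMT"},
    {"subject": ((("commonName", "toolong.example"),),),
     "notBefore": "Sep  2 00:00:00 2020 GMT", "notAfter": "Sep  2 00:00:00 2022 GMT"},
    {"subject": ((("commonName", "expiring.example"),),),
     "notBefore": "Jan 20 00:00:00 2020 GMT", "notAfter": "Jan 31 00:00:00 2021 GMT"},
]


def _parse_cert_time(value):
    """Convert the 'Mon DD HH:MM:SS YYYY GMT' string used by getpeercert() to a UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def common_name(cert):
    """Pull the commonName out of the nested subject tuple structure."""
    for rdn in cert.get("subject", ()):
        for key, val in rdn:
            if key == "commonName":
                return val
    return "<no CN>"


def assess(cert, today, renew_within_days=30):
    """Classify one certificate against the 398-day rule and a renewal window."""
    not_before = _parse_cert_time(cert["notBefore"])
    not_after = _parse_cert_time(cert["notAfter"])
    lifetime_days = (not_after - not_before).days
    days_left = (not_after - today).days
    # Only certificates issued on or after the policy start are subject to the rule;
    # older two-year certificates keep working until they expire.
    covered = not_before >= POLICY_START
    return {
        "name": common_name(cert),
        "lifetime_days": lifetime_days,
        "days_left": days_left,
        "covered_by_policy": covered,
        "browser_rejected": covered and lifetime_days > MAX_LIFETIME_DAYS,
        "renew_soon": days_left <= renew_within_days,
    }


def audit(certs, today=None, renew_within_days=30):
    """Assess every certificate in the inventory; defaults to the current UTC time."""
    today = today or datetime.now(timezone.utc)
    return [assess(c, today, renew_within_days) for c in certs]


if __name__ == "__main__":
    for r in audit(SAMPLE_CERTS, REFERENCE_DATE):
        flags = []
        if r["browser_rejected"]:
            flags.append("REJECTED by browsers: issued after 2020-09-01 with >398-day lifetime")
        if r["renew_soon"]:
            flags.append("renew within %d days" % r["days_left"])
        print("%-20s lifetime=%4dd left=%4dd %s" % (
            r["name"], r["lifetime_days"], r["days_left"], "; ".join(flags) or "ok"))
```

Run on a real estate, the `browser_rejected` flag catches the mistake the article warns about (a two-year certificate ordered after the cutoff), while `renew_soon` is the list that feeds a renewal calendar or ticket queue until issuance is automated.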