TLS Certificates Now Have 398 Day Lifespans

As of September, all publicly trusted TLS certificates must have a lifespan of 398 days or fewer.

The change follows a statement from Apple in March, in which it announced it was “reducing the maximum allowed lifetimes of TLS server certificates” as part of its ongoing efforts to improve web security.

The Apple statement claimed TLS server certificates issued on or after September 1, 2020 “must not have a validity period greater than 398 days.” Specifically, this change will affect only TLS server certificates issued from the Root CAs preinstalled with iOS, iPadOS, macOS, watchOS, and tvOS.

Also, this change will affect only TLS server certificates issued on or after September 1, 2020; any certificates issued prior to that date will not be affected by this change. “Connections to TLS servers violating these new requirements will fail,” the statement said. “This might cause network and app failures and prevent websites from loading.”

Apple recommended that certificates be issued with a maximum validity of 397 days. The change will not affect certificates issued from user-added or administrator-added Root CAs.
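As an added illustration (not from the article or from Apple), the check below applies the rule described above to the `notBefore`/`notAfter` fields in the dictionary that Python's `ssl.SSLSocket.getpeercert()` returns. The sample certificates are constructed, and counting a partial day up to the next whole day is an assumption about how the limit is measured.

```python
import datetime as dt
import ssl

# Policy values as reported in the article: the rule applies to certificates
# issued on or after 1 September 2020, caps validity at 398 days, and Apple
# recommends issuing for no more than 397 days.
POLICY_START = dt.datetime(2020, 9, 1, tzinfo=dt.timezone.utc)
MAX_VALIDITY_DAYS = 398
RECOMMENDED_MAX_DAYS = 397


def _parse(cert_time: str) -> dt.datetime:
    # getpeercert() reports times like 'Sep  1 00:00:00 2020 GMT';
    # ssl.cert_time_to_seconds turns that into a POSIX timestamp (UTC).
    return dt.datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=dt.timezone.utc)


def validity_days(cert: dict) -> int:
    """Validity period in whole days; a partial day counts as a full day (assumption)."""
    span = _parse(cert["notAfter"]) - _parse(cert["notBefore"])
    return -(-int(span.total_seconds()) // 86400)  # ceiling division


def check_lifetime(cert: dict) -> dict:
    """Apply the 398-day rule to one certificate dict and report the outcome."""
    days = validity_days(cert)
    subject_to_rule = _parse(cert["notBefore"]) >= POLICY_START
    return {
        "days": days,
        "subject_to_rule": subject_to_rule,
        "compliant": (not subject_to_rule) or days <= MAX_VALIDITY_DAYS,
        "within_recommended": days <= RECOMMENDED_MAX_DAYS,
    }


# Constructed sample certificates, in the shape getpeercert() produces.
SAMPLE_CERTS = {
    "two_year_before_cutoff": {"notBefore": "Aug 31 00:00:00 2020 GMT", "notAfter": "Aug 31 00:00:00 2022 GMT"},
    "two_year_after_cutoff": {"notBefore": "Sep  1 00:00:00 2020 GMT", "notAfter": "Sep  1 00:00:00 2022 GMT"},
    "one_year_after_cutoff": {"notBefore": "Sep  1 00:00:00 2020 GMT", "notAfter": "Sep  1 00:00:00 2021 GMT"},
    "exactly_398_days": {"notBefore": "Oct  1 00:00:00 2020 GMT", "notAfter": "Nov  3 00:00:00 2021 GMT"},
}


def audit(certs: dict) -> dict:
    """Run the check over a mapping of name -> cert dict."""
    return {name: check_lifetime(cert) for name, cert in certs.items()}


if __name__ == "__main__":
    for name, result in audit(SAMPLE_CERTS).items():
        print(f"{name}: {result}")
```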

According to Venafi, the interval between changes in the length of certificate lifespans has been shrinking over the last decade. It found that before 2011 certificate lifespans were 8–10 years (96 months), and that they were gradually reduced over the past decade: to five years, then to three years in 2015, and ultimately to 13 months in 2020, a reduction of 51%.

“Apple’s unilateral move to reduce machine identity lifespans will profoundly impact businesses and governments globally,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.

“The interval between certificate lifecycle changes is shrinking, while at the same time, certificate lifecycles themselves are being reduced. In addition, the number of machines—including IoT and smart devices, virtual machines, AI algorithms and containers—that require machine identities is skyrocketing.”

He went on to claim that if the interval between lifecycle changes continues on its current cadence, it’s likely that we could see certificate lifespans for all publicly trusted TLS certificates reduced to six months by early 2021, and perhaps become as short as three months by the end of next year.

“Actions by Apple, Google or Mozilla could accomplish this,” he said. “Ultimately, the only way for organizations to eliminate this external, outside risk is total visibility, comprehensive intelligence and complete automation for TLS machine identities.”