Google joins Apple in limiting web certificates to one year
2020-06-30 16:53

Google, it seems, is joining Apple in limiting the maximum validity of web security certificates - those digitally signed blobs of data that put the S in TLS and the padlock in your address bar - to just one year.

Others ask why a year is seen as "too long" given that certificate authorities such as Let's Encrypt are already issuing certificates that are only valid for three months at a time, thanks to a smoothly automated process for renewal.

If millions, or even hundreds of millions, of boutique websites using Let's Encrypt's free certificates can manage three-monthly renewals with ease, how can one year be considered too short for certificates from more mainstream, traditional certificate authorities?

For what it's worth, these new limits in Apple's and Google's browsers don't apply to certificates you've authorised yourself with signing certificates of your own, so you can set any sort of expiry limits you like in your own ecosystem.

For the rest of us: any web certificate issued after September 2020 that you hoped would last for two years will be rejected by both Apple's and Google's browsers with the error CERT VALIDITY TOO LONG. You can fight it - or you can go with the flow and adapt your certificate renewal workflow to acquire and use one-year certificates.
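An added example, not part of the original article: a small audit that flags which certificates in an inventory fall foul of the limit described above. It assumes the enforced cap is 398 days for certificates issued on or after 1 September 2020 (figures not stated on this page); the hostnames, dates and the `publicly_trusted` flag are constructed for illustration.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Assumptions (not stated on this page): the cap is 398 days and applies
# to certificates whose notBefore is on or after 2020-09-01 00:00 UTC.
MAX_LIFETIME = timedelta(days=398)
POLICY_START = datetime(2020, 9, 1, tzinfo=timezone.utc)


def _parse(ts):
    """Parse the 'Oct 01 00:00:00 2020 GMT' format used by ssl.getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(ts), tz=timezone.utc)


def audit(cert, publicly_trusted=True):
    """Return (verdict, lifetime_days) for one getpeercert()-shaped dict."""
    not_before = _parse(cert["notBefore"])
    lifetime = _parse(cert["notAfter"]) - not_before
    if not publicly_trusted:
        # Certificates chaining to a root you added yourself are not limited.
        return "exempt", lifetime.days
    if not_before < POLICY_START:
        return "ok-grandfathered", lifetime.days
    if lifetime > MAX_LIFETIME:
        return "rejected", lifetime.days
    return "ok", lifetime.days


# Constructed inventory: (host, certificate fields, chains to a public root?)
INVENTORY = [
    ("old.example", {"notBefore": "Aug 15 00:00:00 2020 GMT",
                     "notAfter": "Aug 15 00:00:00 2022 GMT"}, True),
    ("shop.example", {"notBefore": "Oct 01 00:00:00 2020 GMT",
                      "notAfter": "Oct 01 00:00:00 2022 GMT"}, True),
    ("blog.example", {"notBefore": "Oct 01 00:00:00 2020 GMT",
                      "notAfter": "Dec 30 00:00:00 2020 GMT"}, True),
    ("intranet.example", {"notBefore": "Oct 01 00:00:00 2020 GMT",
                          "notAfter": "Oct 01 00:00:00 2025 GMT"}, False),
]


def rejected_hosts(inventory):
    """Hosts whose certificate needs reissuing with a shorter lifetime."""
    return [h for h, c, public in inventory if audit(c, public)[0] == "rejected"]


if __name__ == "__main__":
    for host, cert, public in INVENTORY:
        print(host, *audit(cert, public))
```

In practice the certificate dicts would come from `ssl.SSLSocket.getpeercert()` or a certificate inventory export rather than a hard-coded list.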


News URL

https://nakedsecurity.sophos.com/2020/06/30/google-joins-apple-in-limiting-web-certificates-to-one-year/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Google 102 256 4320 4678 741 9995
Apple 72 238 1567 2279 265 4349