Google joins Apple in limiting web certificates to one year
2020-06-30 16:53

Google, it seems, is joining Apple in limiting the maximum validity of web security certificates - those digitally signed blobs of data that put the S in TLS and the padlock in your address bar - to just one year.

Others ask why a year is seen as "too long" given that certificate authorities such as Let's Encrypt are already issuing certificates that are only valid for three months at a time, thanks to a smoothly automated process for renewal.

If millions, or even hundreds of millions, of boutique websites using Let's Encrypt's free certificates can manage three-monthly renewals with ease, how can one year be considered too short for certificates from more mainstream, traditional certificate authorities?

For what it's worth, these new limits in Apple's and Google's browsers don't apply to certificates you've authorised yourself with signing certificates of your own, so you can set any sort of expiry limits you like in your own ecosystem.

For the rest of us: any web certificate issued after September 2020 that you hoped would last for two years will be rejected by both Apple's and Google's browsers with the error CERT_VALIDITY_TOO_LONG. You can fight it - or you can go with the flow and adapt your certificate renewal workflow to acquire and use one-year certificates.
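
An added example (not from the original article) of triaging a certificate inventory against this rule, including the exemption for certificates signed by your own roots. The 1 September 2020 cutoff and 398-day ceiling are assumptions taken from the browser vendors' published policies, since the article only says "one year"; the hostnames and dates are constructed.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Assumptions (not stated in the article): cutoff date and maximum lifetime
# as published in the Apple and Chrome root programme policies.
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)
MAX_VALIDITY = timedelta(days=398)


def _parse(cert_time):
    """Parse the 'Sep 15 00:00:00 2020 GMT' format used by ssl.getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def classify(cert, private_root=False):
    """Return how the one-year rule treats a certificate.

    cert is a dict shaped like ssl.getpeercert() output; private_root is True
    when the chain ends in a signing certificate you installed yourself.
    """
    not_before = _parse(cert["notBefore"])
    lifetime = _parse(cert["notAfter"]) - not_before
    if private_root:
        return "exempt"          # own ecosystem: any expiry limit allowed
    if not_before < CUTOFF:
        return "grandfathered"   # issued before the limit took effect
    if lifetime > MAX_VALIDITY:
        return "too_long"        # browsers reject this certificate
    return "ok"


def audit(inventory):
    """Map each hostname to its classification."""
    return {host: classify(cert, private) for host, cert, private in inventory}


# Constructed sample inventory: (hostname, certificate fields, private root?)
SAMPLE = [
    ("shop.example", {"notBefore": "Aug 20 00:00:00 2020 GMT",
                      "notAfter": "Aug 20 00:00:00 2022 GMT"}, False),
    ("www.example", {"notBefore": "Oct 01 00:00:00 2020 GMT",
                     "notAfter": "Oct 01 00:00:00 2022 GMT"}, False),
    ("api.example", {"notBefore": "Oct 01 00:00:00 2020 GMT",
                     "notAfter": "Oct 01 00:00:00 2021 GMT"}, False),
    ("intranet.example", {"notBefore": "Oct 01 00:00:00 2020 GMT",
                          "notAfter": "Oct 01 00:00:00 2022 GMT"}, True),
]

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE).items():
        print(f"{host:18} {verdict}")
```

Hosts reported as too_long need to be reissued with a shorter lifetime; grandfathered ones will hit the limit at their next renewal.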


News URL

https://nakedsecurity.sophos.com/2020/06/30/google-joins-apple-in-limiting-web-certificates-to-one-year/

Related vendor

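| VENDOR | LAST 12M | #/PRODUCTS | LOW | MEDIUM | HIGH | CRITICAL | TOTAL VULNS |
|--------|----------|------------|-----|--------|------|----------|-------------|
| Google |          | 141        | 994 | 4850   | 2758 | 1620     | 10222       |
| Apple  |          | 128        | 553 | 4047   | 1531 | 2411     | 8542        |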