Webinar: PKI Insights - The Most Common Misconfigurations in Today's PKI
Schedule a Demo
Blog June 17, 2020 2020, Apple iOS, Browsers, CA/Browser Forum, Certificate Templates, Certificate Validation, PKI, Standards, Watch Out

Changes to SSL/TLS Certificate Validity Periods – September 2020

by Mark B Cooper

It was recently announced that Google Chrome will be joining Apple Safari in implementing a change to publicly trusted SSL/TLS certificates. This change, however, will impact organizations operating their own internal PKI as well.

Person sitting at a laptop while viewing the PKI Spotlight Dashboard.

Expand Your PKI Visibility

Discover why seeing is securing with revolutionary PKI monitoring and alerting.

Learn More About PKI Spotlight®

While the change was initially submitted to the official CA/Browser Forum, the vote failed last year. However, both Apple and Google have unilaterally announced that as of September 1, 2020, their browsers will only trust SSL/TLS certificates valid for 398 days or less (consider this 1 year, with a 10% fudge factor).

Since Google and Apple represent the large majority of browsers in use (over 80%), their adoption of this change makes it a near industry standard regardless of the CA/B Forum and other browser behaviors.

This is similar to the impact on internal PKIs we saw as the industry moved from SHA1 to SHA256 as well as the change in 2018 as the industry moved from 3-year certificates to 2-year certificate maximums.

Any existing SSL/TLS certificates you have will remain valid as long as they were issued PRIOR to September 1, 2020. Any certificates issued on that date or later, must have a validity period no longer than 398 days. This will not impact certificates used for other purposes since browsers wouldn’t be involved – such as Domain Controller certificates, RDP, Client Authentication certs for WiFi/VPN, etc…

So at this point, you should be aware of the need to change your SSL/TLS certificate templates on or before September 1, 2020, to reflect this new shortened validity period.

We do recognize the impact this will have for many internal organizations as most SSL/TLS certificates are manually enrolled and renewed. This shortening from 2 years to 1 year will double that enrollment effort. If you aren’t already using or reviewing a Certificate Management solution, now might be a good time to do that. We would be happy to discuss the options with you further as well of course!

Related Resources

  • Blog Graphic with a gold background with the Globee Awards Gold Winner logo for Public Key Infrastructure PKI Cybersecurity.
    May 10, 2024

    Globee Awards Gold Winner in PKI Cybersecurity!

    PKI, PKI Spotlight
  • Blog a shield with a lock on it representing pki and certificates with several other locks and cybersecurity components in the background
    May 1, 2024

    Strengthening Security with Centralized MFA Integration

    MFA, PKI, PKI Spotlight
  • Blog
    April 29, 2024

    PKI Insights Recap – PKI Posture Management for Digital Certificates

    Digital Certificates, PKI, PKI Insights

Mark B Cooper

President & Founder at PKI Solutions, Leading PKI Cybersecurity Subject Matter Expert, Author, Speaker, Trainer, Microsoft Certified Master.

View All Posts by Mark B Cooper


Leave a Reply

Your email address will not be published. Required fields are marked *