From September 2020 the security certificates used to enable HTTPS communications can only be valid for a maximum of 13 months, says Apple.
Since the Apple Safari browser enjoys a 17% market share, this restriction will likely force the whole industry to adopt the same limit in certificate lifespan.
The Certificate Authority Browser Forum (CAB Forum) had discussed a plan proposed by Google to reduce the current maximum TLS certificate life from 3 years down to 1 back in 2019, however the forum was unable to reach agreement on the proposal. Apple’s unilateral move announced at the recent CAB Forum meeting will now force the issue with effect from September 2020. This means that any TLS certificate issued after 30th August 2020 will only be considered valid if its expiry date is 398 days or less after issue (that’s 13 months).
The reason why Google first suggested this change back in 2019, and Apple has now forced the issue – is that reducing the maximum duration of certificates improves the security of the whole ecosystem. This is especially important as many consider the process for certificate revocation to be broken.
The impact on many IT teams will be to double or triple the work required to manage security certificates and ensure they are updated in good time. This might sound straightforward but, as Microsoft demonstrated earlier this month, it’s very easy to forget to renew a certificate and bring down vital services, such as Microsoft Teams.
While Apple has not made a public announcement yet, DigiCert has published an article which provides useful context.