Mozilla and Google have confirmed they will be aligning with Apple and their browsers will reject any web server certificate issued after 1st September which is valid for more than a year.
Apple announced the move to only support 1 year certificates back in February and now Mozilla and Google (and thus all the Chromium based offshoots including Microsoft Edge) have aligned their policies to match.
The precise details are: for any web server certificate with a ‘Not Valid Before’ date after 31st August 2020 the certificate lifetime must be 398 days or less (based on a lifetime of 1 year plus 33 days).
According to Google:
Certificates that violate this will be rejected with ERR_CERT_VALIDITY_TOO_LONG and will be treated as misissued.
The primary reason for the change is to improve the overall security of the certificate ecosystem. When SSL certificates were first available, they could be ordered from a CA with up to a 10-year validity. The maximum allowed lifetime has been gradually reducing over time – mainly due to the problems with revoking compromised or rogue certificates.
Security teams and system administrators have just two months to ensure policies and procedures are updated to ensure new certificates are appropriately valid from the start of September 2020.