JOIN OUR AFFILIATE NETWORK

Join our affiliate network and become a local SSL expert

♦ learn more about our program ♦
Menu
picture of tbs certificates
picture of tbs certificates
Certificates
Our products range
Partners
Support
Focus


20200302 - Limitation of SSL certificates lifetime on Safari

During a CA/B Forum meeting that took place last February Apple announced the reduction of SSL certificates lifetime accepted by its browser Safari.

Several ballots aiming to reduce certificates lifetime have been put to vote on the request of browsers editors but have been rejected each time during the past few years. Apple takes a unilateral decision for its browser.

It comes as no surprise though. The standard is constantly evolving and SSL certificates lifetime has been gradually reduced. It was only a matter of time before such a decision was made.

Note that 2 years valid certificates are not (yet) condemned. The just won't be recognized by Safari anymore.

Why?

A shorter lifetime forces Certification Authorities to run vetting processes more regularly and so limits risks of inadequacy between certificate and organization. It is also a way to speed up and easy migrations due to technological evolution (transition from SHA1 to SHA2 for example).

When?

The deadline will be on September 1st 2020.

What impact for existing certificates?

None. Safari will only reject certificates valid more than 398 days that will be issued after September 2020. To be clear; certificates valid 2 years issued before the deadline will be accepted by the browser.

How to get prepared?

No specific action will be required. But if you want to obtain 2 years valid certificates you'll have to order them in August at the latest (if you want to keep Safari compatibility).

The options to be considered

Renew a certificate each year implies a multiplication of technical (CSR generation, installation, DCV) and administrative (vetting process) steps. The workload can be heavily affected. Authorities are then launching new offers to lighten the procedures linked to a SSL certificate purchase.

Subscriptions

Sectigo proposes SSL subscriptions via its brand PositiveSSL:

Recently launched, they allow the purchase of 3, 4 or even 5 years valid SSL certificates.

Those certificates are issued for the maximal lifetime allowed by the standard and must be reissued to obtain a new validity period.

Automatic renewals

You can now activate the automatic renewal for all or some of your SSL server certificates via your Certificate Center.

Once done, your renewal requests are deposited automatically. The remaining part of the process does not change: vetting, DCV, installation...

Useful links