

20200302 - Limitation of SSL certificates lifetime on Safari

During a CA/B Forum meeting held last February, Apple announced a reduction of the SSL certificate lifetime accepted by its browser, Safari.

Over the past few years, several ballots aiming to reduce certificate lifetime have been put to a vote at the request of browser vendors, but they were rejected each time. Apple has now taken a unilateral decision for its own browser.

It comes as no surprise though. The standard is constantly evolving and the lifetime of SSL certificates has been gradually reduced. It was only a matter of time before such a decision was made.

Note that certificates valid for 2 years are not (yet) condemned. They just won't be recognized by Safari anymore.

Why?

A shorter lifetime forces Certification Authorities to run their vetting processes more often, which limits the risk of a mismatch between the certificate and the organization it describes. It is also a way to speed up and ease migrations driven by technological evolution (the transition from SHA1 to SHA2, for example).

When?

The deadline will be on September 1st 2020.

What impact for existing certificates?

None. Safari will only reject certificates valid for more than 398 days that are issued after September 2020. To be clear: certificates valid for 2 years and issued before the deadline will still be accepted by the browser.
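The rule above can be checked against an inventory of certificate dates. The following Python sketch is an added example, not code from TBS or Apple; it assumes the deadline means 00:00 UTC on September 1st 2020 and that validity is the plain difference between notAfter and notBefore. The host names, dates and function names are constructed for illustration.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Deadline and limit as stated on this page; midnight UTC is an assumption.
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)
MAX_VALIDITY = timedelta(days=398)


def _parse(cert_time):
    """Parse the 'Sep  1 00:00:00 2020 GMT' format returned by getpeercert()."""
    seconds = ssl.cert_time_to_seconds(cert_time)
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def safari_verdict(cert):
    """Classify a dict carrying 'notBefore' and 'notAfter' strings."""
    not_before = _parse(cert["notBefore"])
    not_after = _parse(cert["notAfter"])
    if not_after <= not_before:
        raise ValueError("notAfter must be later than notBefore")
    if not_after - not_before <= MAX_VALIDITY:
        return "ok"
    # Long-lived certificates issued before the deadline stay accepted.
    if not_before < CUTOFF:
        return "ok-grandfathered"
    return "rejected"


def audit(inventory):
    """Map each host name to its verdict."""
    return {name: safari_verdict(cert) for name, cert in inventory.items()}


# Constructed sample inventory (not real certificates).
SAMPLE = {
    "legacy.example": {"notBefore": "Aug 20 00:00:00 2020 GMT",
                       "notAfter": "Aug 20 23:59:59 2022 GMT"},
    "one-year.example": {"notBefore": "Sep 15 00:00:00 2020 GMT",
                         "notAfter": "Oct 17 23:59:59 2021 GMT"},
    "too-long.example": {"notBefore": "Sep  1 00:00:00 2020 GMT",
                         "notAfter": "Sep  1 00:00:00 2022 GMT"},
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE).items():
        print(f"{name}: {verdict}")
```

The same function accepts the dictionary returned by `SSLSocket.getpeercert()`, so it can be run against live endpoints as well as exported date lists.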

How to get prepared?

No specific action will be required. But if you want to obtain certificates valid for 2 years, you'll have to order them in August at the latest (if you want to keep Safari compatibility).

The options to be considered

Renewing a certificate every year multiplies the technical steps (CSR generation, installation, DCV) and the administrative ones (vetting process). The workload can be heavily affected. Authorities are therefore launching new offers to lighten the procedures linked to the purchase of an SSL certificate.

Plans

Sectigo offers SSL plans via its brand PositiveSSL:

Recently launched, they allow the purchase of SSL certificates valid for 3, 4 or even 5 years.

Those certificates are issued for the maximum lifetime allowed by the standard and must be reissued to obtain a new validity period.

Automatic renewals

You can now activate automatic renewal for all or some of your SSL server certificates via your Certificate Center.

Once done, your renewal requests are submitted automatically. The rest of the process does not change: vetting, DCV, installation...

Certification authorities

As of September 1st 2020, certification authorities will cease issuing SSL server certificates valid for more than 1 year. This way, they make sure their roots will keep being recognized by Safari.

Sectigo and TBS X509

Sectigo will stop issuing certificates valid for 2 years as of August 19. Orders not delivered by this date won't be canceled but will be delivered as planned.

GlobalSign

The authority will issue certificates valid for 2 years up until the deadline on August 31.

Harica

Harica takes the lead and will stop issuing these certificates on August 1st.

Certigna

Certigna will accept new orders until August 15 but will cancel any incomplete order as of August 21.

Any request for a certificate valid for 2 years with an incomplete file as of August 14 at 16h00 will be canceled.

Group DigiCert

The DigiCert group (DigiCert, Thawte and Geotrust) will accept orders for certificates valid for 2 years until August 27 for organisations that are already validated (that have ordered other products recently). For other organisations the deadline is August 12.

Any request for a certificate valid for 2 years not issued as of August 26 at 17h00 will be canceled.

TBS position

TBS might stop selling the products concerned before the dates indicated above, to take processing times into account and to ensure that all certificates are delivered.
