The developers of the Chromium project made a change that sets the maximum lifespan of TLS certificates to 398 days (13 months).



The condition is valid for all public server certificates issued after September 1, 2020. If the certificate does not match this rule, the browser will reject it as invalid, and specifically respond with an error ERR_CERT_VALIDITY_TOO_LONG.



For certificates received before September 1, 2020, trust will be preserved and limited to 825 days (2.2 years), as it is today.



Previously, the restrictions on the maximum lifetime of certificates were introduced by the developers of the Firefox and Safari browsers. The change also comes into force on September 1 .



This means that websites that use SSL / TLS certificates with a long lifespan issued after the cut-off point will generate privacy errors in browsers.







Apple was the first to announce a new policy at a CA / Browser forum in February 2020 . By introducing the new rule, Apple promised to apply it on all iOS and macOS devices. This will put pressure on website administrators and developers to keep their certificates up to date.



Reducing the lifetime of certificates has been discussed for months by Apple, Google, and other CA / Browser contributors. This policy has its advantages and disadvantages.



The goal of this step is to increase website security by making sure that developers use certificates with the latest cryptographic standards, and to reduce the number of old, forgotten certificates that could potentially be stolen and reused for phishing and malicious drive-by attacks. If attackers can break the SSL / TLS cryptography, the short-lived certificates will allow people to migrate to more secure certificates in about a year.



Shortening the validity of certificates has some disadvantages. It was noted that by increasing the frequency of certificate replacement, Apple and other companies are also making life a bit harder for site owners and companies that must manage certificates and compliance.



On the other hand, Let's Encrypt and other certification authorities encourage webmasters to implement automated procedures for renewing certificates. This reduces human overhead and the risk of errors as the frequency of certificate replacement increases.



Let's Encrypt is known to issue free HTTPS certificates that expire after 90 days and provides tools to automate renewals. So now these certificates fit even better into the overall infrastructure as browsers set a maximum expiration limit.



This change was put to the vote by members of the CA / Browser Forum association, but the decision was not approved due to the disagreement of the certification authorities .

results

Certificate publishers vote

For (11 votes) : Amazon, Buypass, Certigna (DHIMYOTIS), certSIGN, Sectigo (formerly Comodo CA), eMudhra, Kamu SM, Let's Encrypt, Logius, PKIoverheid, SHECA, SSL.com



Against (20) : Camerfirma, Certum ( Asseco), CFCA, Chunghwa Telecom, Comsign, D-TRUST, DarkMatter, Entrust Datacard, Firmaprofesional, GDCA, GlobalSign, GoDaddy, Izenpe, Network Solutions, OATI, SECOM, SwissSign, TWCA, TrustCor, SecureTrust (formerly Trustwave)



Abstained (2 ) : HARICA, TurkTrust

Certificate Consumer Voting

For (7) : Apple, Cisco, Google, Microsoft, Mozilla, Opera, 360



Against : 0



Abstained : 0

Browsers now enforce this policy without the consent of CAs.