February 21, 2020 (updated 26 Jul 2022 10:33am)

Apple Unilaterally Slashes TLS Certificate Trust Period

ACME protocol, supported by more than 130 open source tools, might help ease the pain for website owners...

By CBR Staff Writer

Apple is planning to more than halve how long its Safari browser will trust TLS certificates, cutting the time to just 13 months and putting fresh pressure on organisations to get their certificate management practices in shape.

As of September 1, 2020, Apple is setting a hard trust limit of 398 days. (The current acceptable duration is 825 days.) Certificates issued on or after that date with a term beyond 398 days will be distrusted in Apple products.
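As an added example (not code from the article, Apple or any CA), the following Python check applies the two limits stated above to a certificate inventory. It assumes the inventory is the output of `openssl x509 -noout -dates` for each certificate and that the cut-off is 00:00 UTC on 1 September 2020; the sample inventory is constructed.

```python
import math
from datetime import datetime, timezone

# Limits quoted in the article; the 00:00 UTC cut-off is an assumption.
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)
NEW_LIMIT_DAYS = 398   # certificates issued on or after CUTOFF
OLD_LIMIT_DAYS = 825   # previous maximum, still applies to earlier issuance

def parse_openssl_date(value: str) -> datetime:
    """Parse the 'Sep  1 00:00:00 2020 GMT' form printed by `openssl x509 -dates`."""
    # openssl pads single-digit days with two spaces; collapse before parsing.
    parsed = datetime.strptime(" ".join(value.split()), "%b %d %H:%M:%S %Y %Z")
    return parsed.replace(tzinfo=timezone.utc)

def validity_days(not_before: datetime, not_after: datetime) -> int:
    """Validity period in whole days, rounding partial days up (conservative)."""
    return math.ceil((not_after - not_before).total_seconds() / 86400)

def check_certificate(not_before: datetime, not_after: datetime) -> dict:
    """Apply the limit that matches the issuance date and report the verdict."""
    limit = NEW_LIMIT_DAYS if not_before >= CUTOFF else OLD_LIMIT_DAYS
    days = validity_days(not_before, not_after)
    return {"days": days, "limit": limit, "trusted": days <= limit}

def audit(dates_output: str) -> list:
    """Walk concatenated notBefore/notAfter pairs and check each certificate."""
    results, not_before = [], None
    for line in dates_output.splitlines():
        key, _, value = line.strip().partition("=")
        if key == "notBefore":
            not_before = parse_openssl_date(value)
        elif key == "notAfter" and not_before is not None:
            results.append(check_certificate(not_before, parse_openssl_date(value)))
            not_before = None
    return results

# Constructed sample inventory (three certificates), not real data.
SAMPLE = """\
notBefore=Aug 31 12:00:00 2020 GMT
notAfter=Nov 30 12:00:00 2022 GMT
notBefore=Sep  1 00:00:00 2020 GMT
notAfter=Oct  4 00:00:00 2021 GMT
notBefore=Sep  1 00:00:00 2020 GMT
notAfter=Oct  5 00:00:00 2021 GMT
"""

if __name__ == "__main__":
    for i, r in enumerate(audit(SAMPLE), 1):
        print(f"cert {i}: {r['days']} days (limit {r['limit']}) -> "
              f"{'trusted' if r['trusted'] else 'DISTRUSTED'}")
```

The first sample certificate was issued before the cut-off and so is judged against the old 825-day limit; the third is issued on the cut-off date and exceeds 398 days by one day.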

In theory, shorter maximum validity periods for such certificates boost website security through more regular generation of new keys. The impact is likely to be considerable for end-users, given that Safari has an estimated browser market share of 17+ percent, second only to Google Chrome.

The company has not publicly confirmed the decision, announced unilaterally at the Certificate Authority/Browser Forum this week, but the move has been confirmed by CAs who have taken the opportunity to press businesses to move away from manual certificate management processes.

The move is the latest in a long-running clash between Certificate Authorities (CAs) and browser vendors, with the latter favouring shorter periods and CAs saying customers fear business disruption as a result. Many observers expect Google to take a similar step with Chrome in the near future.

Apple’s move comes after a 2019 CA/Browser Forum ballot sought to make one-year lifespans the norm. The bid failed, with 20 opposed to the motion, 18 in favour and two abstentions. CAs said aggregate survey results from 4,000 customers of three CAs showed website owners opposed the change by 83 percent.

Arvid Vermote, CISO, GlobalSign, told Computer Business Review: “This decision comes on the heels of a lively debate among the browsers, CAs, and SSL users on where the operational vs. security spectrum maximum validity dates should follow. GlobalSign applauds the lean towards increased security given recent experiences that demonstrate the need for an agile response to any compromise to the CA ecosystem.


The company’s “products, APIs and related tools” are ready to adapt to the new requirement, in terms of both compliance and operational overhead, he added.

“Welcome to the new age of certificate agility!”

See also: Microsoft Teams Takes a Tumble after Cert Expires

Tim Callan, a Senior Fellow at Sectigo added: “TLS certificate automation is greatly aided by the emergence of the ACME protocol (Automated Certificate Management Environment), which can fully automate key generation, domain control validation, certificate creation, and installation on the server.

He added: “The protocol is supported by more than 130 open source tools that work with the most popular operating systems, including Apache, IIS, NGINX, F5 BIG-IP, and Citrix NetScaler. For small business certificate users, new SSL subscription services make it possible to automate the delivery of one-year certificates over the course of up to five years, without having to go through a new certificate request process every time.”

“These innovations greatly reduce the burden on businesses of moving strictly to single-year certificates.”
