Chrome also limits the lifetime of TLS certificates to 13 months

Chromium developers have made a change that sets the maximum lifetime of TLS certificates to 398 days (13 months).

The rule applies to all public server certificates issued after September 1, 2020. If a certificate does not satisfy it, the browser rejects the certificate as invalid and reports the specific error ERR_CERT_VALIDITY_TOO_LONG.

Certificates issued before September 1, 2020 remain trusted, with a lifetime limit of 825 days (2.2 years), as today.
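The two rules above (398 days for certificates issued from the cut-off date onward, 825 days for older ones, and the ERR_CERT_VALIDITY_TOO_LONG error) can be checked by an operator before a browser does. The following is an added example, not code from the article or from Chromium: a small Python checker that works on the dictionary shape returned by `ssl.SSLSocket.getpeercert()`, using the standard-library `ssl.cert_time_to_seconds()` to parse the `notBefore`/`notAfter` strings. The sample certificates are constructed, and the comparison semantics (lifetime is `notAfter` minus `notBefore`, compared inclusively so that exactly 398 days passes) are an assumption, not a statement of how Chromium computes the limit.

```python
import datetime as dt
import ssl

# Values stated in the article: the cut-off date and the two maximum lifetimes.
CUTOFF = dt.datetime(2020, 9, 1, tzinfo=dt.timezone.utc)
MAX_DAYS_AFTER_CUTOFF = 398   # issued on or after 2020-09-01
MAX_DAYS_BEFORE_CUTOFF = 825  # issued before 2020-09-01
TOO_LONG = "ERR_CERT_VALIDITY_TOO_LONG"


def max_allowed_days(not_before: dt.datetime) -> int:
    """Maximum lifetime that applies to a certificate issued at not_before."""
    return MAX_DAYS_AFTER_CUTOFF if not_before >= CUTOFF else MAX_DAYS_BEFORE_CUTOFF


def check_lifetime(not_before: dt.datetime, not_after: dt.datetime):
    """Return (accepted, reason, lifetime_days).

    Assumption (not from the article): the lifetime is notAfter minus notBefore
    and is compared inclusively, so a lifetime of exactly 398 days is accepted.
    """
    if not_after <= not_before:
        return False, "notAfter is not later than notBefore", 0.0
    lifetime_days = (not_after - not_before).total_seconds() / 86400
    if lifetime_days > max_allowed_days(not_before):
        return False, TOO_LONG, lifetime_days
    return True, "OK", lifetime_days


def _parse_cert_time(value: str) -> dt.datetime:
    # ssl.cert_time_to_seconds() accepts the 'Sep  1 00:00:00 2020 GMT' format
    # that getpeercert() uses for notBefore/notAfter and returns epoch seconds (UTC).
    return dt.datetime.fromtimestamp(ssl.cert_time_to_seconds(value), dt.timezone.utc)


def check_peercert(cert: dict):
    """Apply check_lifetime() to a getpeercert()-style dictionary."""
    return check_lifetime(_parse_cert_time(cert["notBefore"]),
                          _parse_cert_time(cert["notAfter"]))


# Constructed sample certificates (only the validity fields are needed here).
SAMPLES = {
    "new_398_days": {"notBefore": "Sep  1 00:00:00 2020 GMT",
                     "notAfter": "Oct  4 00:00:00 2021 GMT"},
    "new_399_days": {"notBefore": "Sep  1 00:00:00 2020 GMT",
                     "notAfter": "Oct  5 00:00:00 2021 GMT"},
    "old_825_days": {"notBefore": "Aug 31 00:00:00 2020 GMT",
                     "notAfter": "Dec  4 00:00:00 2022 GMT"},
    "old_826_days": {"notBefore": "Aug 31 00:00:00 2020 GMT",
                     "notAfter": "Dec  5 00:00:00 2022 GMT"},
}


def run_samples() -> dict:
    """Evaluate every sample; returns name -> (accepted, reason, lifetime_days)."""
    return {name: check_peercert(cert) for name, cert in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, reason, days) in run_samples().items():
        print(f"{name}: {days:.0f} days -> {'accepted' if ok else reason}")
```

In a live check the dictionary passed to `check_peercert()` would come from `getpeercert()` on a connected `ssl.SSLSocket`; the boundary samples show that a certificate issued on the cut-off day gets the 398-day limit while one issued the day before still gets 825 days.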

The developers of Firefox and Safari had already introduced the same limit on maximum certificate lifetime; their change also takes effect on September 1.

This means that websites using long-life SSL/TLS certificates issued after the cut-off point will generate privacy errors in browsers.


Apple was the first to announce the new policy, at a CA/Browser Forum meeting in February 2020. Apple promised to enforce the new rule on all iOS and macOS devices, which puts pressure on website administrators and developers to bring their certificates into line.

Reducing certificate lifetimes has been discussed by Apple, Google, and other CA/Browser Forum members for months. The policy has both advantages and disadvantages.

The goal of the move is to improve website security: to make sure that sites use certificates issued under the latest cryptographic standards, and to reduce the number of old, forgotten certificates that could be stolen and reused for phishing and malicious drive-by attacks. If attackers ever break the cryptography used in SSL/TLS, short-lived certificates allow everyone to move to more secure certificates within about a year.

Shorter validity periods also have disadvantages. By increasing the frequency of certificate replacement, Apple and the other browser vendors make life somewhat harder for site owners and companies that have to manage certificates and compliance.

On the other hand, Let's Encrypt and other certificate authorities encourage webmasters to implement automated procedures for renewing certificates. This reduces human overhead and the risk of errors as the frequency of certificate replacement increases.

As you know, Let's Encrypt issues free HTTPS certificates that expire after 90 days and provides tools to automate renewal. These certificates now fit even better into the overall infrastructure, as browsers cap the maximum validity period.

The change had been put to a vote by the members of the CA/Browser Forum, but it was not approved because the certificate authorities objected.

The results

Certificate Issuer voting

For (11 votes): Amazon, Buypass, Certigna (DHIMYOTIS), certSIGN, Sectigo (formerly Comodo CA), eMudhra, Kamu SM, Let's Encrypt, Logius, PKIoverheid, SHECA, SSL.com

Against (20): Camerfirma, Certum (Asseco), CFCA, Chunghwa Telecom, Comsign, D-TRUST, DarkMatter, Entrust Datacard, Firmaprofesional, GDCA, GlobalSign, GoDaddy, Izenpe, Network Solutions, OATI, SECOM, SwissSign, TWCA, TrustCor, SecureTrust (formerly Trustwave)

Abstained (2): HARICA, TurkTrust

Certificate Consumer voting

For (7): Apple, Cisco, Google, Microsoft, Mozilla, Opera, 360

Against: 0

Abstained: 0

The browsers are now enforcing this policy without the consent of the CAs.

Source: habr.com
