Starting September, Apple Won’t Support SSL & TLS Issued for More than 398 Days

From September 1 onwards Apple’s browser Safari will not support SSL and TLS certificates issued for periods longer than 398 days.

This is the equivalent of one year, with the renewal grace period included. The reason for this change is improving web security, as Apple explained in an announcement released earlier this year.

Who is affected by Apple’s change of certificate validity?

TLS server certificates issued by the Root CAs (certificate authorities) preinstalled with iOS, iPadOS, macOS, tvOS, and watchOS. In addition, this change regards TLS server certificates issues on September 1, or after this date, 2020. Certificates issued before this dare are not affected.

Since Apple is enforcing this immediately, any connections to TLS servers that don’t meet the new requirements will be denied. Furthermore, Apple is not the only company embracing such a change. Google and Mozilla followed with their own suggestions of the same length of certificate validity.

Also Read Setup and Install an SSL Certificate The Easy Way

Here are several important notes that Apple shared in the announcement earlier this year:

– Validity period is defined in line with RFC 5280, Section, as “the period of time from notBefore through notAfter, inclusive.”
– 398 days is measured with a day being equal to 86,400 seconds. Any time greater than this indicates an additional day of validity.
– We recommend that certificates be issued with a maximum validity of 397 days.
– This change will not affect certificates issued from user-added or administrator-added Root CAs.

Why are companies enforcing this change concerning the life cycle of certificates? One reason is the safety of their users. It can be quite challenging to replace certificates with longer lifespan, especially when facing security incidents. T

his may be considered an effort in avoiding the prolonged response to security threats. In addition, certificates with shorter lifespan can reduce the window of exposure in case a TLS certificate is compromised in any way.

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.