How Apple’s New SSL Validity Limit Will Affect You
A change in Apple’s policy regarding the maximum validity of SSL certificates is set to reduce the lifespan of SSLs issued by major Certificate Authorities across the industry. In February of this year, the tech giant announced that from September 1, 2020, it would stop trusting issued SSL certificates with a validity period greater than 398 days. Following this announcement, Google and Mozilla said that they would implement the same policy.
This means that SSL certificates issued on or after September 1st, 2020, must have a validity period of 398 days or less, or they will not be trusted by Apple’s Safari browser, Google Chrome, or Firefox.
Apple has also stated that any connection using an SSL certificate that violates these new requirements will fail, so beyond stopping websites from loading, it could also impact apps and systems communicating over TLS. To prevent customers from facing potential issues, Certificate Authorities will stop issuing 2-year SSL certificates and start limiting the validity of issued SSLs to 398 days, in effect a 1-year certificate.
What Does This Mean for Namecheap Customers?
Sectigo — Namecheap’s SSL certificate vendor — will implement this change from August 19, 2020. This means that any SSL purchased from Namecheap and activated on or after August 19th will be issued for a maximum of 398 days.
However, Namecheap will continue offering SSL certificates of up to five years. SSLs purchased for a longer time period are better value for customers, providing lower yearly prices and protection from industry price increases.
To comply with the new requirements, if you purchase an SSL of up to five years and activate it on August 19th or after, it will need to be reissued and reinstalled on your server annually. We will always send you an email reminder 30 days before it’s time for reissue.
What If I Already Have a 2-year SSL Issued?
Until now, the validity limit of issued SSLs has been two years (or 27 months). The new lifetime limit of 398 days will only impact SSL certificates issued on or after September 1st, so if you already had a two-year SSL issued, it will remain valid and trusted until its original expiration date. However, as stated above, SSL certificates purchased from Namecheap and activated on August 19th or later will be issued for a maximum of 398 days.
If you already had an issued 2-year SSL purchased from Namecheap and need to have it reissued on or after August 19th, a new SSL will be issued for either 398 days or, if you have fewer than 398 days left on your initial SSL certificate, the number of days you have remaining. If after 398 days you still have days remaining on your certificate, you can get it reissued again to use up the remaining time period.
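The trust rule and the reissue arithmetic described above can be checked with a short script. This is an added example, not code from Namecheap, Sectigo, or Apple. It assumes the cutoff falls at 00:00 UTC on September 1, 2020, that validity is measured as notAfter minus notBefore, and that a two-year term is 730 days; the sample certificates are constructed.

```python
import ssl
from datetime import datetime, timedelta, timezone

MAX_VALIDITY = timedelta(days=398)                  # limit stated on this page
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)  # assumption: 00:00 UTC

def parse_cert_time(value):
    """Parse the 'Sep 15 00:00:00 2020 GMT' format used by getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)

def check_validity(cert):
    """Evaluate a dict shaped like ssl.SSLSocket.getpeercert() output."""
    not_before = parse_cert_time(cert["notBefore"])
    not_after = parse_cert_time(cert["notAfter"])
    lifetime = not_after - not_before  # assumption: validity = notAfter - notBefore
    subject = not_before >= CUTOFF     # older certificates keep their original expiry
    return {
        "days": lifetime / timedelta(days=1),
        "subject_to_limit": subject,
        "trusted": not (subject and lifetime > MAX_VALIDITY),
    }

def reissue_plan(days_purchased):
    """Split a purchased term into issuances of at most 398 days each."""
    plan, remaining = [], days_purchased
    while remaining > 0:
        chunk = min(MAX_VALIDITY.days, remaining)
        plan.append(chunk)
        remaining -= chunk
    return plan

# Constructed sample certificates (not real ones).
SAMPLE_CERTS = {
    "two_year_before_cutoff": {"notBefore": "Aug 18 00:00:00 2020 GMT",
                               "notAfter": "Aug 18 00:00:00 2022 GMT"},
    "two_year_after_cutoff": {"notBefore": "Sep 15 00:00:00 2020 GMT",
                              "notAfter": "Sep 15 00:00:00 2022 GMT"},
    "exactly_398_days": {"notBefore": "Sep 15 00:00:00 2020 GMT",
                         "notAfter": "Oct 18 00:00:00 2021 GMT"},
    "399_days": {"notBefore": "Sep 15 00:00:00 2020 GMT",
                 "notAfter": "Oct 19 00:00:00 2021 GMT"},
}

if __name__ == "__main__":
    for name, cert in SAMPLE_CERTS.items():
        print(name, check_validity(cert))
    print("2-year term reissue plan:", reissue_plan(730))
```

To check a live endpoint, pass the dictionary returned by `getpeercert()` on a connected `ssl.SSLSocket` to `check_validity`.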
While giving issued SSLs shorter lifespans means a little more work for everyone, it does have security benefits. SSL key rotation will be more frequent and Certificate Authorities in turn will need to perform more frequent checks on website owners. Phasing out certain types of certificates (such as those with weak hash algorithms) will also be a faster process than before. All of this adds up to a more secure experience for you and your website visitors.