By now you’ve likely heard about Apple’s announcement at the February 2020 Certificate Authority/Browser Forum meeting that they will no longer accept publicly trusted TLS web server certificates valid for longer than 398 days after Sept. 1, 2020, in the Mac OS and iOS platforms. The CA/B Forum had previously voted down an initiative to reduce public TLS certificate lifetimes from two years to one year. Yet Apple decided to unilaterally take this reduction path. Other browsers are discussing a similar implementation. This affects every CA and website owner.
Website owners need to prepare
CAs will have to ensure they only issue one-year certificates after Sept. 1. This is because Apple will treat any certificates issued from roots in their platform valid for more than 398 days as a “policy violation,” meaning CAs could face disciplinary action from Apple. Such action could be as minor as a warning or as significant as CA distrust. CAs use root certificates common to all browsers to issue TLS certs. If they didn’t, users would experience errors when accessing websites from different browsers.
Website owners that currently use two-year website certificates will only be able to obtain one-year certificates as of Sept. 1. Any certificates that are currently valid for two years and issued before Sept. 1 will remain valid.
Private TLS and all other certificate types not affected
This change does not affect private TLS certificates; such as certificates issued from custom roots, code signing, email certificates or any other type of non-TLS certificates.
If you use or issue these types of certificates, you can continue to do so up to the validity period defined by the platform.