Recently, at a meeting of the CA/Browser Forum, Apple announced that Safari will no longer trust new HTTPS certificates that expire more than 13 months (398 days) after they are issued. Certificates were once issued with a maximum validity of three years, then the limit was cut to two years, and now it stands at just over a year. The team at Entrust Datacard have recently released a webinar that outlines the new rules from Apple.
Here is the direct message from Apple (the full article can be found at https://support.apple.com/en-us/HT211025):
“TLS server certificates issued on or after September 1, 2020 must not have a validity period greater than 398 days.
This change will affect only TLS server certificates issued from the Root CAs preinstalled with iOS, iPadOS, macOS, watchOS, and tvOS. Additionally, this change will affect only TLS server certificates issued on or after September 1, 2020; any certificates issued prior to that date will not be affected by this change.
Connections to TLS servers violating these new requirements will fail. This might cause network and app failures and prevent websites from loading.”
In practice this means that a website whose certificate was issued on or after the cut-off date with a validity period longer than 398 days will produce a certificate error in Safari, and in any other app on macOS and iOS that relies on the system TLS stack, causing all sorts of issues for many enterprises across the spectrum.
To be more specific, any certificate issued on or after 1 September 2020 with a validity period longer than 398 days will not be considered trusted by Safari and will be treated as invalid, whereas certificates issued before that deadline keep their original validity and remain accepted until they expire.
This adds a significant amount of work for web admins and system developers, who now need to ensure that every certificate they deploy meets Apple's updated rules. If they do not clean this up, outages on Apple clients are a real risk.
Another complication for website operators and businesses is the compliance and management burden of certificates with shorter lifespans. Companies will need to automate certificate issuance and deployment as much as possible to avoid errors when replacing them. It can quickly become a minefield of outdated certificates across hundreds (or thousands) of hosts and services, and can create a huge backlog of work for already busy developers and IT teams.
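The first step in that clean-up is an inventory: which of your certificates would Safari now reject, and which are merely close to expiry? The script below is an added example for this post (it is not Entrust Datacard's code and not from the original article). It uses only the Python standard library: each certificate is represented in the dictionary form that `ssl.SSLSocket.getpeercert()` returns, and the `notBefore`/`notAfter` strings are parsed with `ssl.cert_time_to_seconds()`. The hostnames, dates and certificate fields in `SAMPLE_CERTS` are constructed sample data, not real certificates, and the issuance date is approximated by `notBefore`, which is all a TLS client can see.

```python
"""Audit TLS server certificates against Apple's 398-day validity limit.

Added example, not from the original post. Standard library only: the
cert dict shape is the one returned by ssl.SSLSocket.getpeercert(), and
ssl.cert_time_to_seconds() parses its date strings. All hostnames and
dates below are constructed sample data (assumptions, not real certs).
"""
import socket
import ssl
from datetime import datetime, timezone

MAX_VALIDITY_DAYS = 398
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)  # issuance cut-off from Apple's notice
SECONDS_PER_DAY = 86400


def validity_days(cert):
    """Validity period in days, measured as notAfter minus notBefore.

    getpeercert() exposes dates as strings such as 'Sep  1 00:00:00 2020 GMT';
    cert_time_to_seconds() turns that format into a POSIX timestamp.
    """
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return (not_after - not_before) / SECONDS_PER_DAY


def apple_status(cert):
    """Classify one certificate against the rule quoted in the post.

    'exempt'   - issued before 2020-09-01, so the rule does not apply
    'ok'       - issued on/after the cut-off, validity <= 398 days
    'rejected' - issued on/after the cut-off, validity > 398 days; Safari
                 and other Apple TLS clients will refuse the connection
    Issuance date is approximated by notBefore (assumption: CAs backdate
    notBefore by at most a few hours, never across the cut-off).
    """
    issued = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    if issued < CUTOFF:
        return "exempt"
    return "rejected" if validity_days(cert) > MAX_VALIDITY_DAYS else "ok"


def audit(certs):
    """Audit an inventory {hostname: cert_dict}.

    Returns one row per host, rejected certificates first, so the
    remediation queue is obvious at a glance.
    """
    rows = []
    for host, cert in certs.items():
        rows.append({
            "host": host,
            "status": apple_status(cert),
            "validity_days": round(validity_days(cert)),
            "notAfter": cert["notAfter"],
        })
    order = {"rejected": 0, "ok": 1, "exempt": 2}
    return sorted(rows, key=lambda r: (order[r["status"]], r["host"]))


def fetch_cert(hostname, port=443, timeout=5.0):
    """Fetch a live host's leaf certificate in getpeercert() form.

    Network helper for real inventories; not used by the offline sample.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample inventory: hypothetical hostnames, invented dates.
SAMPLE_CERTS = {
    "shop.example.com": {       # two-year cert issued after the cut-off
        "notBefore": "Oct  1 00:00:00 2020 GMT",
        "notAfter": "Oct  1 00:00:00 2022 GMT",
    },
    "legacy.example.com": {     # two-year cert issued before the cut-off
        "notBefore": "Jun  1 00:00:00 2020 GMT",
        "notAfter": "Jun  1 00:00:00 2022 GMT",
    },
    "www.example.com": {        # 13-month cert, inside the limit
        "notBefore": "Jan  1 00:00:00 2021 GMT",
        "notAfter": "Feb  2 00:00:00 2022 GMT",
    },
}

if __name__ == "__main__":
    for row in audit(SAMPLE_CERTS):
        print(f"{row['status']:<8} {row['host']:<20} "
              f"{row['validity_days']:>4} days  expires {row['notAfter']}")
```

Two caveats when running this against a real estate: Apple's rule only covers certificates chaining to the roots preinstalled on its platforms, so certificates from an internal CA may legitimately show longer validity and should be filtered out before they clutter the report; and the CA/Browser Forum counts the validity period inclusively (from notBefore through notAfter), so treat a certificate that lands on exactly 398 days by the subtraction above as borderline rather than safe.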
Apple stated that this change was made to protect its users. The reasoning is that the longer a certificate stays valid, the longer a compromised or mis-issued key remains usable, and the longer it takes for stricter CA requirements to reach every live certificate; shorter lifetimes force operators to rotate keys and renew more often, which limits that longer-term certificate-related risk.
Recently, we have teamed up with the Entrust Datacard team to offer a 'Buy Three Years for the Price of Two' subscription model to customers who need to update their SSL certificates. This gives customers access to an automated subscription plan with unlimited server licensing and unlimited re-issues, allowing ease of compliance with Apple's new certificate validity mandate. Note that the subscription term is three years while each certificate issued under it is still capped at 398 days, so the certificate is re-issued within the term rather than being valid for the full three years.