SSL/TLS certificates enable authenticated communication between a browser and a web server while also verifying the identity of the domain that holds the certificate. Every certificate has a fixed life cycle, defined by its ‘Valid From’ and ‘Valid To’ attributes. Once the certificate expires, it can no longer be used and must be replaced or renewed.
Effective September 1, the maximum lifetime of a TLS/SSL certificate has been shortened from 825 days to 398 days or less, a change that potentially affects hackers or other individuals with malicious intentions against an organization. The change is endorsed by several CAs, including DigiCert, Atos, Buypass, GoDaddy, Entrust, and many others.
Why Shorter Certificate Validity?
The most significant advantage is that it compensates for a revocation mechanism that is “absolutely destroyed.” Often attackers obtain the private key of a website’s certificate, and in some cases someone in the business accidentally exposes the key online. Either situation is a clear argument for revocation, as is the issuing CA no longer finding the certificate trustworthy.
Secondly, more frequent renewal should encourage more organizations to automate the replacement process, which takes some initial effort but ultimately leads to fewer accidental expirations.
Why Browser Vendors Wanted Shorter TLS Certs
Apple unilaterally decided in February 2020 to enforce a shorter certificate lifetime, a move that resounded through the browser world and effectively forced the Certificate Authority industry to adopt a new default lifetime of 398 days for TLS certificates. Following Apple’s initial disclosure, Google and Mozilla announced similar intentions to enforce the same rule in their browsers.
The key reason is that misused TLS certificates often remain in circulation. If a TLS certificate has been misused for ransomware, phishing, or other malicious activity, the certificate authority should revoke it.
However, certificate revocation has been a nightmare for years: relatively few CAs revoke certificates in time, so misused certificates stay valid for years and malicious actors can use and re-use the same certificate for various operations.
If Certificate Authorities want the TLS certificates they issue after that date to be accepted by the Apple, Google, and Mozilla browsers, those certificates must not have a lifetime longer than 398 days. Otherwise, when you install such a certificate on your servers, visitors or clients may receive an error stating that the website is not safe and that an error occurred while trying to access it, much like the warning shown when you try to reach a domain with a self-signed certificate or with a mismatched name in it.
Website owners must renew TLS certificates annually instead of every two years.
End-users may see more HTTPS errors in their browsers.
The reduced lifetime of TLS certificates will raise operating overhead, as website operators will need to keep a closer eye on expiration dates now that certificates expire more often. At the same time, shorter lifetimes strengthen the security of the environment and guard against bad actors.
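As an added example (not code from the article), the following Python script checks the two things the article asks operators to watch: whether a certificate's ‘Valid From’/‘Valid To’ window fits inside the 398-day cap, and how close it is to expiry. It uses only the standard library: `ssl.cert_time_to_seconds` parses the `Sep  1 00:00:00 2020 GMT` date form that OpenSSL prints and that `ssl.SSLSocket.getpeercert()` returns. The sample certificate dicts, the 30-day renewal warning threshold, and the reference date are constructed assumptions for the example; `fetch_peer_cert` shows how a real dict would be obtained from a live server but is not called on import.

```python
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional

# Maximum lifetime accepted by Apple, Google and Mozilla for certificates
# issued on or after 1 September 2020 (figure from the article).
MAX_LIFETIME_DAYS = 398
# Previous cap, kept so older certificates can be classified.
LEGACY_MAX_LIFETIME_DAYS = 825
# Renewal warning threshold: an assumption of this example, not from the article.
RENEW_WARNING_DAYS = 30


def parse_cert_time(value: str) -> datetime:
    """Parse the 'Sep  1 00:00:00 2020 GMT' form printed by OpenSSL and returned
    by ssl.SSLSocket.getpeercert() into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def assess_validity(cert: dict, now: Optional[datetime] = None) -> dict:
    """Evaluate a certificate's validity window.

    `cert` is a dict with 'notBefore' and 'notAfter' keys in getpeercert() format.
    Lifetime is measured as notAfter minus notBefore in whole days; this is a
    simplification chosen for the example.
    """
    now = now or datetime.now(timezone.utc)
    not_before = parse_cert_time(cert["notBefore"])
    not_after = parse_cert_time(cert["notAfter"])
    lifetime_days = (not_after - not_before).days
    days_remaining = (not_after - now).days

    if lifetime_days > LEGACY_MAX_LIFETIME_DAYS:
        lifetime_status = "exceeds even the old 825-day cap"
    elif lifetime_days > MAX_LIFETIME_DAYS:
        lifetime_status = "exceeds 398-day cap; browsers reject it if issued on/after 2020-09-01"
    else:
        lifetime_status = "within 398-day cap"

    return {
        "subject": cert.get("subject"),
        "lifetime_days": lifetime_days,
        "lifetime_status": lifetime_status,
        "exceeds_max_lifetime": lifetime_days > MAX_LIFETIME_DAYS,
        "days_remaining": days_remaining,
        "expired": now >= not_after,
        "not_yet_valid": now < not_before,
        "renew_soon": 0 <= days_remaining < RENEW_WARNING_DAYS,
    }


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Retrieve the leaf certificate a live server presents, in the same dict
    format as the samples below (needs network access; not called on import)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() format (not real certificates).
SAMPLE_CERTS = {
    "compliant": {"subject": ((("commonName", "www.example.test"),),),
                  "notBefore": "Sep  1 00:00:00 2020 GMT",
                  "notAfter": "Oct  4 00:00:00 2021 GMT"},    # 398 days
    "legacy": {"subject": ((("commonName", "legacy.example.test"),),),
               "notBefore": "Sep  1 00:00:00 2020 GMT",
               "notAfter": "Dec  5 00:00:00 2022 GMT"},       # 825 days, the old cap
    "expired": {"subject": ((("commonName", "old.example.test"),),),
                "notBefore": "Jul  1 00:00:00 2020 GMT",
                "notAfter": "Aug  1 00:00:00 2021 GMT"},      # 396 days, already expired
}
# Fixed reference date so the report is reproducible (an assumption of the example).
REFERENCE_NOW = datetime(2021, 9, 10, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, cert in SAMPLE_CERTS.items():
        report = assess_validity(cert, REFERENCE_NOW)
        print(f"{name:>9}: {report['lifetime_days']} days, {report['lifetime_status']}, "
              f"{report['days_remaining']} days remaining, expired={report['expired']}, "
              f"renew_soon={report['renew_soon']}")
```

To audit a live host, replace the sample with `assess_validity(fetch_peer_cert("www.example.test"))`; the same function then reports whether the deployed certificate would trip the 398-day rule and how many days are left before the expiry warnings described above start appearing in browsers.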