Reducing SSL/TLS Certificate Lifespan to 398 Days

Tamthing Shimray

Last updated on: October 13, 2020

Update October 13, 2020: Starting with SSL Labs version 2.1.8, a ‘T’ grade is applied to servers with certificates that are valid for more than 398 days and were issued on or after September 1, 2020. This change was deployed to dev.ssllabs.com on October 7, 2020 and www.ssllabs.com on October 13, 2020.

In addition, we have changed the color scheme of the summary message to indicate visually that it is no longer a warning.

Update September 8, 2020: As indicated in the last paragraph below, SSL Labs now shows a warning message in the summary of the server scan results for servers with certificates that are valid for more than 398 days and were issued on or after September 1, 2020.

Original Post: Qualys SSL Labs is making grading changes in support of reducing SSL/TLS certificate lifespan to 398 days, in keeping with evolving industry practice.

The push to limit certificate lifespan to 398 days from the current 825 days has been under way for quite some time now. The CA/Browser Forum has been engaging in discussions with major certificate consumers, leading the charge and proposing a reduction in the maximum validity period of certificates. The CA/Browser Forum succinctly describes the benefits of a reduced certificate lifetime, and its implementation is expected to address many of the issues associated with a long certificate lifetime. The proposal was earlier put to a vote, but the majority of the Certificate Authorities voted against it, while the certificate consumers that participated in the voting supported reducing the certificate lifetime.

In the months following the failed ballot, first Apple, then Google, and later Mozilla decided to limit the lifetime of certificates to 398 days starting September 1, 2020. Server certificates issued on or after September 1, 2020 must not have a validity period exceeding 398 days. Certificates that do not comply with this requirement will not work and may cause web browsers to render incorrectly or fail to load. We expect more browsers and applications to take a similar stance sooner rather than later.

How does this affect browser users? 

Chrome, Safari and Firefox account for more than 80 percent of browser usage, which makes this move by these vendors very significant for users on the internet. Users of sites whose certificates are distrusted by these browsers under this enforcement are likely to be impacted profoundly. In addition, Apple would enforce the same rule on certificates chaining to the Root CAs pre-installed with iOS, iPadOS, watchOS and tvOS devices. This is why it has become important for servers to limit their certificates' validity to 398 days. It also puts the onus on the Certificate Authorities to limit the validity of the certificates that they issue.

What changes to expect from SSL Labs scan results? 

As part of our effort to raise awareness of these developments and minimize the impact of these imminent changes, SSL Labs will show a warning message in the summary of the server scan results for servers with certificates that are valid for more than 398 days and were issued on or after September 1, 2020. Later, around October 1, 2020, SSL Labs will start giving a T Grade for the same condition. During the initial 30 days, we expect the operators of affected servers to take the necessary mitigation steps so that they don’t get a T Grade starting October 1, 2020.
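The condition described above can be checked against your own certificate inventory before a scanner or browser flags it. The following is an added example, not SSL Labs code: it assumes the cutoff is 00:00:00 UTC on September 1, 2020, treats `notBefore` as the issue date, counts a day as 86,400 seconds, and does not distinguish publicly trusted CAs from private ones; the host names and dates in `SAMPLE` are constructed.

```python
import socket
import ssl

MAX_SECONDS = 398 * 86_400  # 398 days, counting a day as 86,400 seconds
# Assumption: "September 1, 2020" is taken as 00:00:00 UTC on that date.
CUTOFF = ssl.cert_time_to_seconds("Sep  1 00:00:00 2020 GMT")


def check_lifespan(cert):
    """Evaluate one certificate dict (ssl.SSLSocket.getpeercert() shape)."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    if end <= start:
        raise ValueError("notAfter must be later than notBefore")
    in_scope = start >= CUTOFF  # assumption: notBefore stands in for the issue date
    too_long = (end - start) > MAX_SECONDS
    return {"days": (end - start) / 86_400,
            "in_scope": in_scope,
            "violation": in_scope and too_long}


def audit(inventory):
    """Return the sorted names whose certificates break the 398-day rule."""
    return sorted(n for n, c in inventory.items() if check_lifespan(c)["violation"])


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch a live server's leaf certificate (needs network; chain must validate)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample inventory; host names and dates are placeholders.
SAMPLE = {
    # 825 days, but issued before the cutoff: out of scope.
    "legacy.example": {"notBefore": "Aug 31 23:59:59 2020 GMT",
                       "notAfter": "Dec  4 23:59:59 2022 GMT"},
    # Exactly 398 days: allowed.
    "boundary.example": {"notBefore": "Sep  1 00:00:00 2020 GMT",
                         "notAfter": "Oct  4 00:00:00 2021 GMT"},
    # One second past 398 days: flagged.
    "plus-one-second.example": {"notBefore": "Sep  1 00:00:00 2020 GMT",
                                "notAfter": "Oct  4 00:00:01 2021 GMT"},
    # Two-year certificate issued on the cutoff date: flagged.
    "long.example": {"notBefore": "Sep  1 00:00:00 2020 GMT",
                     "notAfter": "Sep  1 00:00:00 2022 GMT"},
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

To check a live server instead of the sample data, pass the result of `fetch_cert("your.host.name")` to `check_lifespan`.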

Below, we show a sample summary message for this SSL Labs scan result.

 


Comments


  1. Apple/Google ONLY “Enforced” for Public Trust CA’s Issued Certificates, NOT for ANY Internal/Private Trust CA!
    Apple This change will NOT affect certificates issued from user-added or administrator-added Root CAs.
    Google This will ONLY apply to TLS server certificates from CAs that are trusted in a default installation of Google Chrome, commonly known as “publicly trusted CAs”, and will NOT apply to locally-operated CAs that have been manually configured.
    Please update this Article with the SAME!