As of tomorrow, all TLS and SSL certificates (opens in new tab) will be valid for a maximum of 397 days (13 months), down from two years.
From September 1 onwards, all major browser and OS developers (Microsoft, Apple, Google, etc.) will consider two-year TLS/SSL certificates invalid, according to a Bleeping Computer (opens in new tab) report.
In short, this means if you still want to a certificate valid for two years, you had better purchase one today. Anyone that currently holds a TLS or SSL certificate valid for longer than 13 months need not worry – they will remain valid until their previously established expiry date.
Security professionals and browser developers have been advocating for a shorter lifespan for these certificates for a number of reasons, including greater security and the ability to ensure unauthorized users are not able to use them for too long.
The shorter certificate lifespace will also make for easier changes when security researchers find vulnerabilities in encryption algorithms and will prevent hosting providers or third parties from using a certificate long after a domain becomes inactive.
Despite resistance from certificate authorities (opens in new tab), Apple decided to proceed with the changes regardless - and Google and Mozilla quickly followed. As a result, certificate authorities were forced to agree and cut the best before date by almost half.
- Free HTTPS certificates for everyone (opens in new tab)