Google has been promoting shorter certificate validity within the CA/Browser Forum for years. Its efforts to set a one-year maximum validity through that body, which is what sets industry standards, failed because a majority of members voted against it. Google has now decided to move forward with the restriction unilaterally, joining the decision Apple adopted months earlier, also in an untimely manner.
On June 11, Dean Coclin, emeritus president of the CA/Browser Forum, announced on Twitter that Google will follow Apple's stance in limiting public SSL / TLS certificates starting September 1.
So, what does this really mean for you as a website owner or administrator?
For most people, the restriction that Google will impose doesn't really change anything. Google's announcement is more formal than anything else: when we reported in February on Apple's announcement of a one-year validity limit for certificates, we assumed that other browsers would follow suit.
Apple's announcement last February forced recognized Certificate Authorities to decide not to issue certificates with validity periods longer than 398 days starting September 1, so that Internet users would not run into problems while browsing. Chrome's decision changes nothing beyond what has already been adopted.
The underlying idea in requiring certificates to have a maximum duration of one year is that a shorter useful life and, therefore, more frequent issuance increase security levels.
How one-year validity affects website administrators
Moving from two years of certificate validity to one year means that the lifecycle is essentially cut in half. You will have to be more vigilant than ever about expiration dates, and security must be given higher priority.
If you are the site administrator or owner, this change means you will have a bit more work in terms of managing your certificates. The upside is greater security, because:
- Your certificate keys will be rotated more frequently.
- Your certificates will have more current information.
- You don't have to worry as much about technology changes, for example, the algorithms in use becoming obsolete midway through the cycle without you finding out, which would make your certificates no longer valid.
This also serves as an important reminder for site administrators: if you want to continue taking advantage of certificates with two-year validity, you should purchase your certificates now so that, barring any revocation, Safari and Chrome will trust them for the next two years. If you choose to wait to purchase your certificates until September 1 or later, you will only be able to request the issuance of certificates with one-year validity.
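The rule described above can be checked against a certificate inventory. The following is an added example, not code from any browser or CA: it flags certificates issued on or after September 1, 2020 whose lifetime exceeds 398 days and warns when expiry is near. The host names, the sample dates, the 30-day warning window, the 00:00 UTC cutoff time and measuring lifetime as notAfter minus notBefore are all assumptions.

```python
import ssl
from datetime import datetime, timezone

MAX_DAYS = 398                                       # limit stated in the article
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)   # assumption: 00:00 UTC

def _ts(cert_time):
    """Parse a getpeercert()-style time such as 'Sep  2 00:00:00 2020 GMT'."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)

def audit(cert, now, warn_days=30):
    """Classify one certificate dict shaped like ssl.SSLSocket.getpeercert()."""
    not_before, not_after = _ts(cert["notBefore"]), _ts(cert["notAfter"])
    lifetime = (not_after - not_before).total_seconds() / 86400
    days_left = (not_after - now).total_seconds() / 86400
    if days_left < 0:
        status = "expired"
    elif not_before >= CUTOFF and lifetime > MAX_DAYS:
        status = "over-limit"    # issued after the cutoff, lifetime above 398 days
    elif days_left <= warn_days:
        status = "renew-soon"    # shorter lifecycle means renewals come up faster
    else:
        status = "ok"            # includes two-year certificates issued before the cutoff
    return {"status": status, "lifetime_days": round(lifetime, 1),
            "days_left": int(days_left)}

# Constructed sample inventory (hypothetical hosts and dates, not real certificates).
SAMPLE = {
    "legacy.example": {"notBefore": "Aug 15 00:00:00 2020 GMT",
                       "notAfter": "Aug 15 00:00:00 2022 GMT"},
    "new.example":    {"notBefore": "Sep  2 00:00:00 2020 GMT",
                       "notAfter": "Oct  5 00:00:00 2021 GMT"},
    "long.example":   {"notBefore": "Sep  2 00:00:00 2020 GMT",
                       "notAfter": "Sep  2 00:00:00 2022 GMT"},
    "due.example":    {"notBefore": "Jun  1 00:00:00 2020 GMT",
                       "notAfter": "Jun 20 00:00:00 2021 GMT"},
}
NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)      # fixed "today" for the sample

def report(inventory, now):
    """Return {host: audit result} for every certificate in the inventory."""
    return {host: audit(cert, now) for host, cert in inventory.items()}

if __name__ == "__main__":
    for host, result in report(SAMPLE, NOW).items():
        print(f"{host:16} {result}")
```

To audit a live site, pass the dictionary returned by `ssl.SSLSocket.getpeercert()` on a verified connection to `audit()` together with the current UTC time.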
Google's latest announcement, although it sounds important, is just one more step toward the inevitability of one-year validity for SSL / TLS certificates. As of September 1, 2020, public SSL / TLS certificates will only be issued with a one-year validity period, despite the fact that this was not the consensus among the members of the CA/Browser Forum.