SSL or Transport Layer Security (TLS) certificates are commonly used to securely encrypt information sent from a hosting web server to a user’s web browser window. TLS certificates are used by many online businesses such as Google, Amazon, and other websites which deal with sensitive and personal data.
Users can verify they have navigated to a secure website by looking for the secure padlock icon in their browser address bar.
This icon helps reassure the user identity of the website has been validated by a third-party, and that information and transaction interactions are being secured from the web server to the end user’s web browser.
Certificate Validity Period Change
In an effort to cycle out certificates that are being used to perpetuate malware, phishing, or other malicious operations, the major web browser manufacturers have decided to reduce the web browser’s TLS certificate validity period check time frame down to 398 days (slightly more than one calendar year). This change will take effect for new certificates issued by a Certificate Authority (CA) after September 1, 2020.
Starting September 1, 2020, users will get a warning in their web browser the website may not be trustworthy and a recommendation the user should navigate away from the site if a security certificate was issued for a validity period longer than 398 days.
Certificates issued prior to September 1, 2020 with a longer time period will not show this error – only new TLS certificates issued after this date.
Why Is This Changing?
By rotating certificates more frequently, it is more likely that any malware, phishing and/or website hijacking attempts will be identified sooner.
The length of a certificate validity period has been an on-going security topic with the web browser manufacturers and the CA community for many years. The primary drivers behind this change are the major web browser vendors (Apple, Microsoft and Google). To avoid confusion for users, the CA’s have opted to align their practices with this new stance.
According to the global statistics collected by W3 Counter in July 2020, Google Chrome alone accounted for 61 percent of traffic while Apple, Google and Mozilla combined account for 82 percent of the current browser market:
Web browser market share from W3 Counter
How Does This Change Impact Me?
The major area impacted by this change will be your certificate maintenance processes. This change impacts any application that uses certificates to securely encrypt data.
- Public websites using a CA-issued certificate
- Self-signed certificates used by non-production/testing applications
- Other direct secure server-to-server communications protocols (ie – SLDAP)
Certificate Management Process Changes
| Current | Post September 1, 2020 Changes | |
| Certificate Validity | 2 or more years | 1 year/398 days |
| Certificate Renewal | Staggered certificate renewal | Yearly renewal |
| Application Keystore | Updated when certificates expire | Yearly update |
Recommendations
- Review and inventory your current list of applications and websites using TLS certificates and their expiration dates, to prevent last-minute service issues or website downtime
- Investigate the option of using a central network appliance such as a load balancer to host your certificates vs. deploying them on individual web servers
- Investigate the option of using a wildcard certificate for your websites vs. individual server-hosted certificates
To learn more about how SIG can assist in managing TLS certificates as part of your IT infrastructure, contact us to learn more.