The maximum life-time of Entrust public certificates will be reduced to 398 days because Apple will change the policy in the Safari browser

Apple informed in the CA/Browser Forum meeting held in Bratislava on week 8 that starting from 1.9.2020 the Safari browser will accept only new SSL certificates which are valid at most for 398 days. There will be a warning if the life-time exceeds this value. Certificates created before 1.9.2020 may have also longer life-times (e.g. 2 years). As a result also Entrust Datacard has announced that in the future the maximum life-time of Entrust certificates will be reduced to 398 days. We will inform our customers when this change is official.

In the background there is the Ballot SC22 which was made by the browser vendors in the CA/Browser Forum in September 2019 and which proposed that the maximum life-time of all public SSL certificates should be reduced to one year (+ 1 month). The certificate vendors (CAs) made questionnaires and got responses from some 3800 customers. Over 80% of the customers stated that the added security does not justify the additional work needed in the certificate management. So the Ballot was rejected by the CA/Browser Forum.

This unilateral announcement by Apple probably does the same as Ballot SC22 would have done. Apple has not yet released the official Knowledge Base article but when it is release, the effect is powerful. Typically everybody wants to have a web site also visible in Safari without warnings so it is best to keep the life-time max at 398 days. Entrust has therefore also responded quickly.

Effects to our customers

This change does not have effect to those of our customers, who have already now created SSL certificates with life-time of one year. For those customers who have used the maximum life-time of two years for certificates this change will probably cause more work with certificate management.

Entrust has lately implemented to the ECS portal (Entrust Certificate Services) many new tools for automating certificate management. We will help gladly our customers to start using them. At the moment there are for example the following possibilies:

  • Support for ACME protocol in the ECS portal
  • REST API interface in the ECS portal
  • Ansible module for automating certificate management
  • Entrust Turbo installation method (for IIS environments)

However it is not possible to automate all certificate management. Wesentra has extensive experience in managing certificates with the ECS portal and according to the best practices. We are happy to share this experience and help our customers.

Our customers using duplicate certificates – please note

Many of our customers are using free-of-charge duplicates of wildcard and multi-domain certificates to reduce the costs of having the same certificate on multiple servers in a secure way. Here is a scenario of a situation which the Apple policy change may cause:

  1. A wildcard certificate has been made so that it expires on 30.12.2021.
  2. Duplicates of this certificate have been made to several servers
  3. All of these are ok also for Safari, as they have been made before 1.9.2020
  4. A need arises to create a new duplicate after 1.9.2020
  5. Safari will not accept this duplicate because it has been made after 1.9.2020 and its life-time is more than 389 days

If you have this situation, please contact us: support(at)wesentra.com

More info: https://www.wesentra.com or info(at)wesentra.com

Leave a Reply