Sysadmins rage over Apple’s ‘nightmarish’ SSL/TLS cert lifespan cuts plot
Max validity down from 398 days to proposed 45 by 2027
Apple wants to shorten SSL/TLS security certificates' lifespans, down from 398 days now to just 45 days by 2027, and sysadmins have some very strong feelings about this "nightmarish" plan.
As one of the hundreds that took to Reddit to lament the proposal said: "This will suck. My least favorite vendor manages something like 10 websites for us, and we have to provide the certs manually every time. Between live and test this is gonna suck."
The Apple proposal, a draft ballot measure that will likely go up for a vote among Certification Authority Browser Forum (CA/B Forum) members in the upcoming months, was unveiled by the iThings maker during the Forum's fall meeting.
Essentially, if the measure is approved by the browser makers and certificate issuers, new TLS certs – needed for things like HTTPS connections to websites – will need to be replaced more often by site owners for web browsers to trust them.
This follows a similar push by Google, which wants to reduce the maximum TLS server authentication subscriber certificate validity to 90 days.
Max lifespans of certs have been gradually decreasing over the years in an ongoing effort to boost, it's argued, internet security. Prior to 2011, they could last up to about eight years. As of 2020, it's about 13 months.
Apple's proposal, if accepted, would shorten the max certificate lifespan to 200 days after September 2025, then down to 100 days a year later and 45 days after April 2027. The ballot measure also shortens how long a domain control validation (DCV) result may be reused, phasing that down to 10 days after September 2027.
And while it's generally agreed that shorter lifespans improve internet security overall — longer certificate terms mean criminals have more time to exploit compromised website certificates — the burden of managing these more frequent renewals will fall squarely on the shoulders of website and systems administrators.
Over the past couple of days, these unsung heroes who keep the internet up and running flocked to Reddit to bemoan their soon-to-be increasing workload. As one noted, the proposal "may not pass the CABF ballot, but then Google or Apple will just make it policy anyway…"
Google is known for the widely used Chrome browser and Chromium, and Apple for Safari and WebKit.
Even certificate provider Sectigo, which sponsored the Apple proposal, admitted that the shortened lifespans "will no doubt prove a headache for busy IT security teams, juggling with lots of certificates expiring at different times."
The solution, according to Sectigo's Chief Compliance Officer Tim Callan, is to automate certificate management — unsurprising considering the firm sells software that does just this. "Automated certificate lifecycle management is going to be the norm for businesses moving forward," Callan told The Register.
However, as another sysadmin pointed out, automation isn't always the answer. "I've got network appliances that require SSL certs and can't be automated," they wrote. "Some of them work with systems that only support public CAs."
Another added: "This is somewhat nightmarish. I have about 20 appliance-like services that have no support for automation. Almost everything in my environment is automated to the extent that is practical. SSL renewal is the lone Achilles heel that I have to deal with once every 365 days."
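To make the schedule above and its effect on a manually renewed appliance cert concrete, here is an added example (not from the article or any vendor) that encodes the proposed maximum lifespans as a lookup and walks a replacement calendar through the 398/200/100/45-day transitions. The article names only months for the cut-overs, so the day-of-month values are assumptions, as is the seven-day renewal lead time.

```python
from datetime import date, timedelta

# Proposed maximum validity in days by issuance date, per the article:
# 398 today, 200 after September 2025, 100 a year later, 45 after April 2027.
# The article gives only months; the day-of-month cut-overs below are assumptions.
VALIDITY_SCHEDULE = [
    (date(2027, 4, 15), 45),
    (date(2026, 9, 15), 100),
    (date(2025, 9, 15), 200),
    (date.min, 398),
]


def max_validity_days(issued: date) -> int:
    """Maximum lifetime allowed for a certificate issued on `issued`."""
    for cutover, days in VALIDITY_SCHEDULE:  # newest rule first
        if issued >= cutover:
            return days
    raise AssertionError("date.min entry always matches")


def check_cert(not_before: date, not_after: date, today: date) -> dict:
    """Compare a cert's actual lifetime with the limit in force when it was issued."""
    lifetime = (not_after - not_before).days
    allowed = max_validity_days(not_before)
    return {
        "lifetime_days": lifetime,
        "allowed_days": allowed,
        "compliant": lifetime <= allowed,
        "days_left": (not_after - today).days,
    }


def renewal_plan(first_issue: date, horizon: date, lead_days: int = 7) -> list:
    """Dates a replacement must be installed, assuming each cert is issued with the
    maximum validity allowed on its issue date and replaced `lead_days` early."""
    plan, issued = [], first_issue
    while True:
        expires = issued + timedelta(days=max_validity_days(issued))
        renew_on = expires - timedelta(days=lead_days)
        if renew_on > horizon:
            return plan
        plan.append(renew_on)
        issued = renew_on  # the replacement's validity follows the rule on that date


if __name__ == "__main__":
    # Constructed example: one manually managed appliance cert, issued mid-2025.
    for d in renewal_plan(date(2025, 6, 1), date(2027, 12, 31)):
        print(d, "-> next cert may live", max_validity_days(d), "days")
```

Once the 45-day limit is in force, the same appliance needs a new cert roughly nine or ten times a year instead of once, which is the workload the comments above are reacting to.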
Until next year, anyway. ®