What is the Maximum Validity Period of TLS/SSL Certificates?
TLS/SSL certificates cannot be issued for more than 13 months (397 days), as announced by popular browser vendors such as Google and Apple at the CA/Browser Forum in March 2020. This reduced the maximum certificate validity period from two or three years to just over a year. From a security standpoint, a shorter certificate validity period is beneficial for two main reasons:
- Faster implementation of updates: A shorter validity period facilitates algorithm upgrades and faster certificate and key replacement, especially during malicious cyber-attacks. The less time required to deploy changes and updates, the lower the security risk. A longer certificate lifespan means updates take longer to roll out, which increases exposure to security threats; for instance, the transition from SHA-1 to SHA-2 took almost three years.
- Validating identity: The purpose of digital certificates, like TLS/SSL certificates, is to verify the identity of the website or website owner. A longer certificate lifespan means a longer interval before that identity is validated again, which increases exposure to security lapses.
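One way to check a certificate inventory against the 397-day limit described above. This is an added example, not code from the original page; the host names, dates and the `audit` and `validity_days` helpers are constructed for illustration, and the certificate dictionaries follow the shape returned by Python's `SSLSocket.getpeercert()`.

```python
import ssl
from datetime import datetime, timezone

MAX_VALIDITY_DAYS = 397   # limit stated on this page
SECONDS_PER_DAY = 86400

def validity_days(cert):
    """Lifetime in days of a cert dict shaped like SSLSocket.getpeercert()."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not_after <= not_before:
        raise ValueError("notAfter must be later than notBefore")
    return (not_after - not_before) / SECONDS_PER_DAY

def audit(inventory, now):
    """Return one finding per certificate: lifetime, policy result, time left."""
    findings = []
    for name, cert in inventory.items():
        days = validity_days(cert)
        not_after = ssl.cert_time_to_seconds(cert["notAfter"])
        left = (not_after - now.timestamp()) / SECONDS_PER_DAY
        findings.append({
            "name": name,
            "validity_days": round(days, 2),
            "over_limit": days > MAX_VALIDITY_DAYS,  # exactly 397 days passes
            "expired": left < 0,
            "days_left": int(left),
        })
    return findings

# Constructed sample inventory (hypothetical hosts and dates).
SAMPLE_INVENTORY = {
    "shop.example": {"notBefore": "Jan  1 00:00:00 2021 GMT",
                     "notAfter": "Feb  2 00:00:00 2022 GMT"},   # 397 days
    "api.example": {"notBefore": "Jan  1 00:00:00 2021 GMT",
                    "notAfter": "Feb  3 00:00:00 2022 GMT"},    # 398 days
    "legacy.example": {"notBefore": "Jan  1 00:00:00 2019 GMT",
                       "notAfter": "Jan  1 00:00:00 2021 GMT"}, # two years
}
SAMPLE_NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY, SAMPLE_NOW):
        print(finding)
```

For live endpoints, the same dictionaries can be obtained from `getpeercert()` on a socket wrapped with `ssl.create_default_context()`.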