This is the equivalent of one year, with the renewal grace period included. The reason for this change is improving web security, as Apple explained in an announcement released earlier this year.
Table of Contents [hide]
Who is affected by Apple’s change of certificate validity?
TLS server certificates issued by the Root CAs (certificate authorities) preinstalled with iOS, iPadOS, macOS, tvOS, and watchOS. In addition, this change regards TLS server certificates issues on September 1, or after this date, 2020. Certificates issued before this dare are not affected.
Since Apple is enforcing this immediately, any connections to TLS servers that don’t meet the new requirements will be denied. Furthermore, Apple is not the only company embracing such a change. Google and Mozilla followed with their own suggestions of the same length of certificate validity.
Also Read Setup and Install an SSL Certificate The Easy Way
Here are several important notes that Apple shared in the announcement earlier this year:
– Validity period is defined in line with RFC 5280, Section 220.127.116.11, as “the period of time from notBefore through notAfter, inclusive.”
– 398 days is measured with a day being equal to 86,400 seconds. Any time greater than this indicates an additional day of validity.
– We recommend that certificates be issued with a maximum validity of 397 days.
– This change will not affect certificates issued from user-added or administrator-added Root CAs.
Why are companies enforcing this change concerning the life cycle of certificates? One reason is the safety of their users. It can be quite challenging to replace certificates with longer lifespan, especially when facing security incidents. T
his may be considered an effort in avoiding the prolonged response to security threats. In addition, certificates with shorter lifespan can reduce the window of exposure in case a TLS certificate is compromised in any way.