SSL certificates are changing - here's what you need to know

1st September 2020…

Whether you run a single website or you’re a developer of multiple sites, you might want to lightly pencil this date into your diary.

Why?

It’s the date that some notable changes are being rolled out to SSL certificates across the entire industry.

Some of the world’s leading browser developers – including Apple, Google and Mozilla – have announced that from 1st September, they will no longer trust any newly-issued SSL certificates that have a lifespan of more than 398 days.

In this blog, we’ll look at these changes in more detail and outline how tsoHost plans to adapt to them.

What do the changes mean?

Essentially, if you add an SSL certificate to your site that has a lifespan of longer than 398 days after 1st September 2020, major browsers will tell visitors to your site that it’s not safe to browse there.

Google Chrome will display a ‘your connection is not private warning’.

Mozilla will show a ‘Warning: Potential Risk Ahead’ sign.

And Apple Safari will display a ‘This connection is not private’ alert.

What are the reasons for the changes?

One major factor underlies these changes to SSL lifespans and that’s security.

Mozilla has described two particular ways the move to limit lifespans should contribute to improved security. These are:

Promotion of crypto agility: Mozilla said: “Certificates with lifetimes longer than 398 days delay responding to major incidents and upgrading to more secure technology.”

Limitation of exposure to compromise: Mozilla said: “Keys valid for longer than one year have greater exposure to compromise, and a compromised key could enable an attacker to intercept secure communications and/or impersonate a website until the TLS certificate expires.”

For a full list of arguments and reasons for limiting the lifetime of SSL certificates, you can visit the CA/B website.

If you’ve never heard of it before, CA/B is the volunteer organisation that has been agreeing the rules on how TLS certificates are issued, managed, and validated since 2005.

How is tsoHost planning to adapt to the changes?

From 31st July, tsoHost will stop selling two-year SSL certificates to customers.

We’ve made the decision to stop selling these certificates earlier than the deadline imposed by the browser developers, to ensure the change goes as smoothly as possible.

See below for more details.

What do the changes mean for existing tsoHost customers?

If you bought a new two-year SSL certificate or renewed an existing one before 31st July

The browsers will recognise that you bought your SSL/s before they implemented their changes and your certificate will continue to work as usual until it expires.

IMPORTANT: you must validate and issue your SSL with our Certificate Authority before August 31st for the above to apply. If you have not completed these steps, and you need to (re)issue the certificate after the deadline, only one-year certificates will be available.

If your existing two-year SSL certificate is due for renewal after 31st July

Unfortunately, we won’t be able to renew your certificate for two years. Instead we will renew it for one year.

Wider reading

To read deeper into the subject of SSL lifespans, take a look at the following articles...

Reducing TLS certificate lifespans to 398 days, by Mozilla.

About upcoming limits on trusted certificates, by Apple