Back in February of this year, Apple announced that as of September 1, 2020, its Safari browser will no longer trust newly registered SSL certificates with validity periods of two years. Two-year certificates registered up until August 31, 2020, will be trusted, but those registered on or after September 1, 2020, will not. To prevent incompatibility with specific browsers, OpenSRS will implement a one-year max on SSL certificates in our system, as of August 15, 2020. Below we provide a bit of background information behind this change and, most importantly, outline what it means for OpenSRS resellers.
Why are SSL/TLS validity periods being reduced to 1 year?
In the lead up to this change, there’d been for years an ongoing discussion in the Certificate Authority/Browser community around validity periods. On the one hand, shorter validity periods improve security by reducing the window of exposure if a certificate is compromised, and ensuring certificate holders are regularly updating their information (company name, address, active domains, etc). On the other hand, shorter validity periods mean more work for certificate users.
Just a few years ago, the maximum validity period was reduced from three years to two. Back in August of 2019, ballot SC22, which proposed a further reduction to one year, failed to pass at the CA/Browser Forum (the industry’s self-governing body). Apple then made the independent decision to enforce this new maximum as part of their “ongoing efforts to improve web security” for Safari users. And when one of the major browsers imposes a change, the industry accommodates.
How will this change SSL/TLS registrations on OpenSRS?
As of August 15 OpenSRS will only offer one-year validity periods for all our SSL certificates. Here’s what this will look like:
- As of August 15, the Reseller Control Panel will only provide the option to register certificates for one year
- As of August 15, all API requests to register (sw_register) or update an SSL order (update_order) must be submitted with a period value of 1, or without any period value. Submitting a period value other than 1 will generate an error.
Engaging with your customers
While this change may create a bit more work for website admins, it also creates a great opportunity for you to reach out to your customers and sync up about their SSL and security needs. Some may want to take advantage of the current two-year period and repurchase their certificates prior to August 15.