Starting on September 1st, Apple’s Safari browser will not trust SSL certificates issued for longer than a one-year period. What does this mean for website owners and what actions should be undertaken?
The unilateral decision made by Apple will have consequences for all SSL users, which essentially means all websites. If your website still does not have SSL properly installed and configured in 2020, you should catch up immediately.
SSL certificates issued after September 1st 2020
The change applies only to SSL certificates issued starting on September 1st, 2020. If you ordered and received a certificate valid for 2 years prior to September 1st, you do not need to do anything. The certificate will function properly for its whole duration.
Does the change only apply to Apple users?
No, the change applies to everyone. The Safari browser's market share was 13% as of February 2020, which is large enough not to be ignored.
However, we expect other browsers (Chrome and Firefox) to follow. This will also mean SSL vendors will stop issuing SSL certificates for longer periods.
SSL certificates valid for multiple years
Not so long ago, SSL certificates were being issued for as many as 5 years. This was very convenient for website owners, but it posed serious threats not only to a particular website but to the SSL ecosystem overall.
We remind you that renewal of an SSL certificate essentially means issuing a completely new certificate which must be installed on the server that hosts your website or application. This requires manual action or reaching out to customer support of your hosting company.
Given steadily growing computing power, cryptographic algorithms used in the past no longer provide the required level of security. The SHA-1 hash algorithm had to be replaced with the much newer and harder-to-break SHA-256.
This is another reason SSL vendors disappeared from the market. An example is Symantec, which was acquired and replaced by DigiCert in 2018.
As a consequence, previously issued certificates had to be replaced with new ones in order to maintain a high level of security and the reputation of the SSL ecosystem as a whole.
The faster turnover of SSL certificates that results from shorter validity periods reduces the number of less secure certificates still in use. It also encourages more frequent key generation.
Certificates valid for 4 and 5 years stopped being issued in 2015. In 2018, the last certificates valid for 3 years were issued. Up until now, 2-year certificates have been common.
From September 2020, SSL certificates will be issued for a maximum period of 398 days. This is longer than exactly one year because it may include an additional grace period for renewals. You can apply for a new certificate while the old one is still valid. This is especially important for OV and EV certificates, as they are not issued instantly. If your SSL certificate is about to expire, you should take action ahead of time. Even a short period of website unavailability caused by a non-working SSL certificate could mean a huge loss of profits.
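The rule described above can be checked against your own certificates. The following Python code is an added example, not part of the original article or any Dotinum tooling: it reads the two date lines printed by `openssl x509 -noout -dates` and reports whether the certificate falls under the new limit and how many days remain for renewal. The sample dates are constructed, and the cutoff is assumed to be midnight UTC on September 1st, 2020.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Policy values from the article: certificates issued from September 1st, 2020
# may be valid for at most 398 days. Midnight UTC is an assumption made here.
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)
MAX_VALIDITY = timedelta(days=398)


def parse_dates(openssl_output):
    """Parse the notBefore=/notAfter= lines of `openssl x509 -noout -dates`."""
    fields = {}
    for line in openssl_output.strip().splitlines():
        key, _, value = line.partition("=")
        # ssl.cert_time_to_seconds parses OpenSSL's "Sep  1 00:00:00 2020 GMT".
        seconds = ssl.cert_time_to_seconds(value.strip())
        fields[key.strip()] = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return fields["notBefore"], fields["notAfter"]


def check(openssl_output, now):
    """Return (accepted, validity_days, days_left) for one certificate."""
    not_before, not_after = parse_dates(openssl_output)
    # Both endpoints count as valid (RFC 5280), hence the extra second.
    validity = not_after - not_before + timedelta(seconds=1)
    # Certificates issued before the cutoff keep working for their whole term.
    accepted = not_before < CUTOFF or validity <= MAX_VALIDITY
    return accepted, validity.days, (not_after - now).days


# Constructed sample inputs (not taken from real certificates).
SAMPLES = {
    "2-year, issued before cutoff":
        "notBefore=Aug 15 12:00:00 2020 GMT\nnotAfter=Aug 15 12:00:00 2022 GMT",
    "2-year, issued after cutoff":
        "notBefore=Sep  2 12:00:00 2020 GMT\nnotAfter=Sep  2 12:00:00 2022 GMT",
    "398-day, issued at cutoff":
        "notBefore=Sep  1 00:00:00 2020 GMT\nnotAfter=Oct  3 23:59:59 2021 GMT",
}

if __name__ == "__main__":
    now = datetime(2021, 9, 1, tzinfo=timezone.utc)  # fixed for repeatable output
    for label, dates in SAMPLES.items():
        accepted, validity_days, days_left = check(dates, now)
        verdict = "accepted" if accepted else "REJECTED"
        print(f"{label}: {verdict}, {validity_days} days valid, {days_left} days left")
```

In practice, pass the current time as `now` and alert when `days_left` drops below the lead time your OV or EV renewal needs.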
Why is it important for a software house customer?
When choosing a company to develop your website, application, or an online store, you need to consider many factors.
One of them is the range of services a software house can offer, which also includes post-sales support. Can your software house guarantee that your website will work properly after deployment? What are their procedures in case something goes wrong? Do you have to contact many companies in order to find out what actually happened?
At Dotinum, we do not only develop and maintain your website or application. We are backed by a reputable domain registrar (a hosting company owning its infrastructure), as well as one of the largest SSL certificate resellers in Poland.
Therefore, we are able to offer you a “one point of contact” solution. In case anything unfortunate happens, or you simply have a question, we can provide answers. If we host or manage your server infrastructure too, it is our responsibility to find out if your inquiry relates to the server or the application.
If you have ever heard from your website creator “it is not us, please ask the hosting company”, it might be a good idea to consider a full-service provider.