At the 49th meeting of the CA/Browser Forum held in February 2020, Apple announced that it will limit the term of accepted SSL (TLS) certificates to 398 days as of September 1, 2020. Certificates issued on or after that date with a term beyond 398 days will be distrusted in Apple products and display privacy errors to end users navigating websites in the Safari web browser (see example error below).
Certificates issued prior to September 1 will have the same acceptable duration as certificates do today, which is 825 days. Existing two-year certificates will operate correctly for their full duration. No action is required for these certificates. Two-year certificates, if renewed after August 31, 2020, will need to be renewed for one year to remain trusted in the Apple platform.
For clients who have opted to provide CivicPlus with their own certificates, after August 31, 2020, provided certificates must not exceed a validity period longer than 398 days to remain in compliance with Apple certificate trust requirements.
Clients using CivicPlus-provided certificates will not have to take any action. CivicPlus automates the issuance and delivery of individual SSL certificates, each of which is currently one year in duration, to ensure certificates on websites are updated and valid. Also, keeping with security best practices as validity terms are reduced by browsers and certificate authorities, CivicPlus is committed to keeping SSL certificates in compliance with all supported browsers.
For more information on the history and benefits of this change, we recommend reading this article.
The CA/Browser Forum also lists the benefits of reduced certificate lifetimes in the proceedings of their official ballot held in September 2019.