Google and Mozilla will limit the validity of TLS certificates to 398 days

As of September 1, Google’s Chrome and Mozilla’s Firefox will no longer accept TLS certificates that are valid for more than 398 days. They follow Apple, which announced a similar decision earlier this year. Several certificate authorities are against it.

Officially, Mozilla and Google don’t seem to have announced the move to limit the maximum lifetime of supported TLS certificates to 398 days, but the change is apparent from comments on the Github site for Mozilla’s pki policies and the Chromium project, where Google’s Chrome is based on. It seems likely that Microsoft will also include the change for its Edge on Chromium browser.

Apple announced in March that from September 1, it would only support TLS certificates with a validity of up to 398 days with its Safari browser. The browsers will block certificates with longer validity periods from that date.

During the CA/Browser Forum last September, Google submitted a proposal to end support for TLS certificates with a validity period longer than 398 days. That proposal was not adopted, because nineteen certificate issuers voted against and only eleven in favour, with two abstentions. Of the ‘certificate consumers’, all seven parties voted in favour: Apple, Cisco, Google, Microsoft, Mozilla, Opera and 360. After Apple’s unilateral step, the browser makers are now getting their way in practice.

According to Google, the advantages of shorter TLS certificate lifetimes are that problems last less. The policy is that certificate authorities revoke this in case of abuse, but this procedure can sometimes take a long time. Some certificate issuers see few benefits of the measure and claim to get more work as a result.