Later this year, Safari, the well-known browser from Apple, will no longer accept HTTPS certificates with a lifetime of more than 13 months. This means that a large share of internet users will no longer be able to browse to sites that use longer-lived certificates.
It is common for domains to be registered for years at a time, and at one point it was also common for SSL certificates to be purchased for similar durations. This reduces the overhead on IT staff, who otherwise have to renew and update certificate information frequently.
More recently, with the advent of LetsEncrypt, shorter-lived certificates have become more commonplace; however, most certificate issuers do not offer a simple, automated way to renew certificates and update the servers the way LetsEncrypt does.
Shortening the lifetime of a certificate has its drawbacks, the main one being the time spent on management and renewal, but it also has advantages: replacing certificates more often means that current security practices and encryption levels are typically kept to. It also reduces the window of exposure (and risk) should a certificate be compromised.
Several large and well-known sites currently use 2-year certificates; these would all need to change to single-year ones going forward to avoid issues.
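One way to find out which of your own hosts still present certificates over the limit, as an added example that is not part of the original post: it uses only the Python standard library, takes 398 days as the cut-off (Apple's published figure for the 13-month limit mentioned above), and reads host names from the command line.

```python
import socket
import ssl

# Apple's published limit is 398 days, roughly the 13 months discussed above.
# Pass a different max_days to audit against another policy.
MAX_LIFETIME_DAYS = 398


def lifetime_days(not_before: str, not_after: str) -> int:
    """Lifetime in whole days from the notBefore/notAfter strings that
    ssl.getpeercert() returns, e.g. 'Sep 15 00:00:00 2020 GMT'."""
    start = ssl.cert_time_to_seconds(not_before)
    end = ssl.cert_time_to_seconds(not_after)
    return int((end - start) // 86400)


def check_lifetime(not_before: str, not_after: str,
                   max_days: int = MAX_LIFETIME_DAYS) -> dict:
    """Report the lifetime and whether it fits within max_days."""
    days = lifetime_days(not_before, not_after)
    return {"lifetime_days": days, "max_days": max_days,
            "compliant": days <= max_days}


def check_host(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the leaf certificate a live server presents and check it.
    Needs network access; the default context also validates the chain,
    so a host with an untrusted certificate raises ssl.SSLError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    result = check_lifetime(cert["notBefore"], cert["notAfter"])
    result["host"] = host
    result["notAfter"] = cert["notAfter"]
    return result


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        r = check_host(name)
        status = "OK" if r["compliant"] else "TOO LONG"
        print(f"{name}: {r['lifetime_days']} days, expires {r['notAfter']}: {status}")
```

Run it as `python check_cert_lifetime.py example.com other.example` (file name is an assumption) against the hosts you operate; anything reported as TOO LONG is a candidate for reissue before the cut-off.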
Is it right for browser creators to put pressure on website owners like this, making decisions about how long they can purchase certificates for?