Home > iOS, Mac administration, macOS > Apple making changes to maximum lifetime limits for SSL certificates as of September 2020

Apple making changes to maximum lifetime limits for SSL certificates as of September 2020

March 6, 2020 Leave a comment Go to comments

All SSL certificates have a set amount of time which they’re good for, which means that at some point they expire. As an example, the SSL certificate currently used by www.apple.com has the following expiration date and time:

Friday, October 23, 2020 at 8:00:00 AM Eastern Daylight Time

Screen Shot 2020 03 05 at 4 41 31 PM

As of today, March 5th 2020, the maximum lifetime for publicly trusted SSL certificates is 825 days, or roughly 27 months.

Apple has announced that, starting on September 1, 2020 at 00:00 GMT/UTC, all new SSL certificates being issued by specific Root Certificate Authorities (Root CAs) must not have a maximum lifetime longer than 398 days, or roughly 13 months, in order to be accepted as a valid certificate on Apple’s iOS, iPadOS, macOS, watchOS, and tvOS operating systems.

Screen Shot 2020 03 05 at 4 27 54 PM

What certificates are affected?

This does not affect all SSL certificates. It will affect certificates issued on or after the September 1, 2020 start date by the Root CAs which are preinstalled with Apple’s iOS, iPadOS, macOS, watchOS, and tvOS operating systems.

Since these CAs are installed along with the OS, the certificates issued by these Root CAs are trusted by Apple’s OSs without any additional work needed by the end user. These Root CAs include commercial SSL vendors like Go Daddy, DigiCert and other companies.

What certificates are not affected?

Certificates issued by the specified preinstalled Root CAs before the September 1, 2020 start date are not affected. If they have a lifespan longer than 398 days, Apple will continue to accept them as valid until their set expiration date as long as they were issued prior to September 1, 2020 at 00:00 GMT/UTC.

Certificates issued by Root CAs which do not come with the operating system are also not affected. So if your company, school or institution has their own Root CAs , SSL certificates issued by those CAs are not affected by the new maximum lifetime restriction. Those CAs can continue to issue SSL certificates with lifetimes longer than 398 days.

Note: These Root CAs are not trusted by default by Apple’s operating systems. Instead, the Root CA’s root certificate would need to be installed and set as a trusted root by either the user or a system administrator.

Does this affect anyone other than Apple?

As of now, this is a unilateral move by Apple which hasn’t been adopted by other vendors. That said, Google had proposed something similar in September 2019 so it would not be surprising to see Google also adopt this at some point.

Will this affect only web browsers?

SSL certificates are used by a variety of applications and tools to help provide secure communication, so the effects of this change will not be restricted to web browsers like Safari. Non-compliant certificates may result in network services or applications failing to work properly.

Categories: iOS, Mac administration, macOS
  1. Matt R
    March 6, 2020 at 2:39 pm
    Reply

    While this new maximum lifetime limit of 398 days will not impact certificates issued by private Root CAs, can anyone confirm if the previous maximum lifetime limit of 825 days is applied to leaf certificates issued by private Root CAs?

    We have an internal private CA, and all leaf certificates issued by our private CA currently have a 3 year validity period. Per Apple’s new requirements, any TLS server certificate issued after July 1, 2019 can only have a validity period of 825 days or fewer (https://support.apple.com/en-us/HT210176).

    I cannot find any clear answer as to if this should apply to private Root CAs or not. We are seeing some internal sites starting to get blocked on macOS Catalina devices with this longer 3 year validity period, but I was curious if anyone could confirm. Thanks.

    • John Doe
      July 8, 2020 at 12:00 pm
      Reply

      Hi Matt,

      As Der wrote, this should not affect internal root CAs.

      Best of luck with it.

      • zirouan
        August 21, 2020 at 3:12 am

        Hey, I tested this in my environment and is broken, is affecting internal CAs, all certificates are in this scope.
        Is not even Sept 1 yet!
        I had to re-issue SSL/TLS certificate with 397 days.

    • MichalM.Mac
      May 26, 2021 at 4:14 pm
      Reply

      I’ve just run into it with macOS 11.4 Big Sur.

      Since I only read https://support.apple.com/HT211025 (max lifetime: 397) which states: “This change will not affect certificates issued from user-added or administrator-added Root CAs.” I made an assumption 3 year cert would be OK. I was wrong.

      Previous change documented in https://support.apple.com/HT210176 (max lifetime: 825) seems to apply to all leaf certificates.

      Both Safari and Chrome in macOS 11.4 won’t accept the 3-year certificate signed by internal CA as secure. However they seem to accept the 2-year certificate.

  1. No trackbacks yet.

Leave a comment