System admins irate at Apple's plan for shorter cert lifespans

Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates are used to make sure that a website user's connection to a website is secure in a browser like Safari. As a form of identification for the site, it aids in a cryptographic system that protects the user's data when communicating with the site.

As it stands in October 2024, certificates have a lengthy lifespan of about 13 months. However, in a draft ballot provided by Apple to the Certification Authority Browser Forum (CA/B), it wants to shrink down the amount of time certificates will be valid.

The proposal would decrease the maximum lifespan to 200 days after September 2025, then to 100 days one year later, reports The Register. In April 2027, that period would shrink down to just 45 days.

The lifespan of the certificates has been decreasing over time anyway, going down from about eight years before 2011.

The move makes sense for security, since the shorter lifespans means that online criminals will have less time to exploit any vulnerabilities and older website certificates.

Sysadmins fight back

In responding to the proposal, administrators took to Reddit's r/sysadmin and complained about the potential changes. The comments touch upon the issues of a shorter lifespan, chiefly involving more regular updates to certificates being extra work.

With certificates being a difficult task for many, the prospect of changing them more often can be a headache. Add in the reliance on other vendors who may not be as punctual as their clients, and it can be a recipe for disaster or downtime.

While some may argue that automated updates could be the way forward, others have said that their vendors simply haven't included ways to automate the changes. Some network appliances that require SSL certs may not even be updated to be automated at all.

There is the small hope for sysadmins that the draft ballot will result in a vote against the measure by CA/B Forum members. However, as one user put it, Apple and Google could "just make it policy anyway," forcing more rapid updates.

Apple isn't the only one keen to cut the long-lasting certificates down to size. Google has previously indicated it wants to reduce the lifetime of certificates affecting browsing in Chrome.