System admins irate at Apple's plan for shorter cert lifespans
Apple has proposed shortening the validity period of the security certificates used by websites from 398 days to just 45 days, a move that system administrators have objected to publicly.
SSL/TLS helps keep websites secure for users
Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates are used to make sure that a user's connection to a website is secure in a browser like Safari. The certificate serves as a form of identification for the site and underpins the cryptographic system that protects the user's data when communicating with it.
As of October 2024, certificates have a lengthy lifespan of about 13 months. However, in a draft ballot submitted by Apple to the Certification Authority Browser Forum (CA/B Forum), it proposes shrinking the amount of time for which certificates are valid.
The proposal would decrease the maximum lifespan to 200 days after September 2025, then to 100 days one year later, reports The Register. In April 2027, that period would shrink to just 45 days.
The lifespan of certificates has been decreasing over time anyway, down from about eight years before 2011.
The move makes sense for security, since shorter lifespans mean that online criminals have less time to exploit any vulnerabilities or to misuse older website certificates.
Sysadmins fight back
In response to the proposal, administrators took to Reddit's r/sysadmin to complain about the potential changes. The comments touch on the problems of a shorter lifespan, chiefly that more regular certificate updates mean extra work.
With certificate management already a difficult task for many, the prospect of changing certificates more often can be a headache. Add in the reliance on other vendors who may not be as punctual as their clients, and it can be a recipe for disaster or downtime.
While some argue that automated updates are the way forward, others have said that their vendors simply haven't provided ways to automate the changes. Some network appliances that require SSL certificates may never be updated to support automation at all.
There is a small hope for sysadmins that the draft ballot will result in a vote against the measure by CA/B Forum members. However, as one user put it, Apple and Google could "just make it policy anyway," forcing more rapid updates.
Apple isn't the only one keen to cut the long-lasting certificates down to size. Google has previously indicated it wants to reduce the lifetime of certificates affecting browsing in Chrome.
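As an added illustration of the proposed schedule and of the renewal automation the sysadmin complaints revolve around (this is example code, not from the article or from Apple's ballot), the script below checks a certificate's validity dates, as printed by `openssl x509 -noout -dates`, against the proposed maximum lifetimes and reports when a renewal should be triggered. The exact effective dates of each step and the renew-at-two-thirds policy are assumptions, and the sample dates are constructed.

```python
from datetime import datetime, timedelta, timezone

# Maximum certificate lifetimes (days) from the draft ballot described above.
# Effective dates are ASSUMED placeholders: the article only says "after
# September 2025", "one year later" and "April 2027"; the ballot text may differ.
MAX_LIFETIME_SCHEDULE = [  # newest rule first
    (datetime(2027, 4, 1, tzinfo=timezone.utc), 45),
    (datetime(2026, 9, 1, tzinfo=timezone.utc), 100),
    (datetime(2025, 9, 1, tzinfo=timezone.utc), 200),
]
CURRENT_MAX_DAYS = 398  # the limit in force as of October 2024
OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"  # format used by `openssl x509 -noout -dates`

def parse_openssl_date(text: str) -> datetime:
    """Parse 'notAfter=Nov 22 12:00:00 2025 GMT'; the 'name=' prefix is optional."""
    value = text.split("=", 1)[-1].strip()
    return datetime.strptime(value, OPENSSL_DATE).replace(tzinfo=timezone.utc)

def max_lifetime_on(issue_date: datetime) -> int:
    """Maximum allowed lifetime (days) for a certificate issued on issue_date."""
    for effective, days in MAX_LIFETIME_SCHEDULE:
        if issue_date >= effective:
            return days
    return CURRENT_MAX_DAYS

def assess(not_before: str, not_after: str, now: datetime, renew_fraction=2 / 3) -> dict:
    """Check the lifetime against the schedule and report whether renewal is due.
    renew_fraction is an assumed operational policy (not from the article): renew once
    that share of the lifetime has elapsed, leaving headroom for a failed automation run."""
    start, end = parse_openssl_date(not_before), parse_openssl_date(not_after)
    lifetime = (end - start).days
    limit = max_lifetime_on(start)
    renew_at = start + timedelta(days=int(lifetime * renew_fraction))
    return {
        "lifetime_days": lifetime,
        "max_allowed_days": limit,
        "compliant": lifetime <= limit,
        "renew_now": now >= renew_at,
        "days_until_renewal": (renew_at - now).days,
        "expired": now >= end,
    }

if __name__ == "__main__":
    # Constructed sample: a 398-day certificate issued in October 2024, checked in January 2025.
    print(assess("notBefore=Oct 20 12:00:00 2024 GMT",
                 "notAfter=Nov 22 12:00:00 2025 GMT",
                 datetime(2025, 1, 1, tzinfo=timezone.utc)))
```

Feeding real dates from `openssl x509 -noout -dates -in cert.pem` into `assess` turns this into a simple expiry monitor; a 45-day certificate under the same two-thirds policy would have to be renewed every 30 days.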
Comments
Anyone using a modern public cloud solution (CloudFlare, AWS, etc.) to operate their web offering will not have any problems with increasing the cadence of TLS renewal and the overhead involved, because the cloud provider handles it automatically behind the scenes. So anyone complaining that it is too much work to renew more frequently has chosen not to use the available public cloud automations for this and has also chosen not to invest in an alternative or homegrown automated certificate renewal solution. Instead, they are manually renewing and loading certificates - in an age where good systems administrators do everything possible to avoid manual deployments and the potential for human error that comes with it.
On the other hand, if you need a higher level of security: Stop bitching, safety first.
So no - 12-13 months it should remain.
What changed?
Apple also is known for moving forward and not hanging onto legacy because they control the OS and the hardware and almost certainly would want to use that advantage to optimize.