Last week, at the CA/Browser Forum in Slovakia, Apple announced that, to improve security, starting September 1, 2020, any new website certificate with a validity period of more than 398 days will not be trusted by Safari and will be rejected. Older certificates issued before the deadline (September 1, 2020) are not affected by this rule.

This policy means that websites using two-year SSL/TLS certificates issued after the deadline will raise privacy errors in Apple's browser, and certificates will need to be renewed annually to keep Safari's trust. (Note: SSL/TLS certificates issued before 1 September 2020 are not affected by this policy.)
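The rule above can be checked against a certificate inventory before the deadline matters. The following is an added example, not code from Apple or from any product named on this page; the host names, dates and the 30-day renewal threshold are constructed, and `notBefore` is assumed to stand in for the issuance date.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Policy values as stated in the article.
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)
MAX_VALIDITY = timedelta(days=398)
RENEW_WINDOW_DAYS = 30  # assumption: alert threshold, not from the article


def parse_cert_time(value):
    """Parse the 'Sep 10 00:00:00 2020 GMT' form used by ssl getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def classify(cert, now):
    """Return 'expired', 'over-398-days', 'renew-soon' or 'ok'."""
    not_before = parse_cert_time(cert["notBefore"])
    not_after = parse_cert_time(cert["notAfter"])
    if now > not_after:
        return "expired"
    # Assumption: notBefore stands in for the issuance date. Certificates
    # issued before the cutoff are exempt, whatever their lifetime.
    if not_before >= CUTOFF and not_after - not_before > MAX_VALIDITY:
        return "over-398-days"
    if (not_after - now).days <= RENEW_WINDOW_DAYS:
        return "renew-soon"
    return "ok"


def audit(inventory, now):
    """Classify every certificate in a {host: cert_dict} inventory."""
    return {host: classify(cert, now) for host, cert in inventory.items()}


# Constructed sample inventory (hypothetical hosts and dates).
INVENTORY = {
    "legacy.example": {"notBefore": "Aug 15 00:00:00 2020 GMT",
                       "notAfter": "Aug 15 00:00:00 2022 GMT"},
    "shop.example": {"notBefore": "Sep 10 00:00:00 2020 GMT",
                     "notAfter": "Sep 10 00:00:00 2022 GMT"},
    "api.example": {"notBefore": "Oct  1 00:00:00 2020 GMT",
                    "notAfter": "Nov  2 00:00:00 2021 GMT"},
    "mail.example": {"notBefore": "Jan 20 00:00:00 2020 GMT",
                     "notAfter": "Jan 20 00:00:00 2021 GMT"},
}

if __name__ == "__main__":
    today = datetime(2021, 1, 10, tzinfo=timezone.utc)  # fixed for repeatability
    for host, status in audit(INVENTORY, today).items():
        print(f"{host:16} {status}")
```

The two-year certificate on `legacy.example` passes because it predates the cutoff, while the identical lifetime on `shop.example` is flagged.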

Apple issued the policy with the goal of improving site security by ensuring developers use certificates with the latest encryption standards, and by reducing the number of neglected older certificates that can be stolen and used for phishing and drive-by malware attacks. If researchers or malefactors manage to break the cryptography in the SSL/TLS standard, short-term certificates will ensure that people migrate to more secure certificates in about a year.

Browser giants are gradually shortening the validity of certificates

In August 2019, Google proposed to shorten the validity period of HTTPS certificates from 27 months to 13 months at the CA/Browser Forum. The CA/Browser Forum voted down the proposal, and the maximum validity period of SSL certificates remains 2 years.

It is understood that Apple, Google and other members of the CA/Browser Forum have been considering shortening the validity of certificates for some time, hoping that by rejecting older security certificates they would force webmasters to update their certificates with the latest encryption techniques, rather than using older, less secure certificates. This will also help reduce the impact of potentially compromised certificates that the administrator is unaware of.

As of January 2020, Safari’s market share was 17.7%, according to the latest data from W3Counter. Google Chrome ranked second with 58.2 percent.

Certificate management will face great challenges

Shortening the validity period means certificates must be replaced more often, which makes the certificate management cycle more complex for website owners and for businesses that use encryption certificates. For the many companies that rely on digital certificates to protect their systems, this will bring huge cost and greatly increase the burden of operational management, and the consequences of an SSL/TLS certificate expiring will be unimaginable!

Adverse effects of SSL/TLS certificate expiration:

△ Damage to the SEO ranking of the company's website;

△ High security threat: data and sensitive information stolen or tampered with, man-in-the-middle attacks;

△ A great negative impact on the credibility of the website and the brand image;

△ Unexpected business interruption caused by certificate expiration, leaving the business unable to operate normally and bearing capital loss;

△ Audit failure or violation caused by improper certificate/key management.

Figure: Safari web certificate expiration style

Today, certificate management is becoming a major burden for enterprises. The bigger the enterprise, the more serious the management problem.

How to effectively manage certificates?

Don't know when your certificates expire? Don't know how many certificates and keys you have? How can the pain points of certificate management be avoided? After Apple's Safari certificate validity period policy takes effect, what should enterprises do?

Asia Trustworthiness Advice: You can rely on automated management to assist with certificate deployment, updating and lifecycle management through a quality certificate management platform to reduce personnel costs and the risk of errors as certificate replacement frequency increases.

Certificate Intelligent management software (CertManager) came into being

CertManager is an industry-leading intelligent certificate life-cycle management system that integrates automatic certificate application, deployment, detection, discovery, monitoring, management, alarm, update, and certificate brand switch. Designed according to the draft TLS server certificate management industry standard developed by the National Institute of Standards and Technology (NIST), it provides one-click OV/EV certificate application, automatic deployment, quick certificate brand switching and so on, through an enterprise information pre-review mechanism and CertManager's outstanding ability to adapt to deployment environments.

It provides a one-stop, closed-loop certificate management service to help enterprise users manage SSL certificates and private keys for security compliance, and can effectively avoid the capital loss and brand damage caused by certificate expiration. It deploys and updates certificates on gateways, load devices, cloud services, and web servers under unified management, and provides an OpenAPI for connecting to O&M systems. At the same time, it helps enterprises launch services quickly, reduce labor costs, and avoid production accidents caused by human error.

✔ Automatic certificate issuance

Enterprise information pre-check mechanism to realize automatic issuance and quick acquisition of OV/EV certificates

✔ Certificate deployment

Deploy and update certificates for gateway devices, cloud services, and web servers under unified management, and provide an OpenAPI for interconnection with O&M systems

✔ Certificate detection

CAA statistics report, DN/SAN compliance report, weak key statistics

✔ Private key protection

White-box algorithm hardening, Keyless, security gateway, and short certificates are available to protect the security of the private key

✔ Alarm monitoring

Continuously monitor certificate status and raise alarms on exceptions

✔ Brand switch

When trust in a CA is damaged, you can quickly switch the certificate brand

✔ User management

Role-based access control: administrators, operators, and auditors

✔ Certificate discovery

You can scan the enterprise network segment for deployed certificates and manage the discovered certificates

To help enterprise users cope with the certificate validity policy of Apple's Safari browser, Asia Integrity has opened a 24/7 online consultation service to answer your questions and provide efficient and secure solutions.