Maximum 392 Days Lifespan of SSL/TLS Certificates

Starting September 2020, major browsers will no longer accept newly issued certificates with a lifespan greater than 398 days. This is a major step towards a more secure web.

In detail, it allows issuers to phase out certificates more easily when e.g. new encryption vulnerabilities are discovered as well as limiting the exposure of a possibly compromised private key. In short, anything that could be a threat for internet security overall can only exist for a shorter amount of time.

With the current limit of 825 days pushing down to 392 days, it also causes some overhead for website administrators. Existing certificates will not be affected by the change that is going into effect September, 1st 2020. However, there are still major certificate issuers that have not adapted their certificate lifetime.

The growth of Let’s Encrypt has been scintillating over the past couple of years with more than 130M active certificates. By default, their certificate lifetime is 90 days. They’ve been going this route from the beginning on and it has led to a number of changes in the industry. Primarily, automated certificate renewals and deployments have become a standard and nothing unusual.