About upcoming limits on trusted certificates

In our ongoing efforts to improve web security for our users, Apple is reducing the maximum allowed lifetimes of TLS server certificates.

What's changing

TLS server certificates issued on or after September 1, 2020 00:00 GMT/UTC must not have a validity period greater than 398 days.

This change will affect only TLS server certificates issued from the Root CAs preinstalled with iOS, iPadOS, macOS, watchOS, and tvOS. Additionally, this change will affect only TLS server certificates issued on or after September 1, 2020; any certificates issued prior to that date will not be affected by this change.

Connections to TLS servers violating these new requirements will fail. This might cause network and app failures and prevent websites from loading.

Notes

  • Validity period is defined in line with RFC 5280, Section 4.1.2.5, as "the period of time from notBefore through notAfter, inclusive."

  • 398 days is measured with a day being equal to 86,400 seconds. Any time greater than this indicates an additional day of validity.

  • We recommend that certificates be issued with a maximum validity of 397 days.

  • This change will not affect certificates issued from user-added or administrator-added Root CAs.
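As an added example (not Apple's code), the Python below applies the definitions in the notes above to the notBefore/notAfter strings in the format printed by `openssl x509 -noout -dates`. It assumes notBefore stands in for the issuance date, and it does not check whether the certificate chains to a preinstalled or a user-added root; the function names and sample dates are constructed for illustration.

```python
import ssl
from datetime import datetime, timezone

SECONDS_PER_DAY = 86_400   # a day is exactly 86,400 seconds per the notes
MAX_DAYS = 398             # limit stated in the article
# Cutoff from the article: September 1, 2020 00:00 GMT/UTC
CUTOFF = int(datetime(2020, 9, 1, tzinfo=timezone.utc).timestamp())


def validity_days(not_before: str, not_after: str) -> int:
    """Days of validity from notBefore through notAfter, inclusive.

    Inputs use the OpenSSL text form, e.g. 'Sep  1 00:00:00 2020 GMT'.
    Any partial day counts as an additional full day.
    """
    start = ssl.cert_time_to_seconds(not_before)
    end = ssl.cert_time_to_seconds(not_after)
    if end < start:
        raise ValueError("notAfter is earlier than notBefore")
    seconds = end - start + 1              # +1 because both endpoints count
    return -(-seconds // SECONDS_PER_DAY)  # integer ceiling division


def check_lifetime(not_before: str, not_after: str) -> str:
    """Return 'exempt', 'ok' or 'too-long' for one certificate."""
    days = validity_days(not_before, not_after)
    # Assumption: notBefore is used as the issuance date.
    if ssl.cert_time_to_seconds(not_before) < CUTOFF:
        return "exempt"
    return "ok" if days <= MAX_DAYS else "too-long"


if __name__ == "__main__":
    # Constructed sample validity windows, not taken from real certificates.
    samples = [
        ("Sep  1 00:00:00 2020 GMT", "Oct  3 23:59:59 2021 GMT"),
        ("Sep  1 00:00:00 2020 GMT", "Oct  4 00:00:00 2021 GMT"),
        ("Aug 31 23:59:59 2020 GMT", "Nov 30 23:59:59 2022 GMT"),
    ]
    for nb, na in samples:
        print(nb, "->", na, validity_days(nb, na), check_lifetime(nb, na))
```

The second sample shows why the inclusive definition matters: a notAfter exactly 398 days after notBefore counts as 399 days, so issuers typically set notAfter one second earlier or stay at 397 days.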
