GlobalSign Blog

Upcoming Changes to Max Validity for Secure Email and PersonalSign Certificates

Three-year certificates will no longer be available as of March 28, 2022.

2022 will see another round of changes to the maximum validity of publicly-trusted certificates. Whereas recently the internet saw TLS certificates truncated to just 398 days, now the same logic and changes are being applied to email security certificates. 

Email Security certificates, perhaps better known as S/MIME certificates (Secure/Multipurpose Internet Mail Extension certificates), are used to authenticate the sender of an email, and may also be used to encrypt the email’s contents. They are a critical tool in combating email-based attacks, specifically spearphishing and impersonation attempts. With over 90% of cyber attacks originating via email and the entire world still adjusting to hybrid work arrangements, there has been something of an S/MIME certificate renaissance over the past couple of years. 

However, because email security certificates leverage the public web trust, they are subject to oversight by the internet’s root certificate programs.

In 2021, Apple, via its Root certificate program, announced its intention to deprecate three-year validity for email security certificates. Beginning April 1, 2022 (4/1/2022), maximum validity is capped at two years. To accommodate this change, GlobalSign will no longer issue 3-year Secure Email and PersonalSign certificates as of March 28, 2022. 

We realize you may have some questions, so in the interest of keeping our customers informed about this upcoming change, we’ve summarized what you need to know below:

There will be no impact to any Secure Email or PersonalSign certificate issued prior to April 1, 2022.

So, for instance, if you issued a three-year PersonalSign certificate on March 25th, it would remain valid even after the enforcement date goes into effect. Only three-year certificates with effective dates after April 1, 2022, are at risk of being distrusted. As stated above, GlobalSign will cease issuing three-year certificates on March 28th out of an abundance of caution.

You can still order one- and two-year Secure Email and PersonalSign certificates and packs, but again after March 28th, the option for three years will be eliminated. 

So, what about re-issuing a three-year certificate after the change goes into effect?

Great question. Unlike a renewal, a re-issue typically keeps the same expiry date as the original certificate. This obviously presents a challenge for a small subset of customers. Don’t worry, you will still retain the entire length of the certificate you originally purchased. In the event a three-year certificate purchased before April 1, 2022, needs to be re-issued after that date, the expiration date will be reduced to two years, and when the certificate is within 825 days of the original expiry date, you will be able to re-issue again to claim the remaining validity. 
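To make the re-issue rule concrete, here is an added example (not GlobalSign's code) that models the cap, the re-issue expiry and the date from which the remaining validity can be reclaimed; it assumes the two-year cap is measured as 825 days, the figure quoted above, and uses a constructed inventory of certificates to show which ones are affected.

```python
from datetime import date, timedelta

# Dates quoted in the post above.
ENFORCEMENT_DATE = date(2022, 4, 1)   # root program cap takes effect
LAST_3YR_ORDER = date(2022, 3, 28)    # last day GlobalSign issues three-year certs
# Assumption: the two-year cap is modelled as 825 days, the figure the post gives
# for the re-issue window.
MAX_VALIDITY_DAYS = 825


def is_at_risk(not_before: date, not_after: date) -> bool:
    """True if a certificate could be distrusted under the new cap: issued on or
    after the enforcement date and with a lifetime longer than the cap."""
    if not_before < ENFORCEMENT_DATE:
        return False  # issued before April 1, 2022: unaffected, keeps its full term
    return (not_after - not_before).days > MAX_VALIDITY_DAYS


def reissue_not_after(original_not_after: date, reissue_date: date) -> date:
    """Expiry a re-issue carries. Before enforcement it keeps the original expiry;
    after enforcement it is the original expiry or the capped date, whichever is
    earlier, so purchased validity is deferred rather than lost."""
    if reissue_date < ENFORCEMENT_DATE:
        return original_not_after
    return min(original_not_after, reissue_date + timedelta(days=MAX_VALIDITY_DAYS))


def earliest_full_reissue(original_not_after: date) -> date:
    """First date on which a further re-issue can reclaim the full original expiry."""
    return original_not_after - timedelta(days=MAX_VALIDITY_DAYS)


def audit(inventory) -> list:
    """Return the ids of certificates in an (id, notBefore, notAfter) inventory
    that are at risk of distrust under the new cap."""
    return [cert_id for cert_id, nb, na in inventory if is_at_risk(nb, na)]


# Constructed sample inventory: (id, notBefore, notAfter); not real certificates.
SAMPLE_INVENTORY = [
    ("alice-3yr-pre",  date(2022, 3, 25), date(2025, 3, 25)),  # safe: issued before cap
    ("bob-3yr-post",   date(2022, 4, 5),  date(2025, 4, 5)),   # at risk: 3 years after cap
    ("carol-2yr-post", date(2022, 4, 5),  date(2024, 4, 5)),   # safe: within cap
]

if __name__ == "__main__":
    original_expiry = date(2025, 3, 25)
    print("at risk:", audit(SAMPLE_INVENTORY))
    print("re-issue on 2022-06-01 expires:", reissue_not_after(original_expiry, date(2022, 6, 1)))
    print("full expiry reclaimable from:", earliest_full_reissue(original_expiry))
```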

Finally, the question: Why?

To answer that, it’s important to zoom out and look at how public web trust functions. Root certificate programs effectively function as the gatekeepers to public trust. Certificate Authorities like GlobalSign must abide by rigorous standards and expectations to maintain trusted status, and with it the ability to issue publicly-trusted certificates like SSL/TLS and S/MIME. The root programs’ primary focus is the safety of regular internet users. 

As such, through the CA/Browser Forum and sometimes unilaterally, the root programs (run by the major web browsers) enact changes to publicly trusted certificates in the interest of making net improvements to web security. The current consensus on validity is that the longer validation information is relied upon, the less reliable it becomes. Thus far we’ve seen the majority of the efforts toward reducing maximum validity periods on the SSL/TLS side of things. This is the first reduction for S/MIME certificates, but the logic behind the reductions remains the same. 

Specifically in the world of business email, employees come and go; turnover happens regularly at every level. And there is risk in having long-validity S/MIME certificates that can sometimes outlive the employees, or even companies, they were issued for. By reducing lifespans, some of the risk there is diminished as well. Granted, it doesn’t completely eliminate that risk, but it’s a good step in the right direction.

And whereas there was once a legitimate burden associated with provisioning S/MIME certificates for an entire organization – something that would have made these changes seem unfathomable before – those historical obstacles have been overcome in recent years with solutions like GlobalSign’s AEG, which automates all the tedium away and makes deployment a cinch. 

If you have any questions about how these changes may impact your organization, please feel free to contact our Support Team and we’ll be happy to discuss them with you further. 