In November 2021, we posted that Apple set the validity period of S/MIME certificates to 825 days. On February 1, 2022, Apple released a policy update that changes the S/MIME certificate validity period to 1185 days. This is just short of 39 months and allows certification authorities (CAs) to continue to issue 3-year certificates.

Apple likely changed their policy based on feedback they received from CAs that are part of the CA/Browser Forum S/MIME Working Group and the PKI Consortium. Many enterprises and governments generate the keys for S/MIME certificates on smart cards. Currently, smart card S/MIME certificates are issued for 3 to 5 years, and a reduction to 825 days, or 27 months, would make smart card key generation more costly. This truncated validity period would lead to two possible unfavorable scenarios:

  1. Organizations issuing keys in software, leading to weaker security, or
  2. Organizations issuing private trust certificates, leading to the loss of relying parties’ trust

Entrust will support our certificate subscribers by continuing to issue S/MIME certificates for 3 years. Subscribers should note that Gmail only supports S/MIME certificates with a maximum validity of 27 months, so a 2-year certificate may still be the best option for your business.

For more information, see Entrust Secure Email S/MIME certificates.