In November 2021, we posted that Apple set the validity period of S/MIME certificates to 825 days. On February 1, 2022, Apple released a policy update that changes the S/MIME certificate validity period to 1185 days. This is just short of 39 months and allows certification authorities (CAs) to continue to issue 3-year certificates.
Apple likely changed their policy based on feedback they received from CAs that are part of the CA/Browser Forum S/MIME Working Group and the PKI Consortium. Many enterprises and governments generate the keys for S/MIME certificates on smart cards. Currently, smart card S/MIME certificates are issued for 3 to 5 years and a reduction to 825 days, or 27 months, would make smart card key generation more costly. This truncated validity period would lead to two possible unfavorable scenarios:
- Organizations issuing keys within the software, leading to weaker security, or
- Organizations issuing private trust certificates, leading to the loss of relying parties’ trust
Entrust will support our certificate subscribers by continuing to issue S/MIME certificate for 3 years. Subscribers should note that Gmail only supports the maximum of 27-month validity S/MIME certificates, so a 2-year certificate may still be the best option for your business.
