UPCOMING BASELINE REQUIREMENT CHANGES

We’d like to make you aware of upcoming industry changes and Baseline Requirement changes outlined by the CA/Browser Forum, which could impact how you currently use, manage or sell digital certificates today. It’s important that you read this message and its contents carefully.

There are a number of upcoming changes which will require TRUSTZONE to enforce new policies affecting how we issue and vet digital certificates.

INTERNAL SERVER NAMES: OCTOBER 2014

Requirement:
From October 2014, TRUSTZONE will only allow certificate requests containing an Internal Server Name to be issued or re-issued with an end date of October 31st, 2015.

Please note:
Your previously issued certificates containing Internal Server Names will not be affected. In the future, however, you will not be able to re-issue certificates containing Internal Server Names.

VALIDITY OF SHA-1: NOVEMBER 2014

Requirement:
You can no longer issue SHA-1 certificates with a validity surpassing 1 year.

Please note:
Your previously issued SHA-1 certificates will not be affected. In the future, however, you will not be able to re-issue SHA-1 certificates surpassing a validity period of 2 years.

Changes to TRUSTZONE Systems:

  1. Ordering pages will be updated to limit the max validity SHA-1 SSL Certificates to one year.
  2. APIs will reject any SHA-1 orders that are for more than one year.
  3. Re-issuance of SHA-1 SSL Certificates will result in a max of one year validity, regardless of the original purchase date or how many months are remaining.
  4. Re-issuance of a SHA-2 Certificate to a SHA-1 Certificate will result in a max validity of one year.

EV SSL CERTIFICATES TO LOGS: DECEMBER 2014

Requirement:
TRUSTZONE will be posting all publicly visible EV SSL Certificates to qualified CT logs in 2014 in order to have them added to the Google CT whitelist. Those certificates not visible on the internet will not be posted unless requested by a customer. In the event that an EV Certificate is not whitelisted, it can be reissued and posted at that time. Starting in January 2015, EV certificates will be published to the CT logs during issuance by default; however, users will be able to opt out of this if they do not want CT-compliant certificates (certificates used internally which may disclose internally accessible server names which they consider sensitive). TRUSTZONE ordering pages and APIs will be updated to allow users to opt out of CT when ordering EV Certificates.

CERTIFICATE TRANSPARENCY (RFC 6962): FEBRUARY 2015


Important Upcoming Dates:

  1. December 2014: TRUSTZONE will post all publicly accessible EV SSL Certificates to one or more Qualified CT logs to be whitelisted.
  2. December 2014: TRUSTZONE will update the ordering pages and APIs to allow users to opt out of CT. The default will be to issue EV SSL Certificates that are CT-compliant.

Recommendations:
Please continue to watch for updates regarding Certificate Transparency.

39 MONTH MAXIMUM CERTIFICATE VALIDITY: APRIL 2015

Requirement:
Beginning April 01, 2015, certificates will be limited to a maximum validity of 39 months.

Important Upcoming Dates:

  1. March 29, 2015: TRUSTZONE will no longer offer 4- or 5-year certificates. Reissuance of certificates will be limited to a maximum of 39 months. This also applies to certificates issued when adding or removing SANs.

Note:
All customers who purchase 4- or 5-year certificates today will be impacted when they attempt to reissue their certificate. If a customer reissues a certificate after April 2015 that contains a validity period longer than 39 months, the validity period will be truncated because certificates can only be reissued for the first 39 months of life. TRUSTZONE’s ordering system currently warns users of these upcoming changes if they choose to purchase a 4- or 5-year certificate.

Recommendations:
TRUSTZONE strongly recommends that you make a backup of your 4- or 5-year certificate, since from April 2015 you will only be able to re-issue your certificate with a validity of 39 months, regardless of the original expiry date. You will find guides to backing up your certificate here.

39 MONTH MAXIMUM RE-USE OF VETTING INFORMATION: APRIL 2015

Requirement:
Beginning April 01, 2015, the data used to verify certificate information is only valid for up to 39 months (this applies to issuance and reissuance). When issuing a certificate, the data used for issuance (enterprise vetting and domain control) must be less than 39 months old. If the data is older than 39 months, it must be revalidated prior to issuing a new certificate.

Important Upcoming Dates:

  1. March 29, 2015: TRUSTZONE limits reissuance to the first 39 months of certificate validity.

Recommendations:
TRUSTZONE strongly recommends not issuing 4- or 5-year certificates. If you are a TRUSTZONE partner, we encourage you to sell 1- to 3-year certificates and discourage the use of 4- and 5-year certificates, to ensure customer satisfaction and to avoid customers receiving certificates with a shorter validity period than the prior certificate.

INTERNAL SERVER NAME DEPRECATION: NOV 2015

Requirement:
On November 22nd, 2011, the CA/Browser Forum outlined the following Baseline Requirement: “The CA shall not issue a certificate with an expiration date later than November 1st, 2015 with a SAN or Subject Common Name field containing a Reserved IP address or Internal Server Name. Effective October 1st, 2016, CAs are required to revoke all unexpired certificates whose SAN or Subject Common Name field contains a Reserved IP Address or Internal Server Name.”

Important Upcoming Dates:

  1. October 26, 2014: TRUSTZONE will not permit the issuance of certificates with Internal Server Names.
  2. October 31, 2015: TRUSTZONE will not reissue any certificates with Internal Server Names.

REVOKING CERTIFICATES CONTAINING INTERNAL SERVER NAMES: OCTOBER 2016

Requirement:
All Certificate Authorities (CAs) are required to revoke all certificates containing Internal Server Names.

Please note: If you are a CA you are required to revoke all certificates containing Internal Server Names. TRUSTZONE will also revoke issued certificates containing Internal Server Names.

NO LONGER SHA-1 CERTIFICATES: JANUARY 2016

Requirement:
TRUSTZONE will no longer offer SHA-1 certificates.

DEPRECATION OF SHA-1: JANUARY 2017

Requirement:
Beginning January 1st, 2017, Microsoft will stop trusting SHA-1 Certificates issued under public roots. This applies to all SSL, Code Signing, Client Certificates and CA Certificates (except Root CA certificates) issued under publicly trusted roots. While the CA/B Forum has yet to specify in its Baseline Requirements that the SHA-256 hashing algorithm must be used, TRUSTZONE has decided to support the industry decision led by Microsoft.

Important Upcoming Dates:

  1. January 2015: The maximum validity of TRUSTZONE SHA-1 SSL certificates will be changed from 3 years to 2 years.
  2. January 2016*: TRUSTZONE will no longer offer Certificates with the SHA-1 hashing algorithm.
  3. January 2017*: TRUSTZONE will no longer re-issue SHA-1 Certificates.
  4. January 2017*: Microsoft will cease trusting SSL certificates using SHA-1.

*If Microsoft should change its date of January 2017, TRUSTZONE may review its associated dates.

Please note:
Users are urged to obtain SHA-256 Certificates and verify there are no issues with their web clients or legacy systems. In the event a SHA-256 Certificate does not support your needs, you may reissue to a SHA-1 Certificate.
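The rules above (Internal Server Names, the 39-month validity cap and the SHA-1 limits) are easiest to act on if you run them over your own certificate inventory and see which certificates will be truncated at reissue, refused, or revoked. The following is an added example written for this notice; it is not TRUSTZONE's code or tooling. It assumes the inventory is a list of dicts with the fields `subject_cn`, `sans`, `sig_alg`, `not_before` and `not_after` (field names chosen here, as an inventory export or a parsed X.509 certificate would supply them), and it approximates the Baseline Requirements' "not resolvable via public DNS" definition with a bare-hostname check, a list of non-public suffixes (`NON_PUBLIC_SUFFIXES`, an assumption) and Python's `ipaddress` reserved-range classification. Certificate Transparency (SCT presence) is not checked here.

```python
"""Audit a certificate inventory against the CA/Browser Forum changes in the notice.

Added example, not TRUSTZONE's code. The inventory format (one dict per
certificate with 'subject_cn', 'sans', 'sig_alg', 'not_before', 'not_after')
is this example's own assumption.
"""
from datetime import date
import ipaddress

# Limits and dates as stated in the notice.
MAX_VALIDITY_MONTHS = 39                       # all certificates, from April 2015
MAX_SHA1_VALIDITY_MONTHS = 12                  # SHA-1 certificates, from November 2014
INTERNAL_NAME_REVOCATION = date(2016, 10, 1)   # unexpired internal-name certs are revoked

# Assumption: suffixes that public DNS never resolves. The Baseline Requirements
# define an Internal Server Name as one not resolvable via public DNS; this list
# is a practical approximation of that definition, not the definition itself.
NON_PUBLIC_SUFFIXES = (".local", ".internal", ".corp", ".lan", ".localdomain")


def is_reserved_ip(name):
    """True for RFC 1918, loopback, link-local and other non-global IP literals."""
    try:
        return not ipaddress.ip_address(name).is_global
    except ValueError:          # not an IP literal at all
        return False


def is_internal_server_name(name):
    """Bare hostnames, non-public suffixes and reserved IPs count as internal."""
    name = name.strip().lower().rstrip(".")
    if is_reserved_ip(name):
        return True
    if "." not in name:         # e.g. "intranet" or "mail"
        return True
    return name.endswith(NON_PUBLIC_SUFFIXES)


def validity_months(not_before, not_after):
    """Whole months of validity, rounding a partial final month up."""
    months = (not_after.year - not_before.year) * 12 + (not_after.month - not_before.month)
    if not_after.day > not_before.day:
        months += 1
    return months


def audit_certificate(cert):
    """Return a list of finding codes for one certificate (empty list = compliant)."""
    findings = []
    names = [cert["subject_cn"]] + list(cert.get("sans", []))
    internal = sorted({n for n in names if is_internal_server_name(n)})
    if internal and cert["not_after"] >= INTERNAL_NAME_REVOCATION:
        # Still valid on the revocation date: the CA must revoke it.
        findings.append("internal-name-revocation:" + ",".join(internal))
    elif internal:
        # Expires before then, but cannot be reissued with these names.
        findings.append("internal-name-no-reissue:" + ",".join(internal))

    months = validity_months(cert["not_before"], cert["not_after"])
    if months > MAX_VALIDITY_MONTHS:
        findings.append(f"validity-over-39-months:{months}")

    if cert["sig_alg"].lower().startswith("sha1"):
        findings.append("sha1-signature")
        if months > MAX_SHA1_VALIDITY_MONTHS:
            findings.append(f"sha1-validity-over-12-months:{months}")
    return findings


def audit_inventory(certs):
    """Map each certificate's subject CN to its findings."""
    return {c["subject_cn"]: audit_certificate(c) for c in certs}


# Constructed sample inventory (not real certificates).
SAMPLE_INVENTORY = [
    {"subject_cn": "intranet", "sans": ["intranet", "intranet.example.com", "10.1.2.3"],
     "sig_alg": "sha256WithRSAEncryption",
     "not_before": date(2014, 6, 1), "not_after": date(2017, 6, 1)},
    {"subject_cn": "www.example.com", "sans": ["www.example.com", "example.com"],
     "sig_alg": "sha1WithRSAEncryption",
     "not_before": date(2014, 3, 1), "not_after": date(2016, 3, 1)},
    {"subject_cn": "shop.example.com", "sans": ["shop.example.com"],
     "sig_alg": "sha256WithRSAEncryption",
     "not_before": date(2013, 5, 15), "not_after": date(2018, 5, 15)},
    {"subject_cn": "api.example.com", "sans": ["api.example.com"],
     "sig_alg": "sha256WithRSAEncryption",
     "not_before": date(2014, 1, 1), "not_after": date(2017, 1, 1)},
]

if __name__ == "__main__":
    for cn, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(cn, "->", findings or "compliant")
```

On the sample inventory the internal-name certificate is flagged for revocation because it is still valid on October 1st, 2016, the SHA-1 certificate is flagged both for its signature algorithm and for exceeding the one-year SHA-1 limit, the 5-year certificate is flagged as exceeding 39 months (its reissue would be truncated), and the 3-year SHA-256 certificate passes. Month counting rounds a partial month up, so a certificate that overruns the cap by a day is still reported.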