Trustzone

SSL Certificate Validity Is Now Capped at a Maximum of 2 Years


The CA/Browser Forum, an industry body made up of Certificate Authorities (CAs), web browsers and operating systems, recently passed ballot 193 to reduce the maximum validity period for SSL certificates to 2 years (825 days, to be specific). Prior to this, the maximum validity was 3 years (39 months) for Domain Validated (DV) and Organization Validated (OV) certificates; Extended Validation (EV) certificates have always been capped at 2 years.

The change goes into effect March 1, 2018, but we will comply with the new set of rules by February 26th, 2018.

WHY REDUCE SSL VALIDITY PERIODS?

The CA/Browser Forum is responsible for setting and maintaining best practices and requirements for CAs and the certificates they issue. Longer certificate validity periods can delay widespread compliance with new guidelines, since a change doesn't take full effect until every certificate issued before the update has expired. Decreasing the maximum lifetime of certificates from 3 years to 2 years helps reduce the presence of older, outdated and possibly vulnerable certificates that were issued before new guidelines were put in place.

For example, back when SHA1 deprecation was first announced, the maximum validity period was 5 years (for DV and OV). This led to challenges in the migration to SHA256, because there was a gray area of long-life certificates that had been issued with SHA1 and could potentially remain in use for years with an outdated algorithm. Shorter validity periods will shrink these gray areas after future guidelines are released and decrease the amount of time it takes for all active certificates to comply with a specified policy.

HOW DOES THIS AFFECT SYSTEM AND WEB ADMINISTRATORS?

For starters, the new rule only applies to certificates issued after March 1st, 2018. This change does not affect current certificates, so don’t panic thinking you need to replace any existing certificates that were issued with a 3-year validity period. That said, if you currently use 3-year certificates and have your administration based on a 3-year renewal cycle, you should start thinking ahead on how to adjust to more frequent renewals.

This is an excellent reminder about the role certificate management and inventory tools can play in simplifying the administration of your SSL certificates.
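As an added illustration (not a TRUSTZONE tool or code from this article), the Python sketch below checks a certificate inventory against the 825-day cap and flags older long-life certificates whose next renewal will have to be shorter. The host names and dates are constructed samples, and treating `notBefore` as the issuance time is an assumption.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Figures taken from the article above.
MAX_VALIDITY = timedelta(days=825)
EFFECTIVE = datetime(2018, 3, 1, tzinfo=timezone.utc)


def parse_time(value):
    """Parse a certificate time as printed by OpenSSL and ssl.getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def lifetime(cert):
    """Validity period; RFC 5280 counts notBefore and notAfter as inclusive."""
    start, end = parse_time(cert["notBefore"]), parse_time(cert["notAfter"])
    if end < start:
        raise ValueError(f"{cert['name']}: notAfter precedes notBefore")
    return end - start + timedelta(seconds=1)


def classify(cert):
    """Return 'ok', 'over-cap' or 'legacy-long' for one inventory entry."""
    too_long = lifetime(cert) > MAX_VALIDITY
    # Assumption: issuance time is approximated by notBefore, and the
    # effective date itself is treated as covered by the new rule.
    if parse_time(cert["notBefore"]) >= EFFECTIVE:
        return "over-cap" if too_long else "ok"
    # Issued before the change: still valid, but the next renewal cannot
    # run as long, so the renewal cycle has to shorten.
    return "legacy-long" if too_long else "ok"


def audit(inventory):
    """Return (name, status, days, notAfter) rows ordered by expiry date."""
    rows = [(c["name"], classify(c), lifetime(c).days, parse_time(c["notAfter"]))
            for c in inventory]
    return sorted(rows, key=lambda row: row[3])


# Constructed sample inventory (hypothetical hosts, not real certificates).
SAMPLE = [
    {"name": "legacy.example.test", "notBefore": "Jun  1 00:00:00 2017 GMT",
     "notAfter": "Aug 31 23:59:59 2020 GMT"},
    {"name": "shop.example.test", "notBefore": "Mar  5 00:00:00 2018 GMT",
     "notAfter": "Jun  7 23:59:59 2020 GMT"},
    {"name": "api.example.test", "notBefore": "Mar  5 00:00:00 2018 GMT",
     "notAfter": "Jun  6 23:59:59 2020 GMT"},
]

if __name__ == "__main__":
    for name, status, days, expires in audit(SAMPLE):
        print(f"{expires:%Y-%m-%d}  {days:>5}d  {status:<12} {name}")
```

The two 2018 samples differ by a single day to show the boundary: 825 days passes, 826 is flagged.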

If you have questions about the 2-year validity maximum or SSL/TLS best practices in general, just contact us. We’re happy to help.
