SSL CERTIFICATE VALIDITY IS NOW CAPPED AT A MAXIMUM OF 2 YEARS
The CA/Browser Forum, an industry body made up of Certificate Authorities (CAs), web browsers and operating systems, recently passed ballot 193 to reduce the maximum validity period for SSL certificates to 2 years (825 days, to be specific). Prior to this, the maximum validity was 3 years (39 months) for Domain Validated (DV) and Organization Validated (OV) certificates; Extended Validation (EV) certificates have always been capped at 2 years.
The change goes into effect March 1, 2018, but we will comply with the new set of rules by February 26th, 2018.
WHY REDUCE SSL VALIDITY PERIODS?
The CA/Browser Forum is responsible for setting and maintaining best practices and requirements for CAs and the certificates they issue. Long certificate validity periods delay widespread compliance with new guidelines, because a change does not fully take effect until every certificate issued before the update has expired. Decreasing the maximum lifetime of certificates from 3 years to 2 years shortens that tail, reducing the number of older certificates still in use that were issued under superseded, possibly weaker rules.
For example, back when SHA1 deprecation was first announced, the maximum validity period was 5 years (for DV and OV). This led to challenges in the migration to SHA256 because there was a gray area of long-life certificates that had been issued with SHA1 and could potentially remain in use for years with an outdated algorithm. Shorter validity periods will shrink these gray areas after future guidelines are released and decrease the amount of time it takes for all active certificates to comply with a specified policy.
HOW DOES THIS AFFECT SYSTEM AND WEB ADMINISTRATORS?
For starters, the new rule only applies to certificates issued after March 1st, 2018. This change does not affect current certificates, so don’t panic thinking you need to replace any existing certificates that were issued with a 3-year validity period. That said, if you currently use 3-year certificates and have built your administration around a 3-year renewal cycle, you should start thinking ahead now about how to adjust to more frequent renewals: inventory your certificates, record each one’s issue and expiry dates, and make sure renewals are tracked (or automated) well before the shorter terms run out.
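As an added illustration (not code from the original post or from TRUSTZONE), the following script shows how an administrator could audit an inventory of certificates against the new cap. It takes the two lines that `openssl x509 -noout -dates` prints for a certificate, computes the validity period in days, flags any certificate issued on or after March 1st, 2018 with a lifetime over 825 days, and reports how many days remain before expiry. The three certificates below are constructed sample inputs, not real certificates; the 30-day renewal warning threshold is an assumed value, not something the page specifies.

```python
import math
import ssl
from datetime import datetime, timezone

# CA/Browser Forum Baseline Requirements cap after ballot 193: 825 days for
# certificates issued on or after 2018-03-01 (values taken from the page above).
MAX_VALIDITY_DAYS = 825
CAP_EFFECTIVE = datetime(2018, 3, 1, tzinfo=timezone.utc)
RENEW_WARN_DAYS = 30  # assumed operational threshold, not from the page


def parse_openssl_dates(text):
    """Parse the output of `openssl x509 -noout -dates` into two UTC datetimes.

    The expected lines look like:
        notBefore=Mar  5 00:00:00 2018 GMT
        notAfter=Jun  6 23:59:59 2020 GMT
    ssl.cert_time_to_seconds() understands exactly this OpenSSL format.
    """
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            seconds = ssl.cert_time_to_seconds(value.strip())
            fields[key] = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return fields["notBefore"], fields["notAfter"]


def validity_days(not_before, not_after):
    """Lifetime in whole days, rounded up so 00:00:00..23:59:59 counts as a full day."""
    return math.ceil((not_after - not_before).total_seconds() / 86400)


def check_certificate(dates_text, now):
    """Audit one certificate and return the findings as a dict."""
    not_before, not_after = parse_openssl_dates(dates_text)
    days = validity_days(not_before, not_after)
    subject_to_cap = not_before >= CAP_EFFECTIVE
    remaining = (not_after - now).days
    return {
        "validity_days": days,
        "subject_to_cap": subject_to_cap,
        # Only certificates issued after the effective date can breach the cap.
        "exceeds_cap": subject_to_cap and days > MAX_VALIDITY_DAYS,
        "days_remaining": remaining,
        "expired": now > not_after,
        "renew_soon": 0 <= remaining <= RENEW_WARN_DAYS,
    }


# Constructed sample inventory (not real certificates).
SAMPLE_CERTS = {
    # 3-year certificate issued before the cap took effect: still fine.
    "legacy-3y": "notBefore=Feb 20 00:00:00 2018 GMT\nnotAfter=Feb 19 23:59:59 2021 GMT\n",
    # 3-year certificate issued after the cap: the issuing CA would be in breach.
    "new-3y": "notBefore=Mar  5 00:00:00 2018 GMT\nnotAfter=Mar  4 23:59:59 2021 GMT\n",
    # 825-day certificate issued after the cap: exactly at the limit.
    "new-2y": "notBefore=Mar  5 00:00:00 2018 GMT\nnotAfter=Jun  6 23:59:59 2020 GMT\n",
}


def audit_inventory(certs, now):
    """Run check_certificate over a name -> dates-text mapping."""
    return {name: check_certificate(text, now) for name, text in certs.items()}


if __name__ == "__main__":
    as_of = datetime(2018, 3, 15, tzinfo=timezone.utc)
    for name, result in audit_inventory(SAMPLE_CERTS, as_of).items():
        print(f"{name}: {result}")
```

In practice the `dates_text` would come from running `openssl x509 -in cert.pem -noout -dates` over each certificate file (or from a certificate pulled off a live endpoint with `openssl s_client`), and the `now` argument would be `datetime.now(timezone.utc)`; passing it explicitly keeps the check deterministic and testable.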
If you have questions about the 2-year validity maximum or SSL/TLS best practices in general, just contact us. We’re happy to help.
FAQ DEPRECATION OF 3-YEAR SSL CERTIFICATES
Why will TRUSTZONE stop issuing 3-year certificates?
This is an industry-wide directive which affects all certificate authorities. In accordance with the CA/Browser Forum Baseline Requirements, effective March 1st 2018, Certificate Authorities (CAs) will no longer be able to issue SSL certificates with a validity period longer than 27 months (825 days).
When will the 2-year maximum term limitation take effect?
March 1st, 2018, but we will comply with the new set of rules by February 26th, 2018.
Is TRUSTZONE the only certificate authority to stop issuing 3-year certificates?
No, the requirement applies to all CAs. If a certificate is issued after March 1st, 2018 with a validity period of greater than 27 months, then the issuing CA will be in breach of the requirements.
What if I already paid for a 3-year term? Does that purchase get honored?
Yes. If you purchased the certificate before March 1st 2018, then nothing will change. Your 3-year certificate will remain valid for its full lifetime. If you decide to replace this certificate after March 1st, 2018, or it comes up for renewal, then the new requirements come into play and the replacement will be issued with a maximum term of 2 years.
Does the 2-year maximum term limitation apply to all certificate types (single domain, Wildcard, Extended Validation and SAN/multi-domain)?
Yes, it applies to all website certificate types. EV certificates have a maximum duration of 2 years anyway, so they are already compliant.
Does the limit apply to Code Signing certificates?
No, the limit does not apply to code signing or EV Code Signing certificates, which will retain a 3-year maximum validity period.