SSL CERTIFICATE VALIDITY IS NOW CAPPED AT A MAXIMUM OF 2 YEARS
The CA/Browser Forum, an industry body made up of Certificate Authorities (CAs), web browsers and operating systems, recently passed ballot 193 to reduce the maximum validity period for SSL certificates to 2 years (825 days, to be specific). Prior to this, the maximum validity was 3 years (39 months) for Domain Validated (DV) and Organization Validated (OV) certificates; Extended Validation (EV) certificates have always been capped at 2 years.
The change goes into effect March 1, 2018; we will be complying with the new rules from February 26th, 2018.
WHY REDUCE SSL VALIDITY PERIODS?
The CA/Browser Forum is responsible for setting and maintaining best practices and requirements for CAs and the certificates they issue. Longer certificate validity periods delay widespread compliance with new guidelines, since a change does not fully take effect until every certificate issued before the update has expired. Decreasing the maximum lifetime of certificates from 3 years to 2 years helps reduce the presence of older, outdated and possibly vulnerable certificates that were issued before new guidelines were put in place.
For example, back when SHA1 deprecation was first announced, the maximum validity period was 5 years (for DV and OV). This led to challenges in the migration to SHA256 because there was a gray area of long-life certificates that had been issued with SHA1 and could potentially remain in use for years with an outdated algorithm. Shorter validity periods will shrink these gray areas after future guidelines are released and decrease the time it takes for all active certificates to comply with a specified policy.
HOW DOES THIS AFFECT SYSTEM AND WEB ADMINISTRATORS?
For starters, the new rule only applies to certificates issued after March 1st, 2018. This change does not affect current certificates, so don’t panic thinking you need to replace any existing certificates that were issued with a 3-year validity period. That said, if you currently use 3-year certificates and have your administration based on a 3-year renewal cycle, you should start thinking ahead about how to adjust to more frequent renewals.
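To see where an existing certificate inventory stands against the new cap, the following added example (not code from the original post) parses the `notBefore`/`notAfter` lines that `openssl x509 -noout -dates` prints, computes each certificate's lifetime, and sorts it into "ok", "grandfathered" (issued before March 1, 2018, so allowed to run to expiry) or "exceeds-cap". The inventory entries are constructed sample dates, not real certificates.

```python
from datetime import datetime

# Values from the announcement: ballot 193 caps validity at 825 days for
# certificates issued from March 1, 2018 onward.
MAX_VALIDITY_DAYS = 825
EFFECTIVE_DATE = datetime(2018, 3, 1)

def parse_openssl_dates(text):
    """Parse the two lines printed by `openssl x509 -noout -dates`.

    openssl prints e.g. 'notBefore=Mar  1 00:00:00 2018 GMT'; the trailing
    zone token is dropped and the rest is parsed as a naive UTC datetime.
    """
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        stamp = value.strip().rsplit(" ", 1)[0]        # strip the ' GMT' token
        fields[key.strip()] = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
    return fields["notBefore"], fields["notAfter"]

def classify(not_before, not_after):
    """Return (validity_days, status) for one certificate.

    ok            - within the 825-day maximum
    grandfathered - issued before the effective date with a longer lifetime;
                    the post says these run to their natural expiry
    exceeds-cap   - issued on/after the effective date but longer than 825 days
    """
    days = (not_after - not_before).days
    if days <= MAX_VALIDITY_DAYS:
        return days, "ok"
    if not_before < EFFECTIVE_DATE:
        return days, "grandfathered"
    return days, "exceeds-cap"

def audit(inventory):
    """Map {name: openssl dates text} to {name: (days, status)}."""
    return {name: classify(*parse_openssl_dates(text))
            for name, text in inventory.items()}

# Constructed sample inventory (not real certificates).
SAMPLE_INVENTORY = {
    "legacy-3yr":   "notBefore=Jan 15 00:00:00 2017 GMT\nnotAfter=Apr 15 23:59:59 2020 GMT",
    "new-at-cap":   "notBefore=Mar  1 00:00:00 2018 GMT\nnotAfter=Jun  3 23:59:59 2020 GMT",
    "new-too-long": "notBefore=Mar  1 00:00:00 2018 GMT\nnotAfter=Jun  4 23:59:59 2020 GMT",
}

if __name__ == "__main__":
    for name, (days, status) in audit(SAMPLE_INVENTORY).items():
        print(f"{name:13} {days:5d} days  {status}")
```

Feeding it the real output of `openssl x509 -in cert.pem -noout -dates` for each deployed certificate gives a quick list of which ones will need to move onto a shorter renewal cycle.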
Have questions about the 2-year validity maximum or SSL/TLS best practices in general? Just contact us. We’re happy to help.