07 Apr 2017
SSL/TLS Certificate Validity Is Now Capped at a Maximum of Two Years
The CA/Browser Forum, an industry body made up of Certificate Authorities (CAs), web browsers and operating system vendors, recently passed ballot 193 to reduce the maximum validity period for SSL/TLS Certificates to 825 days (roughly 27 months, commonly rounded to "two years"). Prior to this, the maximum validity was three years (39 months) for Domain Validated (DV) and Organization Validated (OV) Certificates; Extended Validation (EV) Certificates have always been capped at 27 months.
The change goes into effect March 1, 2018 and affects all CAs and all types of SSL/TLS Certificates. Read on for more background on the new rule, how it affects end users and what GlobalSign is doing in response.
Why Reduce SSL Validity Periods?
The CA/Browser Forum is responsible for setting and maintaining best practices and requirements for CAs and the certificates they issue. Long certificate validity periods delay widespread compliance with new guidelines, because a change is not fully in effect until every certificate issued before it has expired.
Decreasing the maximum lifetime of certificates from three years to 825 days shortens the window in which older, outdated and possibly vulnerable certificates issued under previous guidelines remain in use.
For example, back when SHA-1 deprecation was first announced, the maximum validity period was five years (for DV and OV). This led to challenges in the migration to SHA-256, because long-lived SHA-1 certificates that had already been issued could legitimately remain in use for years with a deprecated algorithm. Shorter validity periods shrink that gray area after future guidelines are released and decrease the time it takes for all active certificates to comply with a specified policy.
How Does This Affect System and Web Administrators?
For starters, the new rule only applies to certificates issued on or after March 1, 2018. This change does not affect current certificates, so don't panic thinking you need to replace existing certificates that were issued with a three-year validity period; they remain valid until their notAfter date. That said, if you currently use three-year certificates and have your administration based on a three-year renewal cycle, you should start planning now for how you will adjust to more frequent renewals, since every renewal or reissue after the effective date will be capped at 825 days.
This is an excellent reminder of the role certificate management and inventory tools play in simplifying administration. Most CAs offer these types of services, which centralize certificate activity so you can see where you have certificates, how long each one was issued for and when it needs to be renewed.
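The inventory check below is an added example written for this post; it is not GlobalSign code or a GlobalSign tool. It reads the dates that `openssl x509 -in cert.pem -noout -startdate -enddate` prints for each certificate, computes the validity period, flags certificates issued on or after March 1, 2018 that exceed the 825-day cap, and lists which certificates fall inside a renewal window. It also shows the reissue truncation described later in this post: a reissue after the effective date gets the remaining lifetime or 825 days, whichever is shorter. The hostnames, the three sample records and the 30-day renewal window are constructed assumptions, not data from the post.

```python
"""Check a certificate inventory against the 825-day cap from CA/B Forum ballot 193.

Added example, not GlobalSign's code. Each inventory record holds the text that
`openssl x509 -in cert.pem -noout -startdate -enddate` prints; the records
below are constructed for illustration, and the hostnames are made up.
"""
import math
from datetime import datetime, timezone

# From the post: certificates issued on or after 1 March 2018 may be valid for
# at most 825 days (roughly 27 months).
BALLOT_193_EFFECTIVE = datetime(2018, 3, 1, tzinfo=timezone.utc)
MAX_VALIDITY_DAYS = 825
# Assumed operational lead time for renewals; not part of the CA/B rule.
RENEWAL_WINDOW_DAYS = 30

SECONDS_PER_DAY = 86400


def parse_openssl_date(value):
    """Parse a timestamp as openssl prints it, e.g. 'Apr  7 00:00:00 2017 GMT'."""
    parsed = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")
    return parsed.replace(tzinfo=timezone.utc)


def parse_openssl_dates(text):
    """Return (notBefore, notAfter) from `openssl x509 -noout -startdate -enddate` output."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        fields[key.strip()] = parse_openssl_date(value)
    return fields["notBefore"], fields["notAfter"]


def lifetime_days(not_before, not_after):
    """Validity period in whole days; a partial final day counts as a full one."""
    return math.ceil((not_after - not_before).total_seconds() / SECONDS_PER_DAY)


def reissue_validity_days(original_not_after, reissue_on):
    """Longest validity a CA can give a certificate reissued on `reissue_on`.

    Before the effective date the reissue keeps the remaining lifetime; on or
    after it, the remainder is truncated to 825 days.
    """
    remaining = lifetime_days(reissue_on, original_not_after)
    if reissue_on >= BALLOT_193_EFFECTIVE:
        return min(remaining, MAX_VALIDITY_DAYS)
    return remaining


def assess(name, openssl_output, as_of):
    """Classify one certificate: lifetime, cap compliance and renewal urgency."""
    not_before, not_after = parse_openssl_dates(openssl_output)
    days = lifetime_days(not_before, not_after)
    capped = not_before >= BALLOT_193_EFFECTIVE
    over_limit = capped and days > MAX_VALIDITY_DAYS
    days_left = math.floor((not_after - as_of).total_seconds() / SECONDS_PER_DAY)
    if days_left < 0:
        action = "expired: replace immediately"
    elif over_limit:
        action = "exceeds 825-day maximum: reissue with at most 825 days"
    elif days_left <= RENEWAL_WINDOW_DAYS:
        action = "renew now: the replacement will be capped at 825 days"
    else:
        action = "ok"
    return {
        "name": name,
        "lifetime_days": days,
        "subject_to_cap": capped,
        "over_limit": over_limit,
        "days_left": days_left,
        "action": action,
    }


def run_inventory(inventory, as_of):
    """Assess every record, most urgent (fewest days left) first."""
    results = [assess(name, text, as_of) for name, text in inventory.items()]
    return sorted(results, key=lambda r: r["days_left"])


# Constructed sample inventory: a legacy three-year cert, a post-cutoff cert that
# breaks the cap, and a post-cutoff cert issued for exactly 825 days.
SAMPLE_INVENTORY = {
    "www.example.test": "notBefore=Apr  7 00:00:00 2017 GMT\nnotAfter=Apr  7 00:00:00 2020 GMT\n",
    "api.example.test": "notBefore=Mar 15 00:00:00 2018 GMT\nnotAfter=Mar 15 00:00:00 2021 GMT\n",
    "mail.example.test": "notBefore=Apr  1 00:00:00 2018 GMT\nnotAfter=Jul  4 00:00:00 2020 GMT\n",
}

if __name__ == "__main__":
    today = datetime(2020, 3, 20, tzinfo=timezone.utc)  # fixed date so the output is reproducible
    for row in run_inventory(SAMPLE_INVENTORY, today):
        print(f"{row['name']:<20} lifetime={row['lifetime_days']:>4}d "
              f"left={row['days_left']:>4}d {row['action']}")
```

The legacy certificate issued in 2017 is not subject to the cap and is reported only because it is inside the renewal window; the certificate issued after March 1, 2018 with a three-year lifetime is the one that actually violates the rule. In a real deployment you would feed the function the output of `openssl x509` run against each certificate file or against a live endpoint via `openssl s_client`, and pass the current time instead of the fixed date used here.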
GlobalSign's Response and Timeline
GlobalSign is taking a proactive approach to the new rule and starting April 20, 2017 we will no longer issue three-year certificates. Even though the requirement doesn't take effect until March 2018, we want to limit the impact on our customers and have them prepared in advance.
One of the reasons for this is to prevent truncated validity periods when customers reissue certificates after the March 2018 effective date. For example, if we issued a three-year certificate in January 2018 and that customer needed to reissue it a few months later in April 2018, we would not be able to issue the replacement with the full remaining validity, since the roughly 33 months remaining would exceed the 825-day maximum. By limiting certificate issuance to a two-year validity in advance, we avoid this scenario.
We will work with customers individually should a need arise for a three-year certificate in the interim, and we are confident that advance preparation, communications and our global support teams will ease the transition for everyone.
Have questions about the two-year validity maximum or SSL/TLS best practices in general? Let us know in the comments or contact us directly. We’re happy to help!