Upcoming Baseline Requirement Changes


Explanation of Key Dates:

2017

January - March 2017

End of Trust for SHA-1 SSL

During this time frame Google, Mozilla and Microsoft stop supporting SHA-1 SSL entirely. For more information view GlobalSign Blog Post: The End of SHA-1 for SSL Is Here – Are You Ready?

September 7, 2017

All CAs must support CAA checking

Certification Authority Authorization (CAA) is a control to restrict which CAs can issue certificates for a particular domain name. By configuring the DNS CAA record, Domain owners can specify which Certification Authorities are authorized to issue certificates on behalf of that domain name.

- If no CAA record is present, any CA is allowed to issue certificates for that domain name.
- If a CAA record is present, only the CAs listed in the record(s) are allowed to issue certificates for that domain.

View GlobalSign Blog Post for more information: What Is the CA/Browser Forum and What Is Its Role in Internet Security?

August - December 2017

GlobalSign defaults all OV SSL Certificates to use CT

GlobalSign currently supports CT for OV certificates for those customers that request this. In the Fall/Winter time, GlobalSign will change all accounts to use CT by default and those customers that want to opt-out will be able to do so. At this point all GlobalSign SSL Certificates will be compliant with the Google CT policy unless a GlobalSign Account has opted out of CT.

For more information view GlobalSign Blog Post: Google Formalizes Certificate Transparency Policy for Non EV Certificates.

2018

March 2018

SSL Certificates and the re-use of Vetting Information is limited to a maximum validity of 825 days (Ballot 193)

SSL Certificates from all CAs will be limited to a maximum validity of 825 days (approximately 27 months).

April 2018

Google mandates CT for all certificates in order to be trusted in Chrome

Google requires Certificate Transparency for all newly issued, publicly trusted certificates starting in April 2018. View Google's updated announcement on CT here: Certificate Transparency in Chrome - Change to Enforcement.