Upcoming Baseline Requirement Changes

39 Month Maximum Certificate Validity: April 2015

Requirement: Beginning April 01, 2015, certificates will be limited to a maximum validity of 39 months.

Important Upcoming Dates:

  • 30 March 2015: GlobalSign removes options for 4 or 5-year certificates and limits certificate validity period to 39 months to comply with CAB Forum BRs.

  • 30 March 2015: Reissuing of certificates will be limited to a maximum of 39 months. This also applies to certificates issued when adding or removing SANs.

Please note:

All customers who purchase 4 or 5 year certificates today will be impacted when they attempt to reissue their certificate. If a customer reissues a certificate after April 2015 that contains a validity period longer than 39 months, the validity period will be truncated because certificates can only be reissued for the first 39 months of life. GlobalSign's ordering system currently warns users of these upcoming changes if they choose to purchase a 4 or 5 year certificate.

Recommendations:

GlobalSign strongly recommends not issuing 4 or 5-year certificates. If you are a GlobalSign partner, we encourage you to sell 1 to 3 year certificates and discourage the use of 4 and 5 year certificates to ensure customer satisfaction and avoid customers receiving certificates with a shorter validity period than the prior certificate.

39 Month Maximum Re-use of Vetting Information: April 2015

Requirement: Beginning April 01, 2015, the data used to verify certificate information is only valid for up to 39 months (this applies to issuance and reissuance). When issuing a certificate, the data used for issuance (enterprise vetting and domain control) must be less than 39 months old. If the data is older than 39 months, it must be revalidated prior to issuing a new certificate.

Important Upcoming Dates:

  • 30 March 2015: GlobalSign limits reissuance of certificates to the first 39 months to comply with BRs.

Please note:

All customers who purchase 4 or 5 year certificates today will be impacted when they attempt to reissue their certificate. If a customer reissues a certificate after April 2015 that contains a validity period longer than 39 months, the validity period will be truncated because certificates can only be reissued for the first 39 months of life. GlobalSign's ordering system currently warns users of these upcoming changes if they choose to purchase a 4 or 5 year certificate.

Recommendations:

GlobalSign strongly recommends not issuing 4 or 5-year certificates. If you are a GlobalSign partner, we encourage you to sell 1 to 3 year certificates and discourage the use of 4 and 5 year certificates to ensure customer satisfaction and avoid customers receiving certificates with a shorter validity period than the prior certificate.

Internal Server Name Deprecation: Nov 2015

Requirement: On November 22nd, 2011, the CA/Browser Forum outlined the following Baseline Requirement: "The CA shall not issue a certificate with an expiration date later than November 1st, 2015 with a SAN or Subject Common Name field containing a Reserved IP address or Internal Server Name. Effective October 1st, 2016, CAs are required to revoke all unexpired certificates whose SAN or Subject Common Name field contains a Reserved IP Address or Internal Server Name."

Important Upcoming Dates:

  • 26 October 2015: GlobalSign stops issuing certificates with Internal Names in the CN or SAN.

  • 01 October 2016: CAs shall revoke all unexpired Certificates whose subjectAlternativeName extension or Subject Common Name field contains a Reserved IP Address or Internal Name.

Recommendations:

For further details on this Baseline Requirement, please visit: https://support.globalsign.com/customer/portal/articles/1467819

Deprecation of SHA-1: January 2017

Requirement: Beginning January 1st 2017, Microsoft will stop trusting SHA-1 Certificates issued under public roots. This applies to all SSL, Code Signing, Client Certificates and CA Certificates (except Root CA certificates) issued under publicly trusted roots. While the CA/B Forum has yet to specify in its Baseline Requirements that SHA-256 hashing must be used, GlobalSign has decided to support the industry decision led by Microsoft.

The CA/Browser Forum is actively discussing new Baseline Requirements that align with the Microsoft and Google policies and will prohibit SHA-1 SSL certificates from being valid past 31 December 2016. The planned effective date for this requirement is 16 January 2015. GlobalSign is continuing to participate in industry forums and will report on changes as they are announced so we can keep our customers up to date on any milestone changes.

Important Upcoming Dates:

  • 17 November 2014: The maximum validity of GlobalSign SHA-1 SSL certificates will be changed from 3 years to 1 year.

  • 19 December 2015*: GlobalSign will no longer offer Certificates with the SHA-1 hashing algorithm

  • January 2017*: GlobalSign will no longer re-issue SHA-1 Certificates.

  • January 2017*: Microsoft will cease trusting SSL certificates using SHA-1

  • *If Microsoft should change its date of January 2017, GlobalSign may review its associated dates.

Google and Mozilla Upcoming Changes

Google's Timeline

Google's Chrome/Chromium browser will behave differently depending on the version and the expiration date of the SSL certificate. Note that SHA-1 SSL certificates that are valid past 1/1/2016 will show as untrusted in Chromium 41. Based on past release cycles, we expect Chrome 41 to be available 10 February 2015.

For further information read GlobalSign's blog: Google to display warnings on sites that use SHA-1 Certificates

Mozilla's Timeline

Mozilla's timeline is also based primarily around certificate expiration dates and is more in line with Microsoft's timeline. Note that after January 01, 2017, Firefox will not trust any SHA-1 certificate.

  • Certificate Expires After January 01, 2017: Warning displayed in Firefox

  • Certificate Issued After January 1, 2016: "Untrusted Connection" message to be displayed in Firefox

For further information read GlobalSign's blog: Mozilla Also Adding Security Warnings for SHA-1

Please Note:

Users are urged to obtain SHA-256 Certificates and verify there are no issues with their web clients or legacy systems. In the event a SHA-256 Certificate does not support your needs, you may reissue to a SHA-1 Certificate.

Recommendations:

For more information on the migration to SHA-256 and to check compatibility with your servers and applications, please see https://support.globalsign.com/customer/portal/articles/1447169
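The validity, internal-name and SHA-1 deadlines above can be checked against a certificate inventory before reissuing. The following is an added example, not GlobalSign code: the record layout, the `PUBLIC_TLDS` subset and the sample inventory are constructed assumptions, and "Reserved IP" is approximated by Python's `is_global` flag.

```python
import ipaddress
from datetime import date

# Assumption: small constructed subset of the IANA root zone; a real audit
# would load the full TLD list.
PUBLIC_TLDS = {"com", "net", "org", "io", "uk"}

def is_internal_or_reserved(name):
    """True for a non-global IP address or a name without a public TLD."""
    try:
        return not ipaddress.ip_address(name).is_global
    except ValueError:
        pass  # not an IP literal, treat it as a DNS name
    labels = name.lower().rstrip(".").split(".")
    return len(labels) < 2 or labels[-1] not in PUBLIC_TLDS

def months_between(start, end):
    """Calendar months from start to end, a partial month counted as one."""
    months = (end.year - start.year) * 12 + (end.month - start.month)
    return months + (1 if end.day > start.day else 0)

def audit(cert):
    """Return the deadlines on this page that one certificate record misses."""
    findings = []
    nb, na = cert["not_before"], cert["not_after"]
    if nb >= date(2015, 4, 1) and months_between(nb, na) > 39:
        findings.append("validity exceeds 39 months")
    if na > date(2015, 11, 1) and any(map(is_internal_or_reserved, cert["names"])):
        findings.append("internal name or reserved IP, expires after 1 Nov 2015")
    sig = cert["sig_alg"].lower().replace("-", "")
    if "sha1" in sig and na > date(2016, 12, 31):
        findings.append("SHA-1 signature valid past 31 Dec 2016")
    return findings

# Constructed sample inventory (CN and SAN entries merged into "names").
INVENTORY = [
    {"names": ["www.example.com"], "sig_alg": "sha256WithRSAEncryption",
     "not_before": date(2015, 5, 1), "not_after": date(2016, 5, 1)},
    {"names": ["mail.corp.local", "10.0.0.5"], "sig_alg": "sha1WithRSAEncryption",
     "not_before": date(2015, 5, 1), "not_after": date(2019, 5, 1)},
    {"names": ["intranet"], "sig_alg": "sha256WithRSAEncryption",
     "not_before": date(2014, 6, 1), "not_after": date(2015, 10, 1)},
]

if __name__ == "__main__":
    for cert in INVENTORY:
        print(cert["names"], audit(cert) or "ok")
```
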

Certificate Transparency (RFC 6962)

Requirement: Beginning February 1st 2015, Google Chrome will not display the Green Bar associated with EV SSL Certificates if the certificate is not Certificate Transparency (CT) compliant.

Certificate Transparency (CT) is being promoted by Google to help enterprise users detect possible mis-issuance of certificates. The requirement involves posting EV SSL Certificates to publicly accessible Qualified CT Logs. These logs can be monitored by enterprises and they can track issuance of certificates to their domains and then take corrective action if mis-issuance has been detected. If EV SSL Certificates are not CT compliant, then Chrome will not display the distinctive green bar starting in February 2015.

GlobalSign will be posting all publicly visible EV SSL Certificates to qualified CT logs in 2014 in order to have them added to the Google CT whitelist. Those certificates not visible on the internet will not be posted unless requested by a customer. In the event that an EV Certificate is not whitelisted, it can be reissued and posted at that time. Starting in January 2015, EV certificates will be published to the CT logs during issuance by default; however, users will be able to opt out of this if they do not want CT compliant certificates (for example, certificates used internally, which may disclose internally accessible server names that they consider sensitive). GlobalSign ordering pages and APIs will be updated to allow users to opt out of CT when ordering EV Certificates.

Important Upcoming Dates:

  • 01 December 2014: GlobalSign will post all publicly accessible EV SSL Certificates to one or more Qualified CT logs to be whitelisted.

  • 15 December 2014: GlobalSign will update the ordering pages and APIs to allow users to opt-out of CT. The default will be to issue EV SSL Certificates that are CT compliant.

Recommendations: Please continue to watch for updates regarding Certificate Transparency.