Reminder: 3 Year Option for SSL Certificates ends March 1, 2018
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

Reminder: 3 Year Option for SSL Certificates ends March 1, 2018

After March 1, you’ll only be able to buy two-year certificates.

Starting on March 1, 2018, you will no longer be able to purchase 3-year SSL certificates. This change is being enforced by the Certificate Authority/Browser Forum (CAB Forum), which is more or less a regulatory body made up of CAs and Browser.

If you’ll recall, you actually used to be able to get five-year certificates. And I’ll be the first to admit, that was a bad idea. Encryption is changing so much, so quickly that if you waited five years between changing certificates you would be vulnerable by the time you renewed.

So, for the sake of user safety, the browsers have been pushing for shorter certificate validity periods. We have gone into depth on the issue of why certificates expire and why shorter certificate lengths are actually a good thing.

To refresh your memory, you have to renew certificates at regularly for two reasons:

  • Keeping your security implementations up to date.
  • The CAs need to validate you again so you stay trusted.

And before we get any further, no this is not some nefarious scheme by the Certificate Authorities so they can sell you more certificates. Google and the other browsers that participate in the CAB Forum would actually prefer validity periods of no more than 90 days. So it isn’t really the CAs pushing this.

But at any rate, replacing your certificate regularly is most important from the standpoint of your security. Let’s go back to the five-year certificates we mentioned earlier. Think about what ciphers we were using five years ago. Granted, you’d likely have had to re-issue by now on account of SHA-1, but that underscores my point. SHA-1! SHA-1 is so vulnerable that Google actually manufactured a collision to demonstrate how outmoded it had become.

Every day encryption technology evolves and the idea that you could still maintain adequate levels of security five, or even three years after issuance just isn’t plausible.

The other reason for issuance is the CAs have to re-validate you. This ensures that your information is up to date and that you’re still authorized to have certificates issued for your domain. Remember, the browsers are indicating to their users that they can trust a connection with your site on the basis that you’ve been vetted by a trusted third party. Just like with your driver’s license, you occasionally have to check in with that third party just to ensure that everything is up to date.

So, starting March 1, two years is the maximum lifespan that you can get with any SSL certificate. This change doesn’t affect EV certificates, as two years (825 days) was already the longest allowable validity period, owing to the level of trust (the unique green bar indicator) that EV SSL receives.

So here’s how this works:

  • If your SSL certificate was issued before March 1, 2018, it’s still good for however long you have left.
  • All SSL Certificates issued after March 1, 2018, may only have a maximum lifespan of 825 days.
  • DCV and organization validation information for DV and OV certificates can only be used for 825 days.

That’s right, after 825 days the CA has to validate you again. And this is retroactive, too, so however old your current certificate is, it counts against the 825 days. I’ll level with you, this is likely going to increase the time involved in the validation process as CAs are going to be forced to re-validate more often.

I’ll also point out that if you purchase a three-year certificate before the deadline, you better hope you never have to re-issue it. Or else you’re going to run into headaches.

Here’s some reasons you might have to re-issue:

  • Adding a domain to a certificate
  • Removing a domain from a certificate
  • Swapping out a domain on a certificate
  • Changing organization information (name, address, phone number, etc.)
  • Duplicating a certificate

So if you’re planning on doing any of those over the next three years, just spring for the two-year certificate and try to renew it early.

Finally, there is also chatter in the CAB Forum about eliminating certain Domain Control Validation methods such as Whois lookups.

As always, we’ll keep you posted as the industry undergoes more changes.


Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.