Last year, Certificate Authorities and web browser vendors voted to get rid of three-year TLS/SSL certificates in the CA/B Forum, an industry body which sets standards for publicly trusted TLS certificates.
That change will now take effect on March 1, 2018. After that date, the new maximum validity period for publicly trusted SSL certificates will be 825 days—which is a 2-year certificate with some additional time to allow for the replacement process. This is an industry-wide requirement and all Certificate Authorities will be required to comply.
This will align the maximum validity for DV and OV certificates with Extended Validation (EV) certificates. EV certificates have been limited to a 2-year maximum since their introduction in 2007, so this change will have no effect on these certificates.
will stop accepting requests for three-year certificates on Tuesday, February 20, 2018. This is to ensure there is enough time to validate and issue all requests before the industry deadline.
endorsed and voted for this CA/B Forum initiative as part of our advocacy for shorter certificate lifetimes.
While shorter certificate lifetimes may seem like a hassle for administrators, this reduction will make the web PKI more agile. Right now, the internet has to be concerned about the “long tail” of certificates—which expire up to 39 months from today.
Under those constraints, any changes made to industry standards, such as validation methods, signature algorithms, or key lengths, would take more than three years to completely take effect. This was an issue with the deprecation of the SHA-1 signature algorithm and RSA 1024-bit keys. In those scenarios, end-user security couldn’t wait for the natural expiration of these certificates, leading to cutoffs that required site operators to replace certificates mid-lifecycle.
It may not seem entirely intuitive, but with shorter lifetimes it’ll be reasonable to wait for the natural expiration of certificates, which will actually create less maintenance—and of course a safer internet.