SSL Certificates are only for 1 year now !

Starting on September 1st, SSL/TLS certificates cannot be issued for longer than 13 months (397 days). This change was first announced by Apple, at the CA/Browser Forum Spring Face-to-Face event in Bratislava back in March. 

Then last week, at the CA/B Forum’s Summer event (held virtually), Google announced its intention to match Apple’s changes with its own root program. 

We realize there might be a lot to unpack here, so in the interest of providing a little clarity we’re going to cover it in this blog post. 

The reason for shorter SSL/TLS certificate issuance

From a high-level, standpoint there are two primary benefits for shorter-lived certificates:

The first is the technical component – longer duration means it takes longer to organically roll out updates or changes. A real-world example would be the SHA1-to-SHA2 transition. Unless you’re going to revoke a whole bunch of certificates and force the customer to re-issue, it can take years before all of the old certificates are replaced. In the case of SHA1, it took 03. This creates risk on the entire platform(s). 

The other benefit has to do with identity – how long should the information used to validate an identity stay trusted? The longer between validation, the greater the risk. Google has said that in an ideal world domain validation would occur about every six hours. 

Before 2015 you could get an SSL/TLS certificate issued for up to five years. That was reduced to three, and then again in 2018 to two. At the end of 2019, a ballot was proposed at the CA/B Forum that would have reduced it to one year – it was voted down soundly by the Certificate Authorities.

So, why are certificates being reduced to one year?

As explained in the introduction, the CA/Browser forum is an industry group that meets to vote on a set of baseline requirements for the issuance of trusted digital certificates. What it is not, however, is a governing body. Even though the CAs expressed concerns and reluctance to decrease max validity again, Apple and Google are well within their right to update the policies for their root programs as they see fit. 

We understand that we’ve just thrown a whole bunch of industry terms at you, so let’s step back real quick and make sure the previous paragraph makes sense. 

Certificate Authorities and browsers have an interdependent relationship. Browsers need to use certificates to make trust determinations about websites and for help securing connections. On the CA side, what good is a public certificate if it’s not trusted by a browser?

The way this is all managed is through the root programs. There are four major root programs of note:

·       Microsoft

·       Apple

·       Mozilla

·       Google ( the last two known as Googzilla – lol)

Incidentally, you’ll notice those four are also behind the major browsers on both desktop and mobile. In order for a CA to have its certificates trusted by the root programs, and by extension the browsers and OSs that make use of them, it must adhere to that root program’s guidelines. The CA/B Forum is an industry forum that ideally helps to facilitate changes to the root programs (and the ecosystem itself). 

But the root programs, which participate as browsers, can still act unilaterally and make changes as they see fit. When this happens, the need for interoperability basically dictates that whatever root program policy has the most stringent standards becomes the new de facto baseline requirement. 

That’s how we got here. Now let’s talk about what this means for your website.

What shorter SSL/TLS validity means for website owners

First things first, this goes into effect September 1, 2020. So, if you’re using a two-year certificate that was issued before September 1, your certificate will stay valid until its original expiration date. You just won’t be able to renew for two years moving forward. 

Or to put it another way, you have until the first of September to get two-year certs. After that they will be relegated to the desktop recycling bin of history. 

From a bigger-picture standpoint, this might be a good time to start giving consideration to automating more of your certificate lifecycle management functions. Especially for larger organizations managing dozens of publicly-trusted website certificates, but also for organizations using publicly-trusted email certificates, as well as any organization leveraging a private CA or PKI-based electronic signatures. You might also consider moving some certificates from public to private trust, which also helps with management – you could even issue certs with longer validity using that method. 

Otherwise, the way things are headed with the root programs continuing to push for shorter validity – organizations are pretty much going to be forced to automate a lot of these things at some point in the future. 

Better to explore that now than when your feet are being pressed to the fire. 

How 7Digital Solutions® - 7DS will handle 1-year certificates

In the interest of simplicity – making the process as straightforward as possible – 7DS will provide SSL/TLS customers with the maximum validity of 360 days when they order one-year certificates starting on 31 August. This applies to new orders and renewals, to provide maximum validity for our customer’s benefit.

You will still want to renew your certificate before it expires, but since we can no longer provide up to 90 additional days to your validity, we recommend you renew 30 days prior of expiration. 

What about reissuing my certificates?

7DS will assist in reissue. However, this is limited to the first time and then a fee is chargeable. The rest works the same way it did in 2018 when we went from three-year max validity down to 2 years.

One item to note is that the EV reissue process is a bit different, due to the EV Guidelines (EVGL) requirements for reissuing certificates.  While you can still reissue your certificates, they will be queued for manual review and we’ll need to be sure all validations are up to date before we can release it.

If you have any questions about how these changes may uniquely affect your organization or website, please don’t hesitate to contact us

As always, we will continue to update you as things evolve.

God Bless !

About Us

7Digital Solutions® is an enterprise, engaged in providing international domain name registration services globally. All the domain extensions under one roof. We manage your domain name portfolio. We provide Services on TMCH (Trademark Clearing House) and Brand Monitoring Services. 7DS has a large portfolios of SSL certificates for providing security solutions online., Hosting Solutions on SSD based Servers, Security Solutions, IT Consulting, International Domain Name Registrations, Domain Name Acquisitions. Trustee Services and everything Domain Name on this Planet, is registered and enabled by 7DS for its clients.