No More Three-Year SSL Certificates—Shorter Validity for Greater Security

No More Three-Year SSL Certificates—Shorter Validity for Greater Security

There’s been a key change in the secure sockets layer (SSL) industry that will impact the security of domains. Most notably, there will no longer be an option to purchase a three-year SSL certificate. But this shorter validity period allows for greater security. Here’s how:

What is happening?

  • In 2017, the CA/Browser Forum—the regulating body for digital certificate management— approved Ballot 193 which reduces the maximum validity term of OV and DV certificates.[1]
  • This change means it will no longer be possible for certificate authorities to issue three-year (39 month) certificates.
  • All certificates—domain validated (DV), organization validated (OV), and extended validated (EV)— will have maximum 27 month (825 days) validity.
  • This change takes effect on March 1, 2018.

Why is this happening?

  • This is one of a series of steps to increase security in the SSL industry.
  • This is not unprecedented. In 2015, the CA/Browser Forum voted to reduce the validity term of certificates from four to three years (OV and DV; EV were already two-years maximum).[2]
  • The shorter the validity term of a certificate, the more secure it is because it allows the industry to make changes and speed up compliance (vs waiting for long certificates to expire).[3]
    • Google®, owner of the most prevalent ChromeTM browser, and a champion for SSL security, supports even shorter SSL lifetimes. Google has instituted security measures of their own, such as marking non-HTTPS sites as “not secure,”[4] as well as distrusting Symantec-family certificates due to past mis-issuances.[5]
    • In 2014, SHA-1 certificates were identified for algorithm vulnerabilities and depreciated, at which time the maximum certificate lifetime of five years for OV and DV certificates posed challenges for immediate updates and full compliance.[6]

What does this mean for your certificates?

  • If you have existing three-year OV or DV certificates, they will still be valid for the full term.
  • It will not be possible to order new three-year certificates after February 28, 2018.
  • Additionally, existing three-year certificates that are reissued after March 1, 2018 will be subject to the new regulations and have a maximum validity period of two years.

CSC can assist in identifying your existing three-year certificates and discuss options. Request a consultation to speak to us about your existing SSL certificates and any requirements you have. We’re ready to talk.


[1]https://cabforum.org/pipermail/public/2017-March/009885.html; https://cabforum.org/2017/05/03/ballot-197-effective-date-ballot-193-provisions/

[2]https://www.sslsupportdesk.com/maximum-validity-of-ssl-certificates-reduced-to-3-years/

[3]https://www.globalsign.com/en/blog/ssl-certificate-validity-capped-at-maximum-two-years/

[4]https://www.cscdigitalbrand.services/blog/chrome-marks-http-sites-not-secure/

[5]https://www.cscdigitalbrand.services/blog/with-symantec-certs-untrusted-by-google-and-others-make-sure-your-domain-is-secure/

[6]https://www.globalsign.com/en/blog/ssl-certificate-validity-capped-at-maximum-two-years/