17.07.2017

SSL certificates with three-year lifetimes will soon be history

From March 1, 2018, SSL certificates with a three-year lifetime will be taken off the market.


There will be changes regarding the lifetime of SSL certificates from March 1, 2018: Three-year certificates will be phased out. This has been decided in a ballot of the CA/browser forum with 24 Yes votes, zero No votes and three abstentions. Users should already avoid purchasing such certificates today.

Limiting the lifetime to a maximum of 825 days

Two years ago users could still purchase SSL certificates with four-year validity periods. But on March 1, 2015, it was decided that four-year certificates would be phased out, leaving only one, two, or three-year certificates up for purchase. Now three-year certificates are being taken off the market as well. The lifetime of an SSL certificate after March 1, 2018, will be limited to a maximum of 825 days. This number results from the option to transfer over a three-month remaining lifetime and thanks to a three-day transition period. This is illustrated in the following sample calculation: 365 days for the first year + 365 days for the second year + 31 days for the first month of the remaining lifetime + 31 days for the second month of the remaining lifetime + 31 days for the third month of the remaining lifetime + 3 days transition period = 825 days. It should be assumed that certificates with a two-year lifetime will also be taken out of portfolios in the mid-term, making one-year certificates the standard.

The danger of loosing certificate lifetimes

Some providers already adjusted their portfolios and removed three-year certificates from their product range. Others however are still offering the certificates. In any case it can no longer be recommended to purchase certificates with a three-year lifetime. In case the certificate is renewed, this could lead to an annoying loss in validity period. In 2014 the Heartbleed Bug required the renewal of almost every SSL certificate. Should a similar case occur after the deadline in March next year, the validity period would be cut-off at 825 days. A certificate issued on February 28, 2018 would then have to be renewed on March 1, with a lifetime of 825 days. The new certificate would technically have a remaining lifetime of 1,094 days. But due to the new regulation that limits the certificate lifetime to 825 days, this would lead to loosing 296 days. Another factor to take into consideration is that the time of issuance of the certificate is crucial for determining the certificate lifetime, and not the time of the application. This means that the manual validation process, which can prove lengthy, has to be taken into account when purchasing an SSL certificate. Since it can take up to a month for a certificate to be issued in some cases, ordering three-year certificates is already risky now.

Reasons for limiting the certificate lifetimes

Limiting SSL certificates to ever-shorter lifetimes essentially has two reasons: one goal is to rid the market of outdated encryption standards by shortening lifetimes, making the Web a safer place. On the other hand certification authorities hope to gain the ability to react more flexibly to security vulnerabilities, optimizing certificates faster.


comments powered by Disqus