The CA/Browser Forum (CAB Forum) comprises the world’s leading CAs and browser vendors. The CAB Forum meetings and discussions attempt to build consensus on rules and guidelines about global digital certificate practices. One common topic is how to shorten certificate lifetimes. The goal is to accelerate security efforts and minimize the potential damage caused by mis-issuance. A good example of this is the recent SHA-1 deprecation. Shorter validity periods would have reduced the time required to migrate away from SHA-1 and improve the entire ecosystem.
This topic led to a recent CAB Forum vote that shortened the validity period of certificates to 825 days beginning March 1, 2018. The ballot also had an unintended consequence. Domain Validated (DV) and Organization Validated (OV) certificate owner information could originally be reused for up to 39 months. However, effective April 22, 2017, this reuse period will be shortened to 825 days—unless a corrective ballot passes.
When this new ballot takes effect, CAs will need to modify their systems to only permit certificate issuance if the identity of an applicant was within 825 days. To ease the process, we are reaching out to affected customers to assist them in quickly revalidating their information. This will allow them to continue issuing certificates from their enterprise accounts.
Enterprise teams should plan for shorter validity periods. Starting March 1, 2018, DV and OV certificates will have a maximum lifecycle of 27 months (825 days) before they must be renewed. Some CAB Forum members have expressed an interest in dropping the validity period to 13 months in coming years. We encourage everyone to share their opinions with us and the CA/Browser community about what obstacles their organization might face in migrating to 13 month, or shorter, validity periods.
We understand that these changes will require additional work for many enterprise teams, including our customers. Our support team is ready to assist in simplifying the process.
In security, we regularly balance improvements to the ecosystem with the impacts these changes have on organizations. In this case, DigiCert supports the effort to shorten the time required to enact changes across the TLS landscape to confront evolving security threats. We feel that this change brings DV and OV certificate lifetimes in line with EV certificates, which currently only have two-year validity.
We remain highly committed to providing award-winning support and advancing PKI automation to help our customers succeed. We welcome your feedback.