In accordance with the CA/Browser Forum’s Baseline Requirements, effective April 1, 2015, Certificate Authorities will no longer be able to issue SSL Certificates with a validity period longer than 39 months. There is an exception to this rule, but the exception should only apply to extremely rare circumstances.
The current requirements stipulate a validity period no longer than 60 months; however, this will drop to a 39 month maximum unless the certificate is for a system or software that:
- Was in use prior to April 1, 2015;
- Is currently in use by the applicant or a substantial number of relying parties;
- Fails to operate if the validity period is shorter than 60 months;
- Does not contain known security risks to relying parties; and
- Is difficult to patch or replace without substantial economic outlay.
A shortened validity period will significantly improve Internet security by requiring administrators to renew and verify their certificates more often. It will also make it easier for users to keep up-to-date on new advances in security and remain aware of their control over private keys. Shorter validity periods ensure that when vulnerabilities become known, CAs can replace the certificates in a timely manner, eliminating the need for a long cycle in improvements.
How the Change Affects DigiCert Customers
Although some other Certificate Authorities offer certificates for periods longer than 3 years, DigiCert customers won’t see a dramatic change—DigiCert has long supported the need for shorter validity periods and historically has only offered SSL Certificates with up to a 3-year validity period. We believe that these shorter validity periods allow optimal usability while maintaining the tightest security on your network. Three years is long enough to avoid overly burdening administrators, but allows for updates that are regular enough to ensure best security practices.
If you have questions about the validity period of your current certificates, you can always contact DigiCert Support. We also offer a large selection of tools to help you manage and maintain your certificate landscape. The Certificate Inspector can help you discover, scan, and analyze your environment, and renewing expiring certificates is easy with the express installation feature.