Announcement:
Shortening Maximum Validity Periods for OV & DV Certificates

Improving SSL/TLS certificate security by moving away from 3-year OV & DV certificates

What You Need to Know

End of life coming for 3-year OV and DV certificates

Early 2017, the CA/Browser Forum (a voluntary conglomerate that promotes the industry guidelines governing the issuance and management of digital certificates) voted to reduce the maximum certificate lifetime to 825 days for Organization Validated (OV) and Domain Validated (DV) SSL/TLS certificates. This change to OV and DV certificate maximum validity periods will help accelerate the implementation of certificate security efforts and improvements (e.g., SHA-1 deprecation). For more information, see CA/B Forum Votes to Shorten Certificate Lifetime Validity Periods or Ballot 193 – 825-Day Certificate Lifetimes.

As of March 1, 2018, Certificate Authorities (CAs) will no longer issue 3-year OV and DV certificates. Additionally, all OV and DV certificate reissues and duplicate issues after February 28, 2018 can only have a maximum validity of 825 days (approximately 27 months) regardless of how much time remains on the certificate (e.g., 1,064 days).

Take note that the original 3-year OV and DV certificate, if issued prior to March 1, 2018, will retain its 39-month certificate validity; only the reissued and duplicate certificates of the original certificate will be subject to the shortened maximum certificate lifecycle period of 825 days.

Immediate Changes to Certificate Management

Background

Before a CA can issue a DV or OV certificate for a domain(s), we must validate the requestor’s domain control or Domain Control Validation (DCV) (i.e., The certificate requestor is authorized to order certificates for the domain(s)); for OV certificates, we must also validate organization information presented in the certificate (i.e., The certificate is for Example, Inc. in Marina del Rey, CA).

Once these initial validation checks were completed, the DCV and organization documentation could be reused for up to 39 months—the maximum lifetime of a DV or OV certificate. However, after Ballot 193 – 825-Day Certificate Lifetimes was passed, it shortened the reuse period for this information.

Revalidate DCV and Organization Information Older Than 825 Days

DCV and organization validation information for OV and DV certificates can only be reused for up to 825 days. If any of the validation information (DCV or organization) is older than 825 days, we must revalidate it before processing a certificate reissue, renewal, or issue.

Because this change was retroactive, all validation information—regardless of when it was collected—is subject to the 825-day reuse period change.

The shortened reuse period for OV and DV certificate DCV information and OV certificate organization validation information may increase the time needed to issue, reissue, duplicate, or renew a certificate because we will need to revalidate any of your domain control or your organization information that is older than 825 days.

If possible, we recommend our customers try to avoid leaving needed certificate renewals or reissues until the last minute. If you do need to wait, please contact our Support team at support@digicert.com ahead of time, so we can make sure all validation information is up-to-date and ready.

March 1, 2018 Changes to Certificate Management

Deprecating 3-Year OV and DV Certificates

After February 28, 2018, you will no longer be able to order a 3-year DV or OV certificate. If you currently use 3-year OV or DV certificates, we recommend that you make plans to move to 2-year certificates immediately. Shortened certificate lifecycles mean certificate renewals will come around one year sooner, which may affect budgets and how you manage your certificates.

DigiCert certificates affected by the change:

  • Standard SSL
  • Multi-Domain SSL
  • Wildcard SSL

DigiCert certificates not affected by the change:

  • Private
  • Client (S/MIME)
  • Code Signing
  • EV Code Signing
  • Extended Validation SSL
  • EV Multi-Domain SSL
  • Document Signing

Existing 3-Year Certificates

This change is not retroactive for the “original” 3-year OV and DV certificates. Come March 1, 2018, all existing 3-year OV and DV certificates will retain their original 39-month validity period.

Impact on 3-Year Certificate Reissues

If your 3-year OV or DV certificate was issued after March 1, 2017, be aware that during the first year of the 3-year certificate’s lifecycle, all reissued and duplicate certificates may have a shorter lifecycle than the “original” certificate (i.e., the expiration dates of the original certificate and first-year reissues will be out of sync).

As of March 1, 2018, CAs can no longer issue OV or DV certificates with a validity period greater than 825 days (approximately 27 months). This includes certificate reissues and duplicates for 3-year OV and DV certificates. If you reissue or create a duplicate of a 3-year OV or DV certificate after March 1, 2018, the “reissued” certificate can only have a maximum validity period of 825 days, even if the “original” 3-year certificate is still valid for another 35 months.

For example, if you order a 3 year, single-name Standard SSL certificate for “example.com” on November 5, 2017, the issued certificate would have a maximum expiration date of February 5, 2021 (39 months after the issuance date). DigiCert could successfully issue that certificate with the maximum expiration date (39 months) at that time.

If this same order was later reissued on January 5, 2018, the “reissued” certificate would maintain its full validity and would still expire on February 5, 2021.

If this same Order was again reissued on March 5, 2018, the changes to maximum validity (introduced on March 1, 2018) would affect the maximum expiration date of the “reissued” certificate. Instead of expiring on February 5, 2021, this “reissued” certificate would expire on February 8, 2020—825 days after the issuance date (March 5, 2018).

This example is also true for duplicates created under Orders that support the “Duplicate” feature.

If you need to reissue a 3-year OV or DV certificate and the certificate reissue will be completed after February 28, 2018, and you have questions about what to expect when the certificate is reissued, please contact our Support team at support@digicert.com before you reissue it.

The following types of actions require you to reissue a certificate:

  • Adding a domain to a certificate
  • Removing a domain from a certificate
  • Swapping out a domain on a certificate
  • Changing organization information (name, address, phone number, etc.)
  • Duplicating a certificate