End of Life for 3-Year OV & DV Certificates

Improving SSL/TLS certificate security by moving away from 3-year certificates

February 20, 2018, Last Day for New 3-Year Certificate Orders

To prepare for the upcoming industry-wide deprecation of 3-year certificates, DigiCert will stop accepting new 3-year public SSL/TLS certificate orders (requests) on February 20, 2018. The industry change limits the maximum allowed length of an SSL certificate to 825 days (approximately 27 months). Starting February 21, 2018, DigiCert will only offer 1- and 2-year SSL/TLS certificates. For more information about the industry move away from 3-year certificates, see CA/B Forum Votes to Shorten Certificate Lifetime Validity Periods or Ballot 193 – 825-Day Certificate Lifetimes.

 

DigiCert certificates affected by the change:
•  Standard SSL
•  Multi-Domain SSL
•  Wildcard SSL

DigiCert certificates not affected by the change:
•  Private
•  Client (S/MIME)
•  Code Signing
•  EV Code Signing
•  Document Signing
•  Extended Validation SSL
•  EV Multi-Domain SSL

How does this affect my existing 3-year certificates?

This change isn’t retroactive and doesn’t affect existing 3-year certificates if issued by February 28, 2018. These certificates retain their maximum 36- to 39-month certificate validity.

For example, on January 3, 2018, you bought a 3-year Standard SSL Certificate. We issued the certificate on January 4, 2018. You don’t need to think about replacing this certificate until November or December 2020. When your certificate nears its expiration date, instead of replacing it with a 3-year SSL certificate, you’ll need to replace it with a 2-year certificate.

How does this affect my 3-year certificate reissues and duplicate issues?

The shortened maximum certificate lifecycle period of 825 days (approximately 27 months) will impact 3-year SSL/TLS certificates when they are reissued or duplicated.

The following types of actions require you to reissue a certificate:

  • Adding a domain to a certificate
  • Removing a domain from a certificate
  • Swapping out a domain on a certificate
  • Changing organization information (name, address, phone number, etc.)
  • Duplicating a certificate

If your 3-year OV certificate was issued after March 1, 2017, be aware that during the first year of the 3-year certificate’s lifecycle, all reissued and duplicate certificates may have a shorter lifecycle than the “original” certificate, and these reissued certificates will expire first.

How do you get the expiration dates of reissued certificates back in sync with their original certificate? Reissue each out-of-sync certificate at least one time during the original certificate’s final 825-day period. Then, the reissued certificates’ expiration date will be the same as the original certificate’s expiration date.

For example:

  1. On January 1, 2018, we issued your 3-year multi-domain certificate—this is the original certificate. This certificate has a maximum validity of 39 months and expires on January 1, 2021.
  2. On March 1, 2018, you reissue the certificate.
    This reissued certificate has a maximum validity of 825 days (approximately 27 months) and expires on July 4, 2020.
  3. On June 20, 2018, you reissue the certificate.
    This reissued certificate has a maximum validity of 825 days (approximately 27 months) and expires on September 22, 2020.
  4. On July 8, 2018, you reissue the certificate again.
    This reissued certificate has the same expiration date as the “original” certificate and expires on January 1, 2021.
  5. On February 10, 2019, you reissue the certificate one last time.
    This reissued certificate again has the same expiration date as the “original” certificate and expires on January 1, 2021.

If you need to reissue a 3-year OV certificate and have questions about what to expect when the certificate is reissued, please contact your account representative (sales@digicert.com) or our Support team (support@digicert.com) before you reissue it.