Why did the CA/Browser Forum Announce the SSL Certificate Validity Capped?

The CA/Browser Forum recently passed ballot 193, which is the reduction of the maximum validity period for SSL/TLS Certificates from three years to two years. The SSL Certificate validity is capped at a maximum of two years. The change comes into effect on March 1st, 2018. All types of SSL/TLS Certificates and CAs are affected. The CA/Browser Forum has the responsibility to set and maintain the best practices and requirements for CAs and the certificates issued.

Longer certificate validity periods may delay global compliance with new guidelines since changes wouldn’t be in full effect until all existing certificates are expired. Reducing the maximum lifetime of certificates from three to two years assists in the reduction of the presence of older, outdated and possibly vulnerable certificates that were issued before new guidelines came into effect.

An example of this would be back when SHA1 deprecation was first announced. The maximum validity period was five years. This created challenges in the migration to SHA256 because there was a gray area of long-life certificates that had been issued with SHA1. There was a potential risk that this would still remain in use for years with an outdated algorithm. Shorter validity periods assist in shrinking these gray areas after future guidelines are released and decrease the amount of time it takes for all active certificates to comply with the specified policy.

How This Affects System and Web Administrators?

The most obvious one is that the new rule is only applicable to certificates issued after March 1st, 2018. This change doesn’t affect the current certificates, so there is no need to worry about how to replace any existing certificates issued with a three-year validity period. However, if you use a three-year certificate and your administration is based upon a three-year renewal cycle, then you should start thinking ahead on how to adjust to more frequent renewals.

This is an excellent time to remind you of the role of certificate management and inventory tools can play in simplifying administration. The majority of CAs offer these types of services, which assist in centralizing certificate activity to help you monitor where you have certificates and when they need to be renewed.

Conclusion

Regardless of the validity of the certificate, all users need to face the fact that the industry will continue to pursue shorter certificate lifetimes. Although these changes will happen over a long period of time, all users of certificates should start mentally and logistically preparing themselves for a future with yearly renewals and replacements.

If you need more information about Singapore digital certificates, just contact us at IT Solution.

442

505

VIEWS

Share Tweet Linkedin Mail Print

#mc_embed_signup{background:#fff; clear:left; font:14px Helvetica,Arial,sans-serif; } /* Add your own MailChimp form style overrides in your site stylesheet or in this style block. We recommend moving this block and the preceding CSS link to the HEAD of your HTML file. */

Subscribe to our mailing list - IT Solution Pte Ltd

* indicates required

Email Address *

Name *

Organization

By completing this form, you agree that IT Solution Pte. Ltd. will manage your personal data in accordance with the Personal Data Protection Act 2012 (“The Act”) and our data protection policy.

(function($) {window.fnames = new Array(); window.ftypes = new Array();fnames[0]='EMAIL';ftypes[0]='email';fnames[1]='FNAME';ftypes[1]='text';fnames[2]='ORGZATION';ftypes[2]='text';}(jQuery));var $mcj = jQuery.noConflict(true);