SSL Certificates Are Now Issued 13 Months at a Time; Multi-Year Certs Need Rekeying


Oct 21, 2020 by Tim Lewis

No, you’re not crazy — you did pay for a multi-year certificate. Why is it only good for a year, you ask? The answer to that question goes back to February 2020. Ah yes, remember February? Remember going places without wearing a face covering like a Mortal Kombat character?

In February 2020, Apple decided to update their platforms to not trust certificates with a validity period of more than 398 days. Soon after, Google and Mozilla followed suit. This effectively forced the Certificate Authority/Browser (CA/B) Forum to update their own policies. As The Register said, “Short-lived certificates improve security because they reduce the window of exposure if a TLS certificate is compromised. They also help remediate normal operational churn within organizations by ensuring yearly updates to identity such as company names, addresses and active domains. As with any improvement, shortening of lifetimes should be balanced against the hardship required of certificate users to implement these changes.”

Effective September 1, 2020, all Certificate Authorities are issuing certificates with a maximum validity period of 398 days. This raises the question: what does that mean for those who bought long-term, multi-year certificates?

The Certificate Authorities are honoring your multi-year purchase, but are forcing you to re-key, re-download and re-apply your certificates every 398 days. Keeping track of SSL certificates can be confusing, annoying and time-consuming. I don’t think this move will help that at all.
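One way to keep track of the 398-day re-key cycle described above is a small inventory check. This is an added example, not code from the original post: the host names and dates are constructed, the 30-day warning window is an assumption, and the 398-day limit is applied only to certificates issued on or after the September 1, 2020 date the post gives.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

MAX_VALIDITY = timedelta(days=398)                  # limit stated in the article
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)  # effective date stated in the article

def parse_ts(ts):
    """Turn a getpeercert() timestamp ('Oct  1 00:00:00 2020 GMT') into an aware datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(ts), tz=timezone.utc)

def audit(cert, now, warn_days=30):
    """Classify one certificate dict in the shape ssl.SSLSocket.getpeercert() returns."""
    start, end = parse_ts(cert["notBefore"]), parse_ts(cert["notAfter"])
    if now >= end:
        status = "EXPIRED"
    elif start >= CUTOFF and end - start > MAX_VALIDITY:
        status = "TOO_LONG"    # issued after the cutoff and valid for more than 398 days
    elif end - now <= timedelta(days=warn_days):
        status = "REKEY_SOON"  # schedule the re-key / re-download / re-apply cycle
    else:
        status = "OK"
    return {"status": status, "days_left": (end - now).days,
            "validity_days": (end - start).days}

def fetch_cert(host, port=443, timeout=5):
    """Fetch a live certificate (needs network, so the sample run below does not call it).
    A verification error raised here is itself a finding for that host."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample inventory (hypothetical hosts, made-up dates).
SAMPLE = {
    "legacy-2yr.example":   {"notBefore": "Mar  1 00:00:00 2020 GMT", "notAfter": "Mar  1 00:00:00 2022 GMT"},
    "reissued.example":     {"notBefore": "Oct  1 00:00:00 2020 GMT", "notAfter": "Nov  3 00:00:00 2021 GMT"},
    "too-long.example":     {"notBefore": "Sep 15 00:00:00 2020 GMT", "notAfter": "Sep 15 00:00:00 2022 GMT"},
    "missed-rekey.example": {"notBefore": "Sep  2 00:00:00 2020 GMT", "notAfter": "Oct  5 00:00:00 2021 GMT"},
}

def audit_all(inventory, now):
    return {host: audit(cert, now) for host, cert in inventory.items()}

if __name__ == "__main__":
    now = datetime(2021, 10, 21, tzinfo=timezone.utc)  # fixed "today" so the run is repeatable
    for host, result in audit_all(SAMPLE, now).items():
        print(f"{host:22} {result['status']:10} {result['days_left']:5d} days left")
```

To audit real hosts, build the inventory from `fetch_cert(host)` results and pass `datetime.now(timezone.utc)` as `now`.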

However, now is the time to move as many services as you can to Let’s Encrypt, a nonprofit Certificate Authority.

If you have questions about how this impacts you or how to best track your SSL certs, we can help. Send us an email at info@mirazon.com or call us at 502-240-0404!
