No, you’re not crazy — you did pay for a multi-year certificate. Why is it only good for a year, you ask? The answer to that question goes back to February 2020. Ah yes, remember February? Remember going places without wearing a face covering like a Mortal Kombat character?
In February 2020, Apple decided to update their platforms to not trust certificates with a validity period of more than 398 days. Soon after, Google and Mozilla followed suit. This effectively forced the Certificate Authority/Browser (CA/B) Forum to update their own policies. As The Register said, “Short-lived certificates improve security because they reduce the window of exposure if a TLS certificate is compromised. They also help remediate normal operational churn within organizations by ensuring yearly updates to identity such as company names, addresses and active domains. As with any improvement, shortening of lifetimes should be balanced against the hardship required of certificate users to implement these changes.”
Effective September 1, 2020 all Certificate Authorities are issuing certificates with a maximum validity period of 398 days. This begs the question, what does that mean for those who bought long-term multiyear certificates?
The Certificate Authorities are honoring your multiyear purchase, but are forcing you to re-key, re-download and re-apply your certificates every 398 days. Keeping track of SSL certificates can be confusing, annoying and time consuming. I don’t think this move will help that at all.
However, now is the time move as many services as you can to Let’s Encrypt, a nonprofit Certificate Authority.