Why Did the CA/Browser Forum Cap SSL Certificate Validity?
The CA/Browser Forum recently passed ballot 193, which reduces the maximum validity period for SSL/TLS Certificates from three years to two years. The change comes into effect on March 1st, 2018. All types of SSL/TLS Certificates and CAs are affected. The CA/Browser Forum is responsible for setting and maintaining the best practices and requirements for CAs and the certificates they issue.
Longer certificate validity periods may delay global compliance with new guidelines, since changes aren't in full effect until all existing certificates have expired. Reducing the maximum lifetime of certificates from three to two years helps reduce the number of older, outdated and possibly vulnerable certificates that were issued before new guidelines came into effect.
An example is the period when SHA1 deprecation was first announced. At that time the maximum validity period was five years. This created challenges in the migration to SHA256 because there was a gray area of long-life certificates that had been issued with SHA1. There was a potential risk that these certificates would remain in use for years with an outdated algorithm. Shorter validity periods help shrink these gray areas after future guidelines are released and decrease the time it takes for all active certificates to comply with the specified policy.
How Does This Affect System and Web Administrators?
The most obvious point is that the new rule applies only to certificates issued after March 1st, 2018. This change doesn't affect current certificates, so there is no need to worry about replacing any existing certificates issued with a three-year validity period. However, if you use a three-year certificate and your administration is based on a three-year renewal cycle, you should start thinking ahead about how to adjust to more frequent renewals.
This is an excellent time to remind you of the role certificate management and inventory tools can play in simplifying administration. The majority of CAs offer these types of services, which centralize certificate activity to help you monitor where you have certificates and when they need to be renewed.
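As an added illustration of the inventory check described above (this is example code written for this page, not a CA's tool), the following script classifies certificates by issue date and lifetime against the two-year cap and flags upcoming renewals. The host names, the sample dates, the 30-day renewal window and the choice to measure "two years" in calendar years are assumptions.

```python
import ssl
from datetime import datetime, timedelta, timezone

# From the article: the cap applies from March 1st, 2018 and is "two years".
# Measuring it in calendar years, and the 30-day alert window, are assumptions.
EFFECTIVE = datetime(2018, 3, 1, tzinfo=timezone.utc)
CAP_YEARS = 2
RENEW_WINDOW = timedelta(days=30)

# Constructed inventory (hypothetical hosts): host, notBefore, notAfter in the
# date format printed by `openssl x509 -noout -dates`.
INVENTORY = [
    ("old.example.test", "Feb  1 00:00:00 2016 GMT", "Jan 31 23:59:59 2019 GMT"),
    ("www.example.test", "Jun 15 00:00:00 2017 GMT", "Jun 14 23:59:59 2020 GMT"),
    ("api.example.test", "Apr  2 00:00:00 2018 GMT", "Apr  1 23:59:59 2021 GMT"),
    ("mail.example.test", "May 10 00:00:00 2018 GMT", "May  9 23:59:59 2020 GMT"),
    ("vpn.example.test", "Mar 20 00:00:00 2018 GMT", "Mar 19 23:59:59 2019 GMT"),
]

def parse(ts):
    """Convert an OpenSSL-style certificate timestamp to an aware datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(ts), tz=timezone.utc)

def add_years(dt, years):
    try:
        return dt.replace(year=dt.year + years)
    except ValueError:  # issued on Feb 29 and the target year is not a leap year
        return dt.replace(year=dt.year + years, day=28)

def audit(inventory, now):
    """Map each host to its findings: lifetime against the cap, then expiry."""
    report = {}
    for host, nb, na in inventory:
        not_before, not_after = parse(nb), parse(na)
        findings = []
        if not_after > add_years(not_before, CAP_YEARS):
            # Long-lived certificates issued before the effective date stay valid.
            findings.append("over-cap" if not_before >= EFFECTIVE else "grandfathered")
        if not_after <= now:
            findings.append("expired")
        elif not_after - now <= RENEW_WINDOW:
            findings.append("renew-soon")
        report[host] = findings
    return report

if __name__ == "__main__":
    for host, findings in audit(INVENTORY, datetime.now(timezone.utc)).items():
        print(f"{host:20} {', '.join(findings) or 'ok'}")
```

A "grandfathered" finding marks a certificate that can run to expiry but will need a shorter replacement at its next renewal.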
Regardless of the validity of the certificate, all users need to face the fact that the industry will continue to pursue shorter certificate lifetimes. Although these changes will happen over a long period of time, all users of certificates should start mentally and logistically preparing themselves for a future with yearly renewals and replacements.
If you need more information about Singapore digital certificates, just contact us at IT Solution.