3-year options for SSL certificates are no longer available.
3 Year Option for SSL Certificates ends March 1, 2018
After March 1, you’ll only be able to buy two-year certificates.
Starting on March 1, 2018, you will no longer be able to purchase 3-year SSL certificates. This change is being enforced by the Certificate Authority/Browser Forum (CAB Forum), which is more or less a regulatory body made up of CAs and browsers.
To refresh your memory, you have to renew certificates regularly for two reasons:
- Keeping your security implementations up to date.
- The CAs need to validate you again so you stay trusted.
And before we get any further, no, this is not some nefarious scheme by the Certificate Authorities so they can sell you more certificates. Google and the other browsers that participate in the CAB Forum would actually prefer validity periods of no more than 90 days. So it isn’t really the CAs pushing this.
But at any rate, replacing your certificate regularly is most important from the standpoint of your security. Let’s go back to the five-year certificates we mentioned earlier. Think about what ciphers we were using five years ago. Granted, you’d likely have had to re-issue by now on account of SHA-1, but that underscores my point. SHA-1! SHA-1 is so vulnerable that Google actually manufactured a collision to demonstrate how outmoded it had become.
Encryption technology evolves every day, and the idea that you could still maintain adequate levels of security five, or even three, years after issuance just isn’t plausible.
The other reason for regular renewal is that the CAs have to re-validate you. This ensures that your information is up to date and that you’re still authorized to have certificates issued for your domain. Remember, the browsers are indicating to their users that they can trust a connection with your site on the basis that you’ve been vetted by a trusted third party. Just like with your driver’s license, you occasionally have to check in with that third party just to ensure that everything is up to date.
So, starting March 1, two years is the maximum lifespan that you can get with any SSL certificate. This change doesn’t affect EV certificates, as two years (825 days) was already the longest allowable validity period, owing to the level of trust (the unique green bar indicator) that EV SSL receives.
So here’s how this works:
- If your SSL certificate was issued before March 1, 2018, it’s still good for however long you have left.
- All SSL Certificates issued after March 1, 2018, may only have a maximum lifespan of 825 days.
- DCV and organization validation information for DV and OV certificates can only be used for 825 days.
That’s right, after 825 days the CA has to validate you again. And this is retroactive, too, so however old your current certificate is, it counts against the 825 days.
We'd also point out that if you purchase a three-year certificate before the deadline, you had better hope you never have to re-issue it, or else you’re going to run into headaches.
Here are some reasons you might have to re-issue:
- Adding a domain to a certificate
- Removing a domain from a certificate
- Swapping out a domain on a certificate
- Changing organization information (name, address, phone number, etc.)
- Duplicating a certificate
So if you’re planning on doing any of those over the next three years, just spring for the two-year certificate and try to renew it early.
Finally, there is also chatter in the CAB Forum about eliminating certain Domain Control Validation methods such as Whois lookups.
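The 825-day rules and the re-issue caveat above can be checked against a certificate inventory. The following is an added example, not code from the original article: the host names, dates and the `audit` helper are constructed, and it assumes a re-issued certificate counts as a new issuance capped at 825 days from the re-issue date.

```python
import ssl
from datetime import datetime, timedelta, timezone

MAX_DAYS = 825  # cap stated in the article
CUTOFF = datetime(2018, 3, 1, tzinfo=timezone.utc)  # deadline stated in the article

def parse(cert_time):
    """Parse 'Mar  1 00:00:00 2018 GMT', the form printed by openssl and ssl.getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)

def audit(not_before, not_after, last_validated, today):
    """Check one certificate against the 825-day rules; all arguments are cert-time strings."""
    issued, expires, now = parse(not_before), parse(not_after), parse(today)
    lifetime = (expires - issued).days
    if issued < CUTOFF:
        status = "grandfathered"  # issued before the deadline: valid until it expires
    elif lifetime <= MAX_DAYS:
        status = "compliant"
    else:
        status = "over-limit"
    # Validation data may be reused for 825 days from the day it was collected.
    revalidate_by = parse(last_validated) + timedelta(days=MAX_DAYS)
    # Assumption: a re-issue is a new issuance, so it cannot run past now + 825 days.
    reissue_expiry = min(expires, now + timedelta(days=MAX_DAYS))
    return {
        "status": status,
        "lifetime_days": lifetime,
        "revalidation_needed": now > revalidate_by,
        "days_lost_on_reissue": (expires - reissue_expiry).days,
    }

# Constructed inventory: (name, notBefore, notAfter, date of last validation).
INVENTORY = [
    ("www.example.test", "Feb 15 00:00:00 2018 GMT", "Feb 15 00:00:00 2021 GMT", "Feb 10 00:00:00 2018 GMT"),
    ("shop.example.test", "Apr  1 00:00:00 2018 GMT", "Apr  1 00:00:00 2021 GMT", "Mar 30 00:00:00 2018 GMT"),
    ("mail.example.test", "Apr  1 00:00:00 2018 GMT", "Apr  1 00:00:00 2020 GMT", "Jan  1 00:00:00 2016 GMT"),
]

if __name__ == "__main__":
    today = "Jun  1 00:00:00 2018 GMT"  # constructed audit date
    for name, nb, na, validated in INVENTORY:
        print(name, audit(nb, na, validated, today))
```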
As always, we’ll keep you posted as the industry undergoes more changes.