FairSSL - We make SSL EASY

3-year SSL certificates are officially over

13 April 2017

SSL/TLS certificates are limited to 825 days

This applies to all SSL certificates issued by a publicly approved CA.
The 825-day length makes it possible to renew a certificate for 2 years and still get up to 3 extra months on the new certificate.

The amendment was adopted by the CA/Browser Forum and enters into force on March 1, 2018, but it is already affecting the practice of several CAs.

What changes?

  • Reusing validation (e.g., on reissue) becomes restricted.
  • 3-year certificates may require new validation in the final year.
  • Several CAs will stop issuing 3-year certificates as early as April 2017.
  • As of March 2018, 3-year certificates are no longer possible.

Historical evolution of the maximum certificate lifetime

  • Previously: Unlimited → 60 months → 39 months
  • Now: Max. 825 days (about 27 months)

Why is the lifetime being shortened?

The aim is to increase security by ensuring faster replacement of certificates, in particular:

  • Certificates with weak or outdated technologies (e.g. SHA-1)
  • Certificates issued with outdated validation methods
  • Certificates with incorrect or misleading information
  • Certificates issued with malicious intent

Proposal for 13 months rejected

A proposal to reduce the validity to 13 months was tabled 3 weeks before the vote, but was voted down due to the administrative burden.

825 days is a compromise

The new limit is a compromise between:

  • Increased security through more frequent replacement
  • Limitation of administrative costs

What does this mean for you?

  • Existing certificates are not affected
  • Daily operation does not change significantly
  • However, you should expect to install new certificates more often
  • For organizations with many systems, this can mean more hours of work per year
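
For organizations with many certificates, the limit can be checked across an inventory. The following is an added example, not code from FairSSL or the CA/Browser Forum: it reads the output of `openssl x509 -noout -dates` and flags certificates whose validity exceeds 825 days when issued on or after March 1, 2018. The host names, the sample dates and the way validity is measured (notAfter minus notBefore) are assumptions of the example.

```python
from datetime import datetime, timedelta, timezone

MAX_VALIDITY = timedelta(days=825)                      # limit stated in the article
EFFECTIVE = datetime(2018, 3, 1, tzinfo=timezone.utc)   # date the limit enters into force
FMT = "%b %d %H:%M:%S %Y GMT"                           # date format printed by openssl

def parse_dates(text):
    """Parse the notBefore=/notAfter= lines printed by `openssl x509 -noout -dates`."""
    fields = dict(l.strip().split("=", 1) for l in text.strip().splitlines())
    def to_dt(value):
        return datetime.strptime(value, FMT).replace(tzinfo=timezone.utc)
    return to_dt(fields["notBefore"]), to_dt(fields["notAfter"])

def classify(not_before, not_after):
    """Return (validity_days, status) for one certificate."""
    span = not_after - not_before          # assumption: validity = notAfter - notBefore
    if span <= MAX_VALIDITY:
        return span.days, "ok"
    if not_before < EFFECTIVE:
        # Issued before the limit applies: existing certificates are not affected.
        return span.days, "issued-before-limit"
    return span.days, "exceeds-825-days"

# Constructed sample inventory (host -> openssl output); not real certificates.
INVENTORY = {
    "www.example.test":  "notBefore=Apr 13 00:00:00 2017 GMT\n"
                         "notAfter=Apr 13 00:00:00 2020 GMT",
    "api.example.test":  "notBefore=Mar  1 00:00:00 2018 GMT\n"
                         "notAfter=Jun  3 00:00:00 2020 GMT",
    "shop.example.test": "notBefore=Mar  2 00:00:00 2018 GMT\n"
                         "notAfter=Mar  2 00:00:00 2021 GMT",
}

def audit(inventory):
    """Classify every certificate in a host -> openssl-output mapping."""
    return {host: classify(*parse_dates(out)) for host, out in inventory.items()}

if __name__ == "__main__":
    for host, (days, status) in audit(INVENTORY).items():
        print(f"{host:20} {days:5d} days  {status}")
```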

About CA/Browser Forum

The CA/Browser Forum is an association of the largest public certificate issuers and browser manufacturers that together set common rules for SSL/TLS.
