
As of 1 September 2020, only SSL/TLS server certificates with a lifetime of less than 398 days can be created, i.e. approximately 1 year and 1 month. Existing certificates issued up to and including 31 August 2020 can technically be valid for up to 825 days, i.e. approximately 2 years and 3 months.

As long as the certificate is issued no later than August 2020, it can be issued for up to 825 days. Certificates that still have more than 90 days remaining can also be extended today with most issuers. Contact us.

If a certificate with more than 397 days left needs to be reissued after 31 August 2020, the reissue will reduce it to 397 days. It will usually be possible to reissue the certificate free of charge in several rounds and in this way get the full time that was purchased.

The change does not affect "internal" certificates issued from an internal CA that the user or administrator has added to the computer's approved issuers.
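The limits above can be checked mechanically. The following is an added example, not code from the original page: it tests validity dates (in the format printed by `openssl x509 -noout -dates`) against the 398-day and 825-day limits and plans the rounds of 397-day reissues needed to use up purchased validity. The function names and the `overlap_days` renewal margin are assumptions.

```python
import ssl
from datetime import datetime, timedelta, timezone

CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)  # limit applies from this issue date
MAX_NEW = timedelta(days=398)   # browsers reject longer lifetimes from CUTOFF on
MAX_OLD = timedelta(days=825)   # ceiling for certificates issued before CUTOFF
REISSUE_DAYS = 397              # length a reissue is cut down to


def parse_openssl_date(line):
    """Parse a line such as 'notBefore=Sep  1 00:00:00 2020 GMT'."""
    text = line.split("=", 1)[-1].strip()
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)


def lifetime_ok(not_before, not_after):
    """True if the validity period is within the limit for its issue date."""
    limit = MAX_NEW if not_before >= CUTOFF else MAX_OLD
    return not_after - not_before <= limit


def reissue_plan(paid_until, reissue_on, overlap_days=30):
    """List (not_before, not_after) pairs that use up validity paid until paid_until.

    Every reissue is capped at REISSUE_DAYS. The next round starts overlap_days
    before the previous certificate expires (an assumed renewal margin).
    """
    if not 0 <= overlap_days < REISSUE_DAYS:
        raise ValueError("overlap_days must be between 0 and REISSUE_DAYS - 1")
    if reissue_on >= paid_until:
        return []  # nothing left to reissue
    plan, start = [], reissue_on
    while True:
        end = min(start + timedelta(days=REISSUE_DAYS), paid_until)
        plan.append((start, end))
        if end >= paid_until:
            return plan
        start = end - timedelta(days=overlap_days)


if __name__ == "__main__":
    # Constructed sample: a 2-year certificate issued after the cutoff.
    nb = parse_openssl_date("notBefore=Sep 15 00:00:00 2020 GMT")
    na = parse_openssl_date("notAfter=Sep 15 00:00:00 2022 GMT")
    print("within limit:", lifetime_ok(nb, na))
    for start, end in reissue_plan(na, nb):
        print(start.date(), "->", end.date(), (end - start).days, "days")
```
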
If a certificate can be renewed before September 2020 and there is little likelihood that the certificate's SAN names will need to be changed later or that the certificate will need to be reissued, we recommend renewing for 2 years by August 2020. Beyond that, certificates will only last 1 year at a time.

We would like to help review options for companies that want to automate certificates via the ACME protocol, via API, via Azure Key Vault, or that have other automation needs. There is also the option to get "automatic renewal" or to buy certificates for several years at once, but these don't change the fact that the certificate still has to be installed every time. If you want to use these services, we are happy to contact you.
Code signing and email certificates are not affected and can continue to be purchased for up to 3 years. Certificates issued from your own private CA, e.g. internal to the company, will not be affected.

Certificates from the following brands are reduced to 397 days after 18 August 2020
Certificates from the following brands are reduced to 397 days after 27 August 2020
Certificates from the following brands are reduced to 397 days after 30 August 2020

Apple, Google Chrome, and Mozilla are united in the change. It is the browsers, with Google Chrome in the lead, that are together forcing this change on CAs and certificate users. And this time, for the first time, the change has not been approved by a vote in the CA/Browser Forum. Instead, the browsers have simply announced that they are implementing code that rejects certificates issued from 1 September with a total lifespan over 398 days, and that CAs that disagree can be removed from the browsers' recognized CA root certificates.

Where it will definitely help is when security holes are discovered or certain security changes are made for certificates, e.g. phasing out MD5 and SHA1: it will take less time for all certificates made with the "old", phased-out or modified settings to expire and thereby be switched to newer, safer settings.

It is believed that making it more cumbersome to maintain certificates manually, due to the shorter lifetime, will force more people to use automated installation methods. That will require updates in a lot of software before it can happen. It also seems that Google Chrome wants to get down to a few months and has not finished pushing to reduce the lifetime. However, this does not help companies that have not fully automated their server operation and maintenance, as Google itself might conceivably have done. Microsoft was told to replace 6+ million certificates in July 2020 and their response was that it would take 7 months, so they probably don't have the kind of automation that Google dreams of either. Reducing the lifespan also doesn't help with bugs that are considered rule breaking, where Chrome and other browsers will require all certificates, regardless of number (e.g. 6+ million certificates at Microsoft), to be closed within 7 days of the error being discovered.

There is an argument that a compromised certificate can be used for a shorter period of time, as it lives for 1 year rather than 2 years. However, this seems like a bad argument, since for most companies abuse lasting less than 24 hours will already be catastrophic, but of course the certificate can then "only" be abused for a year. However, most cases where certificates have been misused show that they are typically used for less than 2 weeks. The argument only makes sense when you get down to a lifetime of less than a month.

In addition, keys for certificates are often reused, giving the same result as if the certificate was valid for several years.
There are no restrictions on the reuse of the key. In addition, there is no effective overall restriction on the reuse of known broken keys.