Knowledge Base
Official TLS / SSL Certificate Lifespan
Public TLS / SSL Certificate Lifespan History
|
Starting Wednesday, August 19, 2020, Sectigo will no longer be able to offer two-year public TLS certificates due to an industry-wide requirement set by Apple and Google, stating that any two-year TLS certificate issued after August 30, 2020, will be distrusted in their browsers.
- Any two-year TLS certificate issued before 12:00am UTC on August 19, 2020, will be valid for two-years (up to 825 days).
Beginning August 19, 2020, Sectigo will only be issuing one-year (up to 398 days) TLS certificates.
- This only applies to public TLS certificates.
- Private-root and other types of certificates (e.g. Code Signing Certificates, S/MIME certificates, etc.) will be unaffected and will have the same maximum validity that they have today.
In preparation for this upcoming industry-wide change, we have prepared a few resources for our customers and partners.
- Sectigo Pulse Webinar www.sectigo.com/resource-library/q2-sectigo-pulse-webinar
- Root Causes Podcast: Apple to Drop Support for Two-year SSL Certificates www. sectigo.com/resource-library/root-causes-1-73-apple-to-drop-support-for-two-year-ssl-certificates
In addition, Sectigo offers Subscription SSL bundles for our partners and direct customers who purchase certificates through our websites. Subscription SSL does not apply to customers using our certificate management solutions. To learn more about Subscription SSL, sectigo.com/resource-library. Contact us (sectigo.com/about/contact) if you have any questions about how these changes may impact your business.
In Summary:
- 3 and 5 year certificate validity FAQ
- Two-year TLS certificate issued before 12:00am UTC on August 19, 2020, will be valid for two-years (up to 825 days).
- Beginning August 19, 2020, Sectigo will only be issuing one-year (up to 398 days) TLS certificates.
FAQ:
Question: I paid for a 3 (or) 5 Year SSL Certificate but received it with a validity period of 825 days, how do I obtain the remaining years?
Before your certificate is set to expire, you can request a reissue of your certificate. Your new certificate will be valid for the maximum allowable validity period (max term or however much time was remaining on your original purchase). You will have to repeat this until your subscription period expires.
Question: Will this affect my previously issued 2- or 3-Year certificates?
No. This will not affect your previously issued certificates. They will be valid up to their lifetime. In the event you are trying to reissue a certificate after September 1, 2020, you may receive a certificate with a reduced validity period, due to the new policy (and time remaining on your original purchase)
Question: Does this new policy apply to Email and Code Signing Certificates?
No. This only applies to public TLS certificates. Private-root and other types of certificates (e.g. Code Signing Certificates, S/MIME certificates, etc.) will be unaffected and will have the same maximum validity that they have today.
Question: What is the purpose of reducing the Lifetime of SSL Certificates?
To keep websites safe and out of the hands of “bad actors”. Previously CAs were able to issue SSL Certificates with a lifespan of up to 5 years. This meant you were using the same key for 5 years. To increase the level of security on web servers, it is recommended we keep generating new keys for SSL Certificates. To enforce this, and provide that increased level of security, CAs agreed to reduce certificate terms from 5 years to 3 years, then to 825 days, and finally 398 days (1 Year).
Additional Information:
Official CA/Browser Forum: Ballot 193: 825-Day Certificate Lifetimes
TLS / SSL Certificate Lifespan History (2, 3, and 5-year validity)
Sectigo Certification Practice Statement