Beginning September 1, 2020, all TLS/SSL certificates will have a 1-year validity. That’s 13 months or 398 days when you add up the extra 30 days during renewals or replacements. However, with an SSL subscription, you can still get a 2-year SSL certificate. We’ll show you how further down the line.
The current TLS/SSL lifespan, set at 27 months, has lasted only two years. That’s one year less than the previous 3-year validity guidelines from 2015 to 2018. Back in the early days of web encryption, SSL certificates had a 5-year cycle. The first reduction occurred with the arrival of the SHA-256 hash algorithm.
With the Web evolving and security threats going nowhere, the leading CAs and browsers are constantly pushing for a shorter SSL validity. The reasoning behind this is simple – the frequent SSL certificate renewal offers cyber-attackers less time to crack it. As a result, users’ sensitive data will become even better protected than it is now.
While all CAs anticipated the latest reduction of SSL validity, it was Apple who made it official, by unilaterally announcing that from September 1, its Safari browser will no longer trust SSL/TLS certificates with the validity of more than 398 days. As safari is the second most popular browser on the Web, the leading CAs had no choice but to comply with Apple’s decision.
Certificate Authorities’ reaction to 1-year SSL validity
DigiCert and Sectigo, the Certificate Authorities with the largest market share, both reacted positively to the new SSL lifespan.
“DigiCert agrees that shorter lifetimes help enhance the security of the ecosystem and has the tools necessary to help our customers automate the certificate lifecycle process. We support short-lived certificates, with lifetimes as short as a few hours for customers with advanced automation capabilities”. wrote Dean Coclin on the company’s blog.
Michael Fowler, president of partners and channels at Sectigo, echoed Coclin’s thoughts.
“Sectigo understands the benefits of and supports shorter certificate lifetimes. We also know that the currently imposed two-year limitation has already impacted our SSL certificate resellers by causing user friction. Sectigo anticipated this change and has introduced solutions to help our partners”.
What does the 1-year SSL validity mean for the end-user?
If your existing 2-year SSL certificate expires soon (in less than 12 months), now is your last chance to get a certificate for the next two years. Beginning September 1, 2020, Digicert and all its SSL brands (RapidSSL, GeoTrust, and Thawte) will stop issuing 2-year public TLS certificates. Sectigo and GoGetSSL will ditch 2-year SSL validity even sooner.
Beginning August 19, 2020, both CAs will only be issuing 1-year certificates.
Good news! You still can benefit from multiple years discounts
All SSL certificates bought before the deadline will still work as normal. You won’t have to worry about renewing them anytime soon.
Best of all, at SSL Dragon, we offer great discounts on all our SSL products when you buy them for multiple years, even after the 1-year validity takes effect.
How does this work? It’s simple.
You can order a 2 or 3-year SSL subscription and reduce significantly the costs of your certificate.
The only difference is that you need to reissue the cert every year, and pass the validation and install it again on your server.
With just a few extra steps, you can still save quite a bit of money.