The Certificate Authority Browser Forum, also known as the CAB Forum, passed Ballot 193, which reduces the maximum validity of SSL Certificates (Domain Validation and Business Validation) to 825 days (roughly 27 months). The ballot didn't affect Extended Validation Certificates, due to their already existing 2-year lifetime. The new regulations will come into effect on March 1, 2018.
Chris Bailey of Entrust Datacard proposed the motion, and it gained overwhelming support from the voting Browsers and Certificate Authorities. Of 27 CA votes, 24 said yes and 3 abstained. Voting by browsers resulted in 5 positive votes and one abstention.
It's not the first time the CAB Forum has reduced the maximum validity of SSL Certificates. In January 2015, the same industry body placed a 39-month lifetime limit on all publicly trusted SSL Certificates. Prior to that, companies and individuals could get SSL Certificates with a validity period of up to 5 years.
So why change the rules again in such a short timespan?
The short answer is better security and regulation. Now let's elaborate on this. The new restriction makes SSL Certificates expire and be reissued more frequently, thus enabling the Certificate Authorities to better control the overall SSL/TLS environment.
The new 825-day SSL lifespan will minimize the number of SSL Certificates using older cryptographic standards, which matters during transitions such as moving from 1024-bit to 2048-bit RSA key length or from SHA-1 to the SHA-2 hashing algorithm. The new limitation will also reduce the number of active certificates issued as a result of fraudulent requests and activities, and will decrease the number of mis-issued certificates.
Important to know
The CAB Forum's change won't affect the validity of already installed SSL Certificates. Their verification procedure is already complete and they don't require further action. SSL Certificates issued after 1 July 2016 but prior to 1 March 2018 will still have the current 39-month validity period.
However, since the validation information of SSL Certificates must be completed within 825 days of the certificate’s issuance or re-issuance, holders of existing 3-year certificates will have to reissue their certificates in their last year in order to be compliant with the requirements.
The validity of Extended Validation Certificates will last 825 days instead of 27 months. An exact number of days (825) allows for more efficient auditing and browser requirement enforcement. The CAB Forum recommends that EV SSL Certificates have a maximum validity period of 12 months.