3-Year SSL Certificates will go Extinct on March 1, 2018


The new maximum validity is now 27 months

Starting on March 1, 2018, you will no longer be able to purchase 3-year SSL certificates. This wasn’t our decision; it was made by the CA/Browser Forum.

If you’ve never heard of the CA/B Forum before, that’s OK. Not many people have. It serves as the de facto regulatory body for digital certificates. That sounds a whole lot cooler than it really is. In reality, 95% of the time it’s just a bunch of nerds arguing about by-laws. Occasionally they meet in person, which leaves whatever conference space they’re in smelling like condescension and Clearasil.

But the other 5% of the time they make decisions that affect the entire industry. Like continuing to shorten the maximum validity period for SSL certificates. There was a time, back when the SSL industry was like the Wild West [Editor’s Note: Sorry, Carl has been on a Cowboy kick lately] that you could even get a five-year certificate.

But certificate lifespan is actually one of the only places where, in terms of size mattering, shorter is better.

Why Are Shorter SSL Certificate Validity Periods Better?

Technology changes frequently; it’s always advancing. So having a five or even a three-year certificate means you’re going to be going 3-5 years between updating your ciphers with stronger encryption. Case in point, a five-year-old certificate would still be using SHA-1. SHA-1 was deprecated a couple of years ago and then last year Google spent considerable resources to create a SHA-1 collision, which underscored the need to move to SHA-2.

With a three-year certificate, some users would be going three years between updates. That’s never a good idea.

Beyond that, certificate authorities need to re-validate you regularly so that you can continue to be trusted. It’s not unlike how you occasionally have to go back to the DMV to update the information on your driver’s license. Or at least you’re supposed to.

At any rate, your validation information is only good for 825 days. If it’s been longer than that, you’ll have to pass validation again.

Explain this to me like I’m five, Carl

Ok, here goes:

  • Starting March 1, 2018, you can no longer purchase 3-year SSL certificates.
  • RapidSSLonline.com will stop selling 3-year SSL certificates on February 20.
  • Shorter lifespans allow for more up-to-date algorithms and ciphers.
  • CAs can only use validation information for 27 months (825 days).
  • If it’s been longer than 825 days since your last validation, you will have to go through it again
  • If you purchase a 3-year certificate before the deadline and have to reissue it for any reason, it will revert to a two-year certificate and you will lose any remaining time beyond 825 days.
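
The 825-day limit and the reissue rule from the list above, as an added example (not code from RapidSSLonline or the CA/B Forum): a small Python audit over a constructed certificate inventory that flags long lifetimes and SHA-1 signatures and models what a reissue costs. The record fields, the function names, and the reading that a reissued certificate is capped at 825 days from the reissue date are assumptions.

```python
from datetime import date, timedelta

MAX_VALIDITY = timedelta(days=825)  # 27-month maximum stated in the article
CUTOFF = date(2018, 3, 1)           # date the new maximum takes effect


def audit(cert):
    """Return the findings for one inventory record (hypothetical schema)."""
    findings = []
    lifetime = cert["not_after"] - cert["not_before"]
    if lifetime > MAX_VALIDITY:
        if cert["not_before"] >= CUTOFF:
            findings.append("exceeds 825-day maximum")
        else:
            # Bought before the deadline: still valid, but a reissue shortens it.
            findings.append("long-lived: reissue will shorten it")
    if cert["sig_alg"].lower().startswith("sha1"):
        findings.append("SHA-1 signature")
    return findings


def reissue(cert, on):
    """Model a reissue on date `on`; returns (new_not_after, days_lost).

    Assumption: the new expiry is the earlier of the original expiry
    and `on` + 825 days, so time beyond that point is lost.
    """
    new_not_after = min(cert["not_after"], on + MAX_VALIDITY)
    return new_not_after, (cert["not_after"] - new_not_after).days


# Constructed sample inventory, not real certificates.
INVENTORY = [
    {"cn": "shop.example.com", "sig_alg": "sha256WithRSAEncryption",
     "not_before": date(2018, 2, 15), "not_after": date(2021, 2, 14)},
    {"cn": "legacy.example.com", "sig_alg": "sha1WithRSAEncryption",
     "not_before": date(2016, 1, 10), "not_after": date(2018, 1, 9)},
    {"cn": "www.example.com", "sig_alg": "sha256WithRSAEncryption",
     "not_before": date(2018, 3, 5), "not_after": date(2020, 3, 4)},
]

if __name__ == "__main__":
    for cert in INVENTORY:
        print(cert["cn"], audit(cert) or "ok")
    new_end, lost = reissue(INVENTORY[0], on=date(2018, 6, 1))
    print("reissue of shop.example.com ends", new_end, "losing", lost, "days")
```
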

Stay cautious, my friends.