Starting February 20th, 2018, the maximum validity period for newly-issued domain validated (DV) and organization validated (OV) SSL/TLS certificates is 27 months (2 years and 3 months). The shorter maximum validity period helps improve website trust and security by minimizing expired organization information and potential vulnerabilities (such as Heartbleed). See CA/Browser Forum Ballot 193 for more information on this policy.
- What happens to my valid 3-year certificates?
3-year certificates that are issued before November 30, 2017 remain valid but need to be replaced with the DigiCert hierarchy certificates if you use them for browsers.
3-year certificates that are issued after November 30, 2017 remain valid and their validity period and expiration date are unchanged.
- Can I still get a 3-year SSL/TLS certificate?
You can request 3-year certificates up to February 20th, 2018. You can approve and issue pending 3-year certificates up to February 28, 2018. After these dates, the maximum validity period will be 2 years.
- What is the maximum validity period for Extended Validation (EV) certificates?
This remains at 27 months – 24 months plus up to 3 months for early renewals.
- Can I replace a 3-year SSL/TLS certificate?
If the remaining validity of the original certificate is less than 825 days, your replacement keeps the full remaining validity.
After February 20th, 2018, if the remaining validity of the original certificate is more than 825 days, the validity of the replacement is shortened to 825 days. Remember to back up your certificates and private keys to minimize the need to replace your 3-year certificates.
If you are replacing your certificate due to the Google Chrome distrust issue on September 13, 2018, check the remaining validity of your certificate. If the certificate has more than 825 days left, you may want to wait to replace your certificate to get as much validity as possible – but don’t miss the September 13 date!
- Does this change apply to Private SSL and Code Signing?
No, it won’t impact EV/OV Code Signing and Private SSL.