Maximum Validity Changes for TLS/SSL to drop to 825 days in Q1 2018


The CA/Browser Forum, which governs the rules and practices for Certificate Authorities, has approved a ballot that will reduce the maximum lifetime of TLS/SSL certificates to 825 days (~27 months or ~2 years 3 months) from the current 1185 days (~39 months or 3 years 3 months).
The new 825-day maximum validity period takes effect on March 1, 2018 for all TLS/SSL certificate types.  This will affect QuoVadis Business SSL and QuoVadis Extended Validation policies within Trust/Link.  For your convenience, QuoVadis will automatically replace all policies within Trust/Link as this date approaches.

Why Shorter TLS/SSL Lifetimes?
Browsers wish to reduce the allowed lifetimes so that TLS/SSL certificates will be changed more frequently:
  • Improving agility in phasing out active certificates using older cryptographic standards (such as 1024-bit RSA key length or SHA-1 hashing algorithm); and
  • Allowing changes to the CA/B Forum standards (such as Baseline Requirements or EV Guidelines) to have impact more rapidly.
The idea is that in most circumstances the shorter-duration certificates will be allowed to expire naturally, rather than undergo forced revocation should standards change. In future, the focus will be for server vendors – and CAs – to facilitate greater automation of TLS/SSL provisioning, allowing further reduction in certificate validity lifetimes.

How does this affect me?
All TLS/SSL certificates issued before March 1, 2018 will not be affected and can continue to operate until expiration or revocation. Certificates issued before this date can still have a validity of up to 3 years. After this date, all certificates will be limited to 825 days in validity.