The CA/Browser Forum, which governs the rules and practices for Certificate Authorities, has approved a ballot that will reduce the maximum lifetime of TLS/SSL certificates to 825 days (~27 months or ~2 years 3 months) from the current 1185 days (~39 months or 3 years 3 months).
The new 825-day maximum validity period takes effect on March 1, 2018 for all TLS/SSL certificate types. This will affect QuoVadis Business SSL and QuoVadis Extended Validation policies within Trust/Link. For your convenience, QuoVadis will automatically replace all policies within Trust/Link as this date approaches.
Why Shorter TLS/SSL Lifetimes?
Browsers wish to reduce the allowed lifetimes so that TLS/SSL certificates will be changed more frequently:
- Improving agility in phasing out active certificates using older cryptographic standards (such as 1024-bit RSA key length or SHA-1 hashing algorithm); and
- Allowing changes to the CA/B Forum standards (such as Baseline Requirements or EV Guidelines) to have impact more rapidly.
The idea is that in most circumstances the shorter-duration certificates will be allowed to expire naturally, rather than undergo forced revocation should standards change. The focus in future will be for server vendors – and CAs – to facilitate greater automation of TLS/SSL provisioning, allowing further reduction in certificate validity lifetimes.
How does this affect me?
All TLS/SSL certificates issued before March 1, 2018 will not be affected and can continue to operate until expiration or revocation. Certificates issued before this date can still have a validity of up to 3 years. After this date, all certificates will be limited to 825 days in validity.