WISeKey

Industry Change to 2 year TLS/SSL Certificates
8 Feb 2018

In 2016 the CA/Browser Forum, an industry body which sets standards for publicly trusted TLS/SSL digital certificates, agreed to reduce the maximum validity of SSL certificates to 825 days (~27 months) from the current 39 months (~1185 days).

The new requirement takes effect on March 1, 2018 across all CAs issuing all forms of publicly trusted SSL including Domain Validation (DV), Organisation Validation (OV), and Extended Validation (EV).

WISeKey QuoVadis will adopt the new requirement on February 26, 2018 to ensure that in-process orders are complete before the deadline.

Why Shorter TLS/SSL Lifetimes?

The CA/B Forum requirement is designed to ensure that SSL certificates are replaced more frequently, which accelerates adoption of changing industry technical standards across the Web PKI. Previous CA/B Forum changes had already reduced TLS/SSL validity to 60 months, and then to 39 months.

Over the past 10 years, the number of currently valid, publicly trusted SSL certificates has grown from 1 to 50 million. This growth requires agility in phasing out older cryptographic standards that may have become vulnerable (with lessons learned from the retirement of the 1024-bit RSA key length and the SHA-1 hashing algorithm).

The idea is that, in most circumstances, shorter-duration certificates will be allowed to expire naturally rather than undergo forced revocation should standards change.

In future, the focus will be for enterprise software providers and CAs to facilitate greater automation of SSL provisioning, allowing further reduction in certificate validity lifetimes.