CA/B Forum Votes to Shorten Certificate Lifetime Validity Periods: How It Impacts You

The CA/Browser Forum (CAB Forum) comprises the world’s leading CAs and browser vendors. The CAB Forum meetings and discussions attempt to build consensus on rules and guidelines about global digital certificate practices. One common topic is how to shorten certificate lifetimes. The goal is to accelerate security efforts and minimize the potential damage caused by mis-issuance. A good example of this is the recent SHA-1 deprecation. Shorter validity periods would have reduced the time required to migrate away from SHA-1 and improve the entire ecosystem.

This topic led to a recent CAB Forum vote that shortened the validity period of certificates to 825 days beginning March 1, 2018. The ballot also had an unintended consequence. Domain Validated (DV) and Organization Validated (OV) certificate owner information could originally be reused for up to 39 months. However, effective April 22, 2017, this reuse period will be shortened to 825 days—unless a corrective ballot passes.

Revalidating Website Owner Information Older Than 825 Days

Enterprise teams should plan for shorter validity periods. Starting March 1, 2018, DV and OV certificates will have a maximum lifecycle of 27 months (825 days) before they must be renewed. Some CAB Forum members have expressed an interest in dropping the validity period to 13 months in coming years. We encourage everyone to share their opinions with us and the CA/Browser community about what obstacles their organization might face in migrating to 13 month, or shorter, validity periods.

We understand that these changes will require additional work for many enterprise teams, including our customers. Our support team is ready to assist in simplifying the process.

In security, we regularly balance improvements to the ecosystem with the impacts these changes have on organizations. In this case, DigiCert supports the effort to shorten the time required to enact changes across the TLS landscape to confront evolving security threats. We feel that this change brings DV and OV certificate lifetimes in line with EV certificates, which currently only have two-year validity.

We remain highly committed to providing award-winning support and advancing PKI automation to help our customers succeed. We welcome your feedback.

Thawte is a leading global Certification Authority. Our SSL and code signing digital certificates are used globally to secure servers, provide data encryption, authenticate users, protect privacy and assure online identifies through stringent authentication and verification processes. Our SSL certificates include Wildcard SSL Certificates, SAN /UC Certificates, SGC SuperCerts and Extended Validation SSL Certificates.