SSL CertificatesTrust solutions
15.00$ Basic Quick-Scan
  • OWASP Top 10 Scanning
  • Multi Page Web Applications
  • REST API & JavaScript Scan
  • Set it up in minutes
44.00$ Starting at
  • Protect up to 250 domains
  • Wildcard domains
  • Single and sub-domains
  • Public IP addresses
49.00$ Billed annually
  • Registered companies
  • Non Profit, Funds and Trusts
  • Government entities
  • Sole Proprietors/Individuals

Three, Two, One, Liftoff on One-Year TLS Certificates

At the CA/Browser (CA/B) Forum in Bratislava, Slovakia, this week, Apple announced that beginning Sept. 1, newly issued publicly trusted TLS certificates are valid for no longer than 398 days. This followed a long history of the CA/B Forum community working to reduce certificate lifetimes and improve security while balancing the needs of business owners in transitioning to shorter validity certificates.

Why did Apple unilaterally decide to enforce a shorter certificate lifetime? Their spokesperson said it was to “protect users.” We know from prior CA/B Forum discussions that longer certificate lifetimes proved to be challenging in replacing certificates, in the case of a major security incident. Apple clearly wants to avoid an ecosystem that cannot quickly respond to major certificate-related threats. Short-lived certificates improve security because they reduce the window of exposure if a TLS certificate is compromised. They also help remediate normal operational churn within organizations by ensuring yearly updates to identity such as company names, addresses, and active domains. As with any improvement, shortening of lifetimes should be balanced against the hardship required of certificate users to implement these changes.

What does this mean for certificate users? For your website to be trusted by Safari, you will no longer be able to issue publicly trusted TLS certificates with validities longer than 398 days after Aug. 30, 2020. Any certificates issued before Sept. 1, 2020, will still be valid, regardless of the validity period (up to 825 days). Certificates that are not publicly trusted can still be recognized, up to a maximum validity of 825 days.

DigiCert's response

DigiCert agrees that shorter lifetimes help enhance the security of the ecosystem and have the tools necessary to help our customers automate the certificate lifecycle process. They support short-lived certificates, with lifetimes as short as a few hours for customers with advanced automation capabilities. Additionally, the CertCentral platform includes the ability to schedule and automate the replacement of EV, OV and DV certificates. Using CertCentral admins may take advantage of continuous discovery, renewal notices, thorough API integration and documentation, as well as support for orchestration layers. CertCentral also allows for multi-year purchases to smooth planning and 24/7 global support enabling the best experience in the industry.

As certificate validity periods continue to decrease, automation will be a must for organizations’ ability to manage shorter lifetimes. DigiCert is prepared with the industry’s most advanced and reliable tools to help our customers take the necessary steps toward greater use of automation. GoGetSSL would implement CertCentral API till 20th March 2020.

Sectigo's response

Sectigo understands the benefits of and supports shorter certificate lifecycles. However, they also know that the currently imposed two-year limitation has already impacted SSL resellers as well as business by causing user friction, reducing Average Sales Prices (ASPs), and negatively affecting overall revenue. This new industry standard will further impact revenue for partners.

Sectigo anticipated this change and has introduced solutions to help partners maintain and even increase ASPs as well as retain the 30%+ annual revenue that is at risk due to shortened certificate lifetimes.

Website owners need to prepare

CAs will have to ensure they only issue one-year certificates after Sept. 1. This is because Apple will treat any certificates issued from roots in their platform valid for more than 398 days as a “policy violation,” meaning CAs could face disciplinary action from Apple. Such action could be as minor as a warning or as significant as CA distrust. CAs use root certificates common to all browsers to issue TLS certificates. If they didn’t, users would experience errors when accessing websites from different browsers.

Website owners that currently use two-year website certificates will only be able to obtain one-year certificates as of Sept. 1. Any certificates that are currently valid for two years and issued before Sept. 1 will remain valid.

  • When Sectigo and GoGetSSL branded certs stop issuing 2 year Public TLS certificates?

    Beginning August 19, 2020, Sectigo will only be issuing one-year (up to 398 days) TLS certificates.

  • When DigiCert (RapidSSL, Thawte, GeoTrust) stop issuing 2 year Public TLS certificates?

    Beginning September 1st, 2020, Sectigo will only be issuing one-year (up to 398 days) TLS certificates.

  • Will other certificate types be affect by this industry mandated change?

    No. This only applies to public TLS certificates. Private-root and other types of certificates (e.g. Code Signing Certificates, S/MIME certificates, etc.) will be unaffected and will have the same maximum validity that they have today.

  • No more 90-days during renewals

    The max period for new SSL will be 398 days (13 months), that means vendors will be able to add up to 30-days (MAX) during renewals OR replacements using subscription SSL.

Solution via Subscription SSL

Great news to the SSL market! Now most SSL certificates are available for 2, 3, 4, and 5-year Subscription Plans. For security reasons, your certificate will initially be issued with a maximum 13-months validity. Prior to the expiration, We will contact you to replace your certificate for another maximum duration certificate. That allows to receive great multi-year discounts.


Other news

  • SSL Certificate news

    Sectigo/Digicert restriction for Russia/Belarus

    Published: 03.03.2022  |  Category: Corporate News

    Starting on 3rd March 2022 Sectigo/Digicert decided to block all orders from Russia & Belarus

  • SSL Certificate news

    Price changes for Digicert CA

    Published: 05.01.2022  |  Category: Corporate News

    On February 4, 2022 the Digicert CA will be implementing pricing changes for some of products. As part of the commitment to delivering the best TLS/SSL certificate security in the world, they regularly review the services, products and the state of the industry.

  • SSL Certificate news

    No more File Validation for Wildcard SSL certificates

    Published: 08.11.2021  |  Category: Corporate News

    In compliance with pending policy changes brought about by CA Browser (CA/B) Forum ballot SC45; Sectigo and Digicert CAs will make updates to the circumstances under which it can employ file-based Domain Control Validation (DCV)

Fast Issuance within 3-5 minutes

Get a Domain Validation SSL certificate within just 5 minutes using our friendly and automated system. No paperwork, callback or company required.

Price Match 100% Guarantee

Found a better price? We will match it - guaranteed. Get the best possible price in the World with us. The correct place to save your money.

Free SSL 90-day for free

Try 90-day Trial SSL Certificate before the real purchase to test cert's functionality. 99.9% browser and mobile support. Free reissues.

Money Back 30-day guarantee

Customer satisfaction is our major concern. Get a full refund within 30 days for any purchase of SSL certificates with 100% guarantee.

Speed up SSL issuance

GoGetSSL® offers fastest issuance of SSL due to use of LEI code and API automation. Legal Entity Identifier (LEI) is a global identity code, just like DUNS. Learn how LEI works.

1,422,468+Total LEIs issued
224+Jurisdictions supported