SSL CertificatesTrust solutions
AnimatedSite Seal Logo GoGetSSL Site Seal
Better Rankingin Google Search Google Security
Domain SSLBy GoGetSSL from $39.00 /yr
AnimatedSite Seal Logo GoGetSSL Site Seal
Better Rankingin Google Search Google Security
Domain SSLBy GoGetSSL from $39.00 /yr
LEI CODE
Get your business identified and transparent globally
Minimaze financial vulnerabilities
Boost OV/EV SSL validation process
$69.00 per year Get LEI Code

Three, Two, One, Liftoff on One-Year TLS Certificates

At the CA/Browser (CA/B) Forum in Bratislava, Slovakia, this week, Apple announced that beginning Sept. 1, newly issued publicly trusted TLS certificates are valid for no longer than 398 days. This followed a long history of the CA/B Forum community working to reduce certificate lifetimes and improve security while balancing the needs of business owners in transitioning to shorter validity certificates.

In August 2019, CA/B Forum Ballot SC22 was introduced by Google to reduce TLS certificate validity periods to one year. CAs reviewed this proposal with their customers and produced thousands of comments from users, which mostly showed opposition, due to the additional work required by IT teams to handle shorter validity periods. The ballot failed in the Forum, which meant certificate maximum lifetimes remained at two years.

At one time, certificates were offered with a maximum validity of three years. A few years ago, they were reduced to two years. Fast forward to this week’s Apple announcement, which ultimately does what ballot SC22 failed to do: reduce certificate lifetimes to one year.

Why did Apple unilaterally decide to enforce a shorter certificate lifetime? Their spokesperson said it was to “protect users.” We know from prior CA/B Forum discussions that longer certificate lifetimes proved to be challenging in replacing certificates, in the case of a major security incident. Apple clearly wants to avoid an ecosystem that cannot quickly respond to major certificate-related threats. Short-lived certificates improve security because they reduce the window of exposure if a TLS certificate is compromised. They also help remediate normal operational churn within organizations by ensuring yearly updates to identity such as company names, addresses, and active domains. As with any improvement, shortening of lifetimes should be balanced against the hardship required of certificate users to implement these changes.

What does this mean for certificate users? For your website to be trusted by Safari, you will no longer be able to issue publicly trusted TLS certificates with validities longer than 398 days after Aug. 30, 2020. Any certificates issued before Sept. 1, 2020, will still be valid, regardless of the validity period (up to 825 days). Certificates that are not publicly trusted can still be recognized, up to a maximum validity of 825 days.

DigiCert's response

DigiCert agrees that shorter lifetimes help enhance the security of the ecosystem and have the tools necessary to help our customers automate the certificate lifecycle process. They support short-lived certificates, with lifetimes as short as a few hours for customers with advanced automation capabilities. Additionally, the CertCentral platform includes the ability to schedule and automate the replacement of EV, OV and DV certificates. Using CertCentral admins may take advantage of continuous discovery, renewal notices, thorough API integration and documentation, as well as support for orchestration layers. CertCentral also allows for multi-year purchases to smooth planning and 24/7 global support enabling the best experience in the industry.

As certificate validity periods continue to decrease, automation will be a must for organizations’ ability to manage shorter lifetimes. DigiCert is prepared with the industry’s most advanced and reliable tools to help our customers take the necessary steps toward greater use of automation. GoGetSSL would implement CertCentral API till 20th March 2020.

Sectigo's response

Sectigo understands the benefits of and supports shorter certificate lifecycles. However, they also know that the currently imposed two-year limitation has already impacted SSL resellers as well as business by causing user friction, reducing Average Sales Prices (ASPs), and negatively affecting overall revenue. This new industry standard will further impact revenue for partners.

Sectigo anticipated this change and has introduced solutions to help partners maintain and even increase ASPs as well as retain the 30%+ annual revenue that is at risk due to shortened certificate lifetimes.

  • Sectigo Subscription SSL packages offer bundles of maximum-duration certificates allowing customers to obtain continuous certificate coverage for up to five years. Since introducing Subscription SSL in 2019, Sectigo now renews multi-year certificate customers for their preferred duration of three-years or longer and it has resulted in a 37% revenue uplift!
  • Sectigo Web Security Platform expands security coverage beyond encryption and consolidates 8 web security features into a single vendor. This will result in reduced operating expenses, shortened time to market for new products and frictionless upsell opportunities, allowing our partners to increase their ASP per customer and increase overall revenue.
  • Certificate Automation. Sectigo has always been at the forefront of automating certificate provisioning, and our recently-updated AutoApplyOrder API not only enables the easy automation of frequent certificate renewals but adds the ability to request all of the above new products and solutions in one standard interface.
 

Other news

  • SSL Certificate news

    No more 2-year SSL

    Published: 22.02.2020  |  Category: Corporate News

    Starting on 1st September 2020 there will be no more 2-years SSL certificates according to Apple/Safari decision. The max period will be 15-months during renewal. The changes affect all global CA (vendors).

  • SSL Certificate news

    4-year SSL back via Subscription

    Published: 11.10.2019  |  Category: Corporate News

    4-year SSL certificates back via the SSL subscription feature. All multi-year discounts are available too. Check our SSL Wiki for more details.

  • SSL Certificate news

    Chrome 77 removes Green Address Bar

    Published: 28.09.2019  |  Category: Corporate News

    Google Chrome version 77 is released now for Windows, Linux, macOS, ChromeOS, IOS and Android users. The new release removed the UI indicator for Extended Validation (EV) certificates from the browser's address bar, it is also known as "Green Address Bar".

Fast Issuance within 3-5 minutes

Get a Domain Validation SSL certificate within just 5 minutes using our friendly and automated system. No paperwork, callback or company required.

Price Match 100% Guarantee

Found a better price? We will match it - guaranteed. Get the best possible price in the World with us. The correct place to save your money.

Free SSL 90-day for free

Try 90-day Trial SSL Certificate before the real purchase to test cert's functionality. 99.9% browser and mobile support. Unlimited prolongation.

Money Back 30-day guarantee

Customer satisfaction is our major concern. Get a full refund within 30 days for any purchase of SSL certificates with 100% guarantee.

Speed up SSL issuance with LEI

GoGetSSL™ now offering fastest issuance of SSL on planet due to use of LEI code and API automation. Legal Entity Identifier (or LEI) is a global identity code, just like DUNS. Learn now how LEI may help you.

LEI codes starting at
$69.00
Check LEI offer
1,366,468+Total LEIs issued
224+Jurisdictions supported