August 28, 2020

End-of-life for 2-year SSL/TLS certificates

This is to announce that CyberSSL will only be able to issue public SSL / TLS certificates with a lifespan of 398 days (a bit over 1 year). The change takes place starting with 1 September 2020.

All SSL / TLS certificates, purchased after the indicated date, will only be valid for 1 year (398 days). This decision affects public SSL / TLS certificates from all issuers, purchased through CyberSSL.

All public certificates purchased and installed before that date will expire on their initial expiration date and will be treated as valid by the major browsers.

Other types of certificates
The maximum validity periods for other types of certificates (Code Signing Certificates, S/MIME certificates, etc.) are not affected and will not change.

Why is SSL lifespan reduced?
From our side, we're following a decision from the Official CA/Browser Forum to promote shorter validity periods for SSL certificates. The major web browsers (Chrome, Safari, Opera, Firefox) will mark a connection over SSL as untrusted if it uses an SSL certificate that was issued after 1 September 2020 with a validity of more than 398 days. Initially, it was Apple's decision to no longer trust SSL/TLS certificates with a validity of more than 398 days, which is 1 year plus renewal.

What's next
The general tendency is to make the validity terms of public SSL / TLS certificates as short as 90 days. The primary argument behind this intention is that shorter lifespans for SSL certificates would:
• force site administrators to re-install certificates more often,
• which in turn minimizes the potential loss from compromised keys or mis-issued certificates, since they will be in use for a shorter period of time;
• which also means administrators would need to seek automated solutions for periodic SSL re-installations,
• which would also help ensure that most websites use an SSL certificate and a secured connection.

Conclusions
So, the effects the browser producers (such as Mozilla, Opera, Google) and the CA/Browser Forum intend to achieve through shorter validity periods of SSL certificates seem to generally be feasible and justified. 
It's expected the validity period of SSL certificates will become even shorter in the coming years.
It makes sense to start integrating an automated solution for SSL management.
Re-issuing and re-installing all newly requested SSL certificates once a year now becomes a requirement.
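As a starting point for such automation, the following added example (not CyberSSL's code) audits the `notBefore`/`notAfter` dates printed by `openssl x509 -noout -dates` against the 398-day rule and the 1 September 2020 cutoff described above. The sample certificates are constructed, and counting both endpoints with partial days rounded up is this example's conservative convention.

```python
import ssl
from datetime import datetime, timezone

CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)  # rule applies from this date
MAX_DAYS = 398                                      # limit stated in the announcement
DAY = 86400

# Constructed sample input in the format of `openssl x509 -noout -dates`.
SAMPLES = {
    "legacy-2y": "notBefore=Aug 15 00:00:00 2020 GMT\nnotAfter=Aug 15 23:59:59 2022 GMT",
    "exact-398": "notBefore=Sep  2 00:00:00 2020 GMT\nnotAfter=Oct  4 23:59:59 2021 GMT",
    "one-second-over": "notBefore=Sep  2 00:00:00 2020 GMT\nnotAfter=Oct  5 00:00:00 2021 GMT",
    "new-2y": "notBefore=Sep 10 00:00:00 2020 GMT\nnotAfter=Sep 10 23:59:59 2022 GMT",
}

def parse_dates(openssl_text):
    """Return (notBefore, notAfter) as aware UTC datetimes."""
    fields = dict(line.strip().split("=", 1)
                  for line in openssl_text.splitlines() if "=" in line)
    def to_dt(value):
        return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), timezone.utc)
    return to_dt(fields["notBefore"]), to_dt(fields["notAfter"])

def validity_days(not_before, not_after):
    """Validity in days: both endpoints count (RFC 5280), partial days round up."""
    seconds = int((not_after - not_before).total_seconds()) + 1
    return -(-seconds // DAY)  # ceiling division

def classify(openssl_text, now):
    """Return (status, validity_in_days) for one certificate."""
    not_before, not_after = parse_dates(openssl_text)
    if not_after < not_before:
        return "invalid-dates", 0
    days = validity_days(not_before, not_after)
    if now > not_after:
        return "expired", days
    if not_before < CUTOFF:
        return "ok-issued-before-cutoff", days  # keeps its original expiry date
    if days > MAX_DAYS:
        return "too-long", days                 # browsers will not trust it
    return "ok", days

if __name__ == "__main__":
    as_of = datetime(2021, 1, 1, tzinfo=timezone.utc)  # constructed audit date
    for name, text in SAMPLES.items():
        status, days = classify(text, as_of)
        print(f"{name:16} {days:4d} days  {status}")
```

Run it over each deployed certificate's dates; anything reported as `too-long` needs to be re-issued with a shorter lifetime.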