The validity periods for digital certificates are determined by their accepting organizations and always conform to the requirements given by the CA/Browser Forum, a voluntary group of certification authorities (CAs), vendors of Internet browser software, and suppliers of other applications that use X.509 v.3 digital certificates for SSL/TLS, code signing, and S/MIME.
Certificate lifespans have been adjusted over time and will soon be adjusted agin. When software or a website receives an expired certificate, it will be unable to authenticate it and will refuse to accept it, causing major operational disruption.
Table of Contents
1. What is a digital certificate?
2. The benefits of digital certificates and how they are used
3. Google's proposal for a 90-day validity period
4. Benefits of shorter validity periods
5. How do I fix an expired certificate?
6. Prepare for shorter validity periods and leverage automation with Sectigo
Below, we’ll walk through what digital certificates are, their benefits, how long they're valid, how you know when they've expired, how you can fix an expired certificate, and the upcoming 90-day validity period adjustment.
What is a digital certificate?
A digital certificate is a file that proves the authenticity of an electronic system, such as a device, server, or user, through the use of public-key cryptography and the public key infrastructure (PKI).
By instituting this method of identification for devices and users, organizations can ensure their networks are secure. One popular type of digital certificate is an SSL/TLS certificate, which is used to confirm the authenticity of a website to a web browser.
Digital certificates contain identifiable information, such as domain name, organization, locality, and device information like IP address or serial number. They contain a copy of a public key corresponding to a digital signature from the certificate holder. This must be matched to a corresponding private key to verify it is real and the information within the certificate is accurate.
A public key certificate, issued by certificate authorities (CAs) based on this key pair, is used to sign certificates to verify the identity of the requesting device or user. Without the correct encryption key, this pairing is impossible.
These common digital certificates that you may know are:
- TLS/SSL Certificates
- Code Signing Certificates
- S/MIME Certificates
Unless otherwise noted, this article will discuss SSL/TLS certificates.
The benefits of digital certificates and how they are used
Digital certificates are beneficial for several types of entities that want to increase cybersecurity and meet any necessary regulations. Primary users of these certificates can be sorted into categories of individuals, organizations, and websites.
To issue these certificates, CAs require certain information to be provided to them through a certificate signing request. Once this information has been validated, it is signed with a key and the certificate is issued to the requester.
This certificate can then be employed to verify the identity of the owner, ensuring that the owner actually owns the public key during client authentication, or provide the credentials of a website. This is important for many types of digital transactions. A consumer is more likely to give their credit card information to a website that can prove its identity to their browser/endpoint. They understand implicitly that their sensitive information is protected and that the website is encrypting private data.
Digitally signed certificates are also helpful for securing Internet of Things (IoT) devices. These devices connect to many different web servers and websites to complete the automated actions for which consumers rely on them. Certificates prove the identity of these devices so they can complete their tasks without human input.
Do digital certificates expire?
Digital certificates validity periods are specific to each type of certificate. Currently, code signing certificates are valid for up to three years while SSL certificates are valid for just over one year.
What determines the validity period
Ultimately, the organizations that are accepting the certificates determine the validity period. These usually align with the recommendations from the CA/Browser Forum.
The CA/Browser Forum meets to vote on a variety of issues, often focusing on a set of baseline requirements for the issuance of trusted digital certificates. The CA/Browser Forum is not a governing body and has no enforcement capabilities. Acceptors have the final say and can be more or less strict than the recommendations made by the organization.
An interesting aspect of digital certificates is that the lifecycle of certificates, including the maximum validity periods, are not determined by the issuer but by the acceptor, whose concerns and policies are reflected by the CA/Browser Forum through a ballot process. Acceptors are organizations that build things, like operating systems and browsers. They are focused on protecting end-user information and not organizational processes. So companies such as Microsoft and Google would prefer to outright reject certificates that do not fit their criteria and deny access temporarily rather than simply accept all certificates.
Current SSL/TLS certificate validity period
Starting in September of 2020, Transport Layer Security (SSL/TLS) certificates cannot be issued for longer than 13 months (397 days). This change was first announced by Apple at the CA/Browser Forum.
Prior to 2015, you could obtain the certificate with a validity period of up to five years. That was reduced to three in 2015, and then two in 2018. At the end of 2019, a ballot was proposed at the CA/Browser Forum that would have reduced validity to one year and was voted down. This decision was then overruled by a change in policy by Apple the following year.
Extended Validation (EV) certificates traditionally have different expiration dates and certificate management processes than Domain Validation (DV) or Organization Validation (OV) certificates, although in the case of SSL certificates the validity periods are the same.
How do I know when my SSL/TLS certificate expires?
SSL certificates expire at maximum 398 days from their issuance date, but most CAs will set their expiration date sooner, offentimes around 395 days. It is important to renew any of them BEFORE they expire. Waiting will cause serious disruptions for organizations and their customers. Certificate expiration dates are clearly communicated by their issuers and each has its own certificate renewal process.
CAs usually provide notification ahead of the expiration date, so it is best practice to renew your certificate when the first notification is received to prevent certificate outages.
Often a certificate renewal applicant will need to re-authenticate portions of the information contained within their old certificate that they would like to see within the new one. The process for this is similar to the original issuing process.
Google's proposal for a 90-day validity period
In early March 2023, during the CA/B Forum face-to-face meetings, Google announced its intention to reduce the maximum validity period for SSL certificates from 398 days to 90 days. This shift is set to revolutionize digital certificate management and it’s crucial that enterprises begin preparing now as current policies and practices surrounding certificate management will need to be reevaluated and updated to align with this new standard.
Why the change?
The primary motivation behind Google's proposal is to improve security. Shorter certificate lifespans mean that certificates will need to be renewed more frequently, ensuring that encryption standards remain up-to-date and vulnerabilities are promptly addressed. This change reduces the window of opportunity for attackers to exploit compromised certificates, significantly improving overall cybersecurity. Frequent renewals also mean that any weaknesses in the encryption algorithms or key management practices can be swiftly corrected, maintaining the highest level of protection for sensitive data.
Automated certificate renewal will become more important than ever
With the proposed shorter validity periods, the importance of automating certificate renewals becomes paramount. Manual renewal processes can lead to errors and lapses, which can cause significant disruptions and security risks for businesses. With the renewal process happening much more frequently, these risks will increase. Automated systems help ensure that renewals are completed accurately and on time, reducing the chances of expired certificates causing service interruptions.
Automation also frees up IT resources, allowing teams to focus on more critical tasks rather than the repetitive and time-consuming process of manual SSL certificate renewals. Additionally, automated Certificate Lifecycle Management (CLM) tools can provide real-time monitoring and alerts, ensuring that organizations are always aware of upcoming expirations and can act promptly.
Incorporating automation into certificate renewal processes not only improves efficiency but also enhances security. Automated systems are less prone to human error and will consistently apply the latest security practices and policies. This is especially crucial with shorter validity periods, where the frequency of renewals increases and the margin for error narrows.
Benefits of shorter validity periods
Short validity periods allow for algorithm changes to have larger impacts. For example, a few years ago, SHA-1 was deprecated in favor of SHA-2. Certificates at that time had validity periods of several years, often three or more. Since hashing algorithms are chosen at the time the certificate is generated rather than used, this meant that some certificates took years before they were using the new, more secure algorithm. Encrypting data using out-of-date algorithms can leave key information exposed.
Short validity periods offer an excellent workaround for this problem because algorithm changes can be automatically implemented upon renewal, making the waiting time for adoption negligible.
How do I fix an expired certificate?
Certificate authorities have mechanisms to revoke expired certificates. This is done through what is called a certificate revocation list (CRL), which allows a CA to keep track of the certificates that have expired or been revoked for any reason.
To automatically renew your SSL certificates, you may need to revalidate information and this can be done through Certificate Lifecycle Management platforms like Sectigo's Certificate Manager or SCM Pro. To learn more about how our platforms work or purchasing new SSL certificates, contact our team at Sectigo today.
Prepare for shorter validity periods and leverage automation with Sectigo
Prepare for 90-day SSL certificates now to avoid issues in the near future. Ensure seamless transitions to shorter validity periods, mitigate risks of service disruptions, and maintain robust security for your organization. Contact Sectigo today to discover how we can help your enterprise streamline certificate renewal processes and uphold compliance effortlessly.
Want to learn more? Get in touch to book a demo of Sectigo Certificate Manager!
Related posts:
Google announces intentions to limit TLS certificates to 90 days: Why automated CLM is crucial
How businesses should prepare for shorter SSL/TLS certificate validity periods
2024 prediction: no organization will be immune to the challenges of shrinking digital certificate lifespans
