The CA/Browser Forum has taken a progressive step by reducing SSL/TLS certificate lifetimes from 39 months (~1185 days) to 27 months (stated as 825 days for computational ease). The move to an 825-day maximum certificate validity period for all types of certificates (DV, OV, and EV) will be effective for all new certificates purchased on or after March 1, 2018.
Approval for the reduced certificate lifetime of 825 days occurred just three weeks after a ballot to reduce the maximum certificate validity period to 398 days (~13 months) failed by a wide margin. A primary objection to 398 days was the impact it would have on certificate subscribers. In many cases, it would have required subscribers to move from their current three-year certificates to one-year certificates. That change could have forced subscribers either to triple their certificate-management staff or to adopt automated certificate installation in order to meet the additional effort of keeping their certificates valid.
Historically, there was no limit on certificate validity periods. The 2012 release of the CA/Browser Forum Baseline Requirements set the maximum lifetime to 60 months with a requirement to reduce the lifetime to 39 months in 2015.
Today most certificates are issued for 1-, 2- or 3-year terms. The validity period was set at 39 months to allow 3-year certificates to be renewed up to 3 months early, providing overlapping validity periods that eliminate outage windows.
An 825-day maximum reduces the validity to about 2 years while keeping the 3-month renewal overlap. Certification Authorities (CAs) can also take advantage of this and offer, and subscribers request, certificates valid for the full 825 days. Note also that a limit expressed in days is much easier to measure unambiguously than one expressed as 39 or 27 months, which simplifies both auditing and enforcement of browser requirements.
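To make the arithmetic in the two paragraphs above concrete, here is a small validity-period checker and early-renewal calculator. It is an added example written for this page, not code from the CA/Browser Forum or from the original post. It assumes that validity is measured as notAfter minus notBefore in whole days, that the pre-2018 39-month limit can be approximated as 1185 days (the approximation the post itself uses), and that the "3 month" early-renewal overlap is 90 days; the sample inventory at the bottom is constructed, not real certificates.

```python
# Added example (not from the original post): compliance and renewal-window
# calculator for the certificate lifetimes discussed above.
# Assumptions (mine, not stated by the CA/Browser Forum text):
#  - validity is measured as notAfter minus notBefore in whole days;
#  - the pre-2018 39-month limit is approximated as 1185 days, as the post does;
#  - the "3 month" early-renewal overlap is approximated as 90 days.
from datetime import date, timedelta

EFFECTIVE_DATE = date(2018, 3, 1)   # new maximum applies to certs issued on/after this date
NEW_MAX_DAYS = 825                  # Ballot 193 maximum
OLD_MAX_DAYS = 1185                 # ~39 months, the approximation used in the post
OVERLAP_DAYS = 90                   # ~3 months early-renewal window (assumption)


def validity_days(not_before: str, not_after: str) -> int:
    """Validity period in whole days between two ISO-8601 dates (YYYY-MM-DD)."""
    start = date.fromisoformat(not_before)
    end = date.fromisoformat(not_after)
    if end < start:
        raise ValueError("notAfter precedes notBefore")
    return (end - start).days


def max_validity_days(not_before: str) -> int:
    """Maximum validity that applied on the certificate's issuance date."""
    issued = date.fromisoformat(not_before)
    return NEW_MAX_DAYS if issued >= EFFECTIVE_DATE else OLD_MAX_DAYS


def is_compliant(not_before: str, not_after: str) -> bool:
    """True when the lifetime does not exceed the maximum in force at issuance."""
    return validity_days(not_before, not_after) <= max_validity_days(not_before)


def renewal_opens(not_after: str) -> str:
    """Earliest date to renew while keeping the overlap window before expiry."""
    return (date.fromisoformat(not_after) - timedelta(days=OVERLAP_DAYS)).isoformat()


def audit(certs):
    """Audit (name, notBefore, notAfter) tuples; return one finding dict per cert."""
    findings = []
    for name, nb, na in certs:
        days = validity_days(nb, na)
        limit = max_validity_days(nb)
        findings.append({
            "name": name,
            "days": days,
            "max": limit,
            "compliant": days <= limit,
            "renew_from": renewal_opens(na),
        })
    return findings


if __name__ == "__main__":
    # Constructed sample inventory, not real certificates.
    sample = [
        ("legacy-3yr", "2017-06-01", "2020-06-01"),  # issued under the 39-month rule
        ("new-825",    "2018-03-01", "2020-06-03"),  # exactly 825 days: allowed
        ("new-826",    "2018-03-01", "2020-06-04"),  # one day too long: violation
    ]
    for f in audit(sample):
        status = "OK" if f["compliant"] else "VIOLATION"
        print(f"{f['name']}: {f['days']}d (max {f['max']}) {status}; "
              f"renew from {f['renew_from']}")
```

Feeding the checker an inventory exported from a certificate-management tool is enough to flag any certificate whose lifetime exceeds the limit that applied when it was issued, and to schedule renewals so that the old and new certificates overlap rather than leaving a gap.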
Why Change the Certificate Lifetime?
The goal of reducing the lifetime is to let certificates be replaced more frequently. Because certificates then expire sooner, the following kinds of certificates leave the SSL/TLS ecosystem faster and have less impact on it:
- Reduces the number of certificates using older cryptographic standards; for example, during the migration from 1024-bit to 2048-bit RSA keys or from SHA-1 to SHA-2 signature hashing
- Mitigates certificates that are non-compliant with the CA/Browser Forum Baseline Requirements or EV Guidelines
- Minimizes the number of active certificates that were issued in response to fraudulent requests and activities
- Decreases the number of mis-issued certificates
- Eliminates certificates whose subject information was verified under older validation standards
Reducing the certificate lifetime is a gentler process than revocation, which is usually reserved for bad certificates that may have been mis-issued or issued due to fraudulent activity.
The problem with reducing the validity period is the increased pressure on certificate subscribers to manage these shorter-lived certificates. 825 days is the compromise period agreed through consensus of CAs and browsers: it increases security while still allowing subscribers to adjust to their increased certificate-management load.
CAs and browsers should also evaluate and improve certificate revocation. Bad certificates might then be removed from the ecosystem immediately through new revocation practices such as OCSP Must-Staple or a global revocation system.
In the meantime, hopefully the new 825-day lifecycle will give subscribers enough time to adequately manage their certificates without placing an undue burden on internal resources.
Update March 24, 2017: CA/Browser Forum Ballot 193 – 825-day Certificate Lifetimes