At the CA/Browser (CA/B) Forum in Bratislava, Slovakia, Apple announced that as of September 1, 2020, newly issued publicly trusted TLS certificates are valid for no more than 398 days. This followed the extensive work of the CA/B Forum community to shorten the lifetime of certificates and improve security, while balancing the needs of business owners to transition to shorter validity certificates.
When will the changes take place?
Sectigo – from August 19, 2020
DigiCert – from August 27, 2020
All other CAs – starting September 1, 2020
What is a multi-year SSL certificate subscription?
To help clients benefit from shorter certificate validity periods and to make certificate management even easier, we offer TLS/SSL certificates with a multi-year plan. This new type of multi-year protection is a time-saving and cost-effective way to help reduce downtime from expired certificates and the hassle of managing shorter certificate lifecycles.
Since browsers require annual certificate validity periods, a multi-year plan combined with automation tools can save you time and money. As a result, our customers can get the longer protection periods provided by the multi-year plan, while the purchase cost drops depending on the choice of the subscription period.
How does it work?
When you purchase an SSL certificate with a validity period of 2 years or more, you receive a first certificate valid for up to one year and the right to an unlimited number of re-issues of the certificate during the contract period, that is, up to the end of the period for which the certificate was ordered. Every year, throughout the lifetime of the multi-year plan, we will routinely verify the organization and domain for which the certificate has been issued.
We will start sending notifications about the need to replace the SSL certificate 30, 21, 14, 7, 3 and 1 days before its expiry. A new SSL certificate will be generated and replaced automatically using the same CSR as on the initial order. However, if the user has not replaced the SSL certificate themselves by 3 days before expiry, a new one will be sent to the e-mail address provided during the order.
Example: every multi-year SSL certificate currently has four dates:
- Subscription starts: the date on which the first certificate was generated
- End of subscription: the date of expiry of the certificate
- Valid from: the date from which the generated certificate is valid
- Valid until: the date until which the generated certificate is valid, which is also the date before which a new certificate should be generated for the next period of 13 months.
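The dates and reminder schedule described above can be checked against your own certificate inventory. The following is an added example, not code from this provider: the record field names, the sample inventory and the audit date are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

MAX_VALIDITY = timedelta(days=398)             # limit stated on this page
ENFORCED_FROM = datetime(2020, 9, 1, tzinfo=timezone.utc)
REMINDER_DAYS = (30, 21, 14, 7, 3, 1)          # reminder schedule from this page


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


def reminder_stage(valid_until, now):
    """Smallest reminder threshold already reached, or None if none applies."""
    if now >= valid_until:
        return None                            # expired: the reminder phase is over
    reached = [d for d in REMINDER_DAYS if now >= valid_until - timedelta(days=d)]
    return min(reached) if reached else None


def audit(cert, now):
    """Return the list of findings for one inventory record."""
    findings = []
    lifetime = cert["valid_until"] - cert["valid_from"]
    # The 398-day cap applies only to certificates issued on or after 2020-09-01.
    if cert["valid_from"] >= ENFORCED_FROM and lifetime > MAX_VALIDITY:
        findings.append(f"validity of {lifetime.days} days exceeds 398")
    if now >= cert["valid_until"]:
        findings.append("expired")
    stage = reminder_stage(cert["valid_until"], now)
    if stage is not None:
        findings.append(f"within {stage}-day reminder window")
        # A subscription that outlives the certificate still covers a re-issue.
        if cert["subscription_end"] > cert["valid_until"]:
            findings.append("re-issue available under subscription")
    return findings


# Constructed sample inventory (hypothetical hosts and dates).
INVENTORY = [
    {"name": "shop.example", "valid_from": utc(2021, 1, 10),
     "valid_until": utc(2022, 2, 10), "subscription_end": utc(2023, 1, 10)},
    {"name": "legacy.example", "valid_from": utc(2020, 10, 1),
     "valid_until": utc(2022, 10, 1), "subscription_end": utc(2022, 10, 1)},
    {"name": "old.example", "valid_from": utc(2020, 3, 1),
     "valid_until": utc(2022, 3, 1), "subscription_end": utc(2022, 3, 1)},
]
NOW = utc(2022, 2, 1)                          # constructed audit date

if __name__ == "__main__":
    for cert in INVENTORY:
        print(cert["name"], audit(cert, NOW))
```

The third record shows that a two-year certificate issued before September 1, 2020 is not flagged, because the limit applies to newly issued certificates only.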
Why is it worth choosing a certificate in the multi-year subscription option?
- Minimized risk of certificate compromise;
- Minimized risk of using weak keys or algorithms (e.g. SHA-1);
- Provides annual identity verification to prevent potential fraud;
- Easier certificate management thanks to automation;
- Save money by purchasing a certificate for a longer subscription period.