CA/Browser Forum Passes Ballot 193 – 825 day Certificate Lifetimes

The Certificate Authority Browser Forum, also known as the CA/Browser Forum, is a voluntary consortium of Certificate Authorities such as Symantec, Digicert, and Comodo, and technology and operating system makers such as Apple, Mozilla, and Microsoft, which together decide the fate of security on the internet. The CA/Browser Forum's purpose is to be proactive and keep the internet secure for users and businesses all over the world.

The CA/Browser Forum recently passed Ballot 193, which will affect all Certificate Authorities and those who manage SSL/TLS certificates. It takes effect almost immediately (April 22, 2017).

  • Effective April 22, 2017
    Reduces the length of time that authentication information can be re-used to authenticate subsequent certificates, from 39 months (3 years 2 months) to 27 months (825 days / 2 years). New, renewal and replacement certificates will be subject to this change. This seems a little abrupt and might be changed to give the CAs time to prepare for this new standard, but it should not affect the majority of clients while this transition is taking place.
  • Effective March 1, 2018
    Decreases the maximum validity period of SSL/TLS certificates to 27 months (825 days). Eventually there will be no more three-year option. No certificate issued after this date can have a validity past 27 months.

Things to know:

Authentication:

  • Existing certificates:
    • Are not affected. The authentication work is already complete and no action is necessary.
  • Reissue (replacement) of your SSL Certificate:
    • DV (Domain Validated Certificates) –
      DV certificate reissues, such as for Quick SSL or Rapid SSL products, currently undergo domain validation; thus there is no impact to DV certificate reissues. Reissued 3rd certificates after March 1 2018
    • OV (Organization Validation) –
      Some OV reissues for products like True ID or Secure Site may not issue instantly if the authenticated data used to approve the original certificate is older than 825 days or is otherwise no longer valid. In some cases, reissues will undergo authentication, though many reissues will continue to be issued instantly. Typically, 3 year certificates may be affected by this revalidation and not get automatically reissued.
    • EV (Extended Validation) –
      EV reissues are not impacted, because of their existing 2 year / 825 day validity.
  • Renewal certificates:
    • Certificate renewal will continue to leverage existing authentication and automation whenever possible, and in many cases will be quickly approved.
    • With the shorter validity of authentication data (27 months), renewals will require more frequent authentications.
    • With the shorter validity period, network admins will have to visit their servers and networks more frequently for CSR generation and SSL installation.

Technical:

  • Reissues/Replacements:
    • Since a certificate issued after March 1, 2018 can only have a 27 month / 825 day lifespan, a certificate that needs to be reissued for whatever reason may have time removed from it.
      Example: If an admin gets a new/renewed 3 year certificate on February 29th 2018 and needs to perform a reissue due to a technical matter, we could see the certificate cut to 27 months instead of 37 months.
      Note: Due to this technicality, Acmetek will be proactive and will put a stop to 3 year certificate enrollments as the deadline approaches, to prevent this scenario as best we can.
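
To see which certificates in an inventory would lose time in the reissue scenario above, the following is an added example (not Acmetek's or the CA/Browser Forum's code). It assumes a reissued certificate starts on the reissue date and keeps its original expiry unless that exceeds 825 days; the inventory, host names and function names are constructed for illustration.

```python
from datetime import date, timedelta

MAX_VALIDITY = timedelta(days=825)  # limit stated in Ballot 193
CUTOFF = date(2018, 3, 1)           # date the validity limit takes effect


def reissue_impact(not_after, reissue_on):
    """Return (new_not_after, days_lost) for a reissue on `reissue_on`.

    Assumption: the reissue is valid from the reissue date and keeps the
    original expiry unless that would exceed the 825-day limit.
    """
    if reissue_on < CUTOFF:
        return not_after, 0  # old rules still apply, nothing is trimmed
    capped = min(not_after, reissue_on + MAX_VALIDITY)
    return capped, (not_after - capped).days


def audit(inventory, reissue_on):
    """List certificates that would lose validity if reissued on `reissue_on`."""
    findings = []
    for name, not_after in inventory:
        if not_after <= reissue_on:
            continue  # already expired by then: that is a renewal, not a reissue
        new_end, lost = reissue_impact(not_after, reissue_on)
        if lost > 0:
            findings.append((name, new_end, lost))
    return findings


# Constructed sample inventory: (common name, notAfter)
INVENTORY = [
    ("www.example.test", date(2021, 2, 15)),   # 3 year cert bought before cutoff
    ("mail.example.test", date(2019, 6, 1)),   # 2 year cert
    ("old.example.test", date(2018, 1, 10)),   # expired before the reissue date
]

if __name__ == "__main__":
    for name, new_end, lost in audit(INVENTORY, date(2018, 4, 1)):
        print(f"{name}: reissue would expire {new_end}, losing {lost} days")
```

Feeding it the notAfter dates exported from your own certificate inventory shows which 3 year certificates are worth reissuing before the cutoff rather than after it.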

To keep up with the progress of technology, the CA/Browser Forum is always coming up with new industry standards. These standards guide and move the internet toward a safer and more secure environment for its users. Information regarding the CA/B Forum is always made publicly available at cabforum.org


Lead Tech Engineer, Acmetek
Dominic Rafael