Where Did All the Three-year SSL Certificates Go?

Feb 27, 2018 Scott Rogers CAs

For many years our customers have found multi-year certificates to be beneficial for both cost and convenience.  In particular, site administrators value multi-year certificates because they reduce the administrative overhead required for certificate management.  (Longer expiration times mean less certificate management, less frequent key generation, and fewer potential outages due to forgotten or flubbed renewals.)

Therefore you may have been surprised recently to see all the three-year SSL certificates disappear from the GeoCerts SSL store.  That is due to a new restriction from the CA/Browser Forum.  Over time the CA/B Forum has been phasing in tighter limits on the duration of SSL certificates in order to safeguard against potential (and presently unknown) future improvements in encryption cracking techniques.  This industry body has determined that two years is the maximum safe duration for an SSL certificate in our present cyber security environment.

Extended Validation (EV) SSL certificates have always been limited to two years, and industry observers have long seen this limit as an indicator of where the standards were heading.  Therefore your ability to purchase EV certificates is unaffected in any way.

For our Domain Validation (DV) and Organization Validation (OV) certificates, we have had to discontinue selling three-year SSL certificates.  Existing three-year certificates you got from GeoCerts or another provider are fine as they'll expire before browsers are scheduled to stop trusting them, but a new certificate sold today would not be trusted for its full, issued duration.

Note that this restriction applies to SSL only, so other kinds of digital certificate may still have longer durations, depending on the specific standards for that certificate type. For example, GeoCerts still sells three-year code signing certificates.

The good news is that two-year SSL certificates are still available and there is no indication they're going away any time in the foreseeable future.  So when you're adding a cert to your infrastructure, opt for the two-year variety and save yourself some hassle down the road.