End of life for 2-year SSL certificates

End of 2-Year public SSL/TLS certificates

Improving SSL/TLS certificate security by moving to 1-year certificates required by all CA/B Forum Certificate Authorities
August 27, 2020: DigiCert CA and Sectigo CA will stop issuing 2-year public SSL/TLS certificates

On September 1, 2020, the industry says good-bye to 2-year public SSL/TLS certificates. Going forward, Certificate Authorities (CAs) can only issue public DV, OV, and EV certificates with a maximum validity of 398 days (approximately 13 months).

To prepare for this industry change, our partner CAs - DigiCert, GeoTrust, Sectigo and PositiveSSL - will stop issuing 2-year public SSL/TLS certificates on August 27, 2020 5:59 pm MDT (23:59 UTC).

Additionally, the CAs will implement a 397-day maximum validity for all public DV, OV, and EV SSL/TLS certificates. This is a safeguard to account for time zone differences to avoid issuing a public SSL/TLS certificate that exceeds the new 398-day maximum validity requirement.

This industry change does not affect these types of certificates:

  • Private SSL/TLS
  • Client
  • S/MIME
  • Code Signing
  • EV Code Signing
  • Document Signing

What do I need to do?

To prepare for these changes and make sure you get needed 2-year public SSL/TLS certificates before the August 27 deadline:

  • Take inventory of your current certificates and any new certificates you may want with a 2-year validity.
  • Order any 2-year certificates that you need before August 13.
  • Make sure to respond to any domain and organization validation requests in a timely manner.

What happens if my 2-year public SSL/TLS certificate is not issued by the August 27 deadline?

For pending public SSL/TLS certificate orders with a validity greater than 397 days:

  • The first certificate for the order will be issued with a maximum validity of 397 days.
  • The order will keep the validity from the purchase.
    For example, if you ordered a 2-year certificate, the order will be valid for 24 months.
  • To use the remaining coverage on the order, you will need to reissue the certificate during the order's final 397 days.
    Each order comes with unlimited certificate reissues at no cost.

How does this affect my existing 2-year public SSL/TLS certificates?

This change doesn’t affect your active 2-year certificates issued before August 28, 2020. These certificates will continue to be trusted until they expire.

For example, on August 10, 2020, you purchase a 2-year OV SSL/TLS certificate. We issue the certificate on August 12, 2020. When the certificate nears its expiration date, instead of renewing it with another 2-year SSL/TLS certificate, you’ll need to renew it with a 1-year certificate.

How does this affect my 2-year certificate reissues and duplicate issues?

The shortened maximum certificate lifecycle period of 397 days will impact public 2-year SSL/TLS certificates when reissued or duplicated.

The following types of actions require you to reissue a certificate:

  • Adding a domain to a certificate
  • Removing a domain from a certificate
  • Swapping out a domain on a certificate
  • Changing organization information (name, address, phone number, etc.)
  • Duplicating a certificate
  • Replacing your private key/public key pair

After the August 27 deadline, reissues and duplicates of 2-year public SSL/TLS certificates will have a maximum validity of 397 days. This means some reissued certificates will expire before the order expires.

To use the remaining validity included with the order, reissue your certificates during the order's final 397-day period. You may request reissues with a validity of up to 397 days or the expiration of the order, whichever is soonest.
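The inventory step and the reissue rule above can be scripted. The following is an added example, not code from this page or from any CA: it classifies certificates by their notBefore/notAfter dates (in the format printed by `openssl x509 -noout -dates`) and computes reissue expiry under the 397-day cap. The hostnames, dates, status labels and the 00:00 UTC cutover time are assumptions.

```python
import ssl
from datetime import datetime, timedelta, timezone

INDUSTRY_MAX = timedelta(days=398)   # industry maximum validity stated on the page
CA_MAX = timedelta(days=397)         # the CAs' safeguard limit stated on the page
# Assumption: the September 1, 2020 cutover is taken as 00:00 UTC.
CUTOVER = datetime(2020, 9, 1, tzinfo=timezone.utc)

def parse_cert_time(text):
    """Parse the notBefore/notAfter format printed by `openssl x509 -noout -dates`."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)

def classify(not_before, not_after):
    """Return 'ok', 'legacy-2yr' or 'over-limit' for one public certificate."""
    start, end = parse_cert_time(not_before), parse_cert_time(not_after)
    if end - start <= INDUSTRY_MAX:
        return "ok"
    # Longer-lived certificates issued before the cutover stay trusted until
    # they expire, but must be renewed with a 1-year certificate.
    return "legacy-2yr" if start < CUTOVER else "over-limit"

def reissue_not_after(reissue_at, order_expires):
    """Expiry of a reissue: 397 days out or the order's end, whichever is first."""
    return min(reissue_at + CA_MAX, order_expires)

def final_window_start(order_expires):
    """First day on which a reissue can run to the end of the order."""
    return order_expires - CA_MAX

# Constructed inventory (hostname, notBefore, notAfter); not real certificates.
INVENTORY = [
    ("www.example.test",  "Aug 12 00:00:00 2020 GMT", "Aug 12 00:00:00 2022 GMT"),
    ("api.example.test",  "Oct  1 00:00:00 2020 GMT", "Nov  2 00:00:00 2021 GMT"),
    ("shop.example.test", "Oct  1 00:00:00 2020 GMT", "Oct  1 00:00:00 2022 GMT"),
]

def audit(inventory):
    """Map each hostname to its classification."""
    return {host: classify(nb, na) for host, nb, na in inventory}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host:20} {status}")
    order_end = datetime(2022, 11, 1, tzinfo=timezone.utc)  # constructed order end
    print("reissue on or after", final_window_start(order_end).date(),
          "to cover the rest of the order")
```
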

Here's an example of reissuing a 2-year public SSL/TLS certificate after August 27:

  1. On August 1, 2020 (before the August 27 deadline), we issued your 2-year multi-domain certificate—this is the original certificate.

    This certificate:

    • Has a maximum validity of 825 days
    • Expires on November 1, 2022 at the same time the order expires
  2. On November 1, 2020 (new 397-day maximum validity change implemented), you reissue the certificate.

    This reissued certificate:

    • Has a maximum validity of 397 days
    • Expires on December 1, 2021
    • Expires 406 days before the order expires
      (order expires on November 1, 2022)
  3. On January 1, 2021, you reissue the certificate.

    This reissued certificate:

    • Has a maximum validity of 397 days
    • Expires on February 1, 2022
    • Expires 395 days before the order expires
      (order expires on November 1, 2022)
  4. On April 1, 2022, you reissue the certificate a last time.

    This reissued certificate:

    • Has a validity of 337 days
    • Expires on November 1, 2022 at the same time the order expires

If you need to reissue a 2-year public SSL/TLS certificate and have questions about what to expect when the certificate is reissued, please contact your account representative or our Support team before you reissue it.