SSL certificates and 39 months validity period: Frequently Asked Questions
We’re getting closer and closer to the final deadline: from April 1st, no certificate issued or reissued will have a validity period greater than 39 months.
Why can’t I get a 39+ month SSL certificate anymore?
All major Certification Authorities in the world are members of the CA/Browser Forum. This organisation sets rules and regulations regarding the issuance and validity of SSL certificates. In its latest Baseline Requirements, the CA/Browser Forum stated that no CA should issue certificates for more than 39 months. Jeremy Rowley from DigiCert gave the following explanation in a blog article:
“Shortening the validity period to 39 months is the result of much consideration within the CA/Browser Forum to arrive at a duration that allows optimal usability while maintaining the tightest network security. A shortened validity period will significantly improve Internet security by requiring administrators to renew and verify their certificates more often. It will also make it easier for users to keep up-to-date on new advances in security and remain aware of their control over private keys.”
Why 39 months (3.25 years) and not 36 months (3 years)?
This is related to the renewal process, which becomes available from the moment your certificate has 3 months of validity remaining. For instance, if you renew your SSL certificate now for 3 years while it still has 3 months of validity left, your renewed certificate will be valid for 36 months plus 3 extra months, added to cover the gap between now and the original certificate’s end of validity. This way you don’t lose any validity time and you don’t have to wait for the original certificate to expire before installing the new one.
What is the difference between reissuing and renewing?
An SSL certificate has a start date and an expiry date.
During the SSL certificate’s validity period, you may have to “reissue” it for various reasons: one of its features has to change to fit the new standard, you are adding or removing SANs, your private key has been compromised, your server crashed, etc. You don’t pay anything when you reissue a certificate, and you can reissue it as many times as you want.
When the SSL certificate expires, you need to purchase a new one. You can ask for the same one you had, with the same features, or choose a different one. This is called renewing a certificate.
I currently have a 39+ month SSL certificate, what will happen if I reissue a certificate after April 1st 2015?
From April 1st 2015, if you reissue a certificate with a validity period longer than 39 months, the new validity period will be truncated, because certificates can only be reissued for the first 39 months of life.
Example: on May 1st 2015 you reissue your certificate, which is supposed to be still valid for 40 months. The reissued certificate will be capped to 39 months.
Even if I lose validity time, can I still reissue my certificate at any moment?
Only for the first 39 months of validity.
Once the certificate has been valid for more than 39 months, it won’t be possible to reissue it at all. If you purchased a 60-month (5-year) certificate, you won’t be able to reissue it at all during its last 21 months of validity. If you purchased a 48-month (4-year) certificate, you won’t be able to reissue it at all during its last 9 months of validity.
Is there a way to get back the validity time which was lost after reissuing?
It depends on the CA which issued your SSL certificate.
With Symantec, Thawte, GeoTrust and RapidSSL, you will be refunded for the lost months if you reissue your certificate and it is truncated.
With GlobalSign, if your SSL certificate loses validity time, you can reissue it again later and recover what you have lost during the first reissue.
Example: you purchased a 48-month (4-year) certificate on January 1st 2015. On May 1st 2015, your certificate is 5 months old, and therefore still valid for 48 - 5 = 43 months. You reissue the certificate. It is now truncated to 39 months. You’ve just lost 4 months of validity.
4 months later (September 1st), the certificate is 9 months old. You reissue it a second time. The reissued certificate’s validity should have been 39 - 4 = 35 months. Yet GlobalSign remembers that you lost 4 months of validity the last time you reissued, and gives you back these 4 months. The certificate’s validity is now 39 months again.
This is a very good workaround, but be very careful, as it is only possible if your certificate is less than 39 months old. As explained in the previous question, you can’t reissue certificates that are more than 39 months old.