Ballot 193 – 3 Year Certificate Validity To Be Phased Out

The CA/B Forum approved Ballot 193, which will see reduced SSL certificate lifetimes, as the maximum decreases from three years to two years. This is being done to address the security and logistic issues inherent with long-life certificates.

Given that Ballot 193 will impact how certificates are deployed and managed, we wanted to put together a quick summary of how this will impact those who use (or plan on using) 3-year SSL certificates.

The simple takeaway:

Effective March 1st, 2018, all new SSL certificates will be restricted to a maximum of 825 days (2 years + a 3-month renewal buffer). This also affects existing DV (Domain Validation) certificates. Prior to this date, CAs are allowed to issue 3-year certificates. Note that some CAs may choose to discontinue 3-year issuance early.

Shorter-term certificates (1-year) are not affected by either of these changes.

If you have already purchased any certificate with 3-year validity and an expiry date after 1st April 2018, avoid requesting a certificate reissue after Feb 2018. If you do so, your certificate will be truncated to 825 days of validity and you will lose the difference permanently.

To make all of this easier to understand, we have created some scenarios and a description of how these new changes will affect you. More than one of these may apply to you, so please skim all the scenarios:

You want to use 3-year certificates for minimal updates to all your servers.

You can get a new 3-year certificate up until March 2018. This will allow you to have a 3-year certificate in production until 2021, but ONLY if you do not reissue your certificate after March 2018 when the new maximums take effect.

As mentioned above, security vulnerabilities or other industry changes outside your control can sometimes require you to reissue a certificate. In some cases, such as the SHA-1 migration, you can choose not to reissue your certificate if you are okay with degraded treatment in web browsers.

Note that in the past, CAs have chosen to stop issuing products prior to the industry-mandated deadlines. This could mean that, due to Ballot 193, some CAs may choose to stop issuing 3-year certificates before March 2018. Plan to check in later this year and do not wait until the last minute assuming a 3-year certificate will be available. If this happens we will contact our existing customers to let them know. If you use another provider/CA, check with them to learn what their planned policy is.

You have an existing 3-year certificate (issued before March 2018) that needs to be reissued after March 2018.

From a technical perspective, reissuing a certificate is the same as issuing a new certificate. This means that after March 2018, ALL newly issued certificates (including reissues) must have a maximum validity of 825 days.

When you reissue your existing certificate after March 2018 it will be truncated to 825 days to meet the new requirements and you will permanently ‘lose’ the difference.
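An added example (not from the original post) that turns the reissue rule above into a check: it parses the dates printed by `openssl x509 -noout -dates`, flags certificates whose validity already exceeds the 825-day cap, and computes how much validity a reissue on a given date would cost. The 825-day cap and the March 1st, 2018 cutoff come from the text; the sample certificate dates are constructed, and the "before the cutoff" branch assumes the CA still offers the original lifetime.

```python
from datetime import datetime, timedelta

MAX_DAYS = 825                    # Ballot 193 cap: 2 years + ~3-month renewal buffer
CUTOFF = datetime(2018, 3, 1)     # cap applies to everything issued (or reissued) on/after this

# Constructed sample: what `openssl x509 -noout -dates -in cert.pem` prints for a 3-year cert
SAMPLE_DATES = """notBefore=Dec  1 00:00:00 2017 GMT
notAfter=Dec  1 23:59:59 2020 GMT"""


def parse_date(value):
    """Parse one openssl-style date such as 'Dec  1 00:00:00 2017 GMT' (GMT assumed)."""
    return datetime.strptime(value.strip().replace(" GMT", ""), "%b %d %H:%M:%S %Y")


def parse_openssl_dates(text):
    """Return (notBefore, notAfter) from the two lines printed by `openssl x509 -dates`."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        fields[key.strip()] = parse_date(value)
    return fields["notBefore"], fields["notAfter"]


def validity_days(not_before, not_after):
    return (not_after - not_before).days


def exceeds_cap(not_before, not_after):
    """True if this certificate could not be issued as-is after the cutoff."""
    return validity_days(not_before, not_after) > MAX_DAYS


def reissue_impact(not_after, reissue_date):
    """Expiry the reissued certificate would get, and how many days of validity are lost.

    Before the cutoff the original expiry is kept (assuming the CA still offers that
    lifetime); afterwards the expiry is capped at reissue_date + MAX_DAYS.
    """
    if reissue_date < CUTOFF:
        return not_after, 0
    capped = reissue_date + timedelta(days=MAX_DAYS)
    if capped >= not_after:
        return not_after, 0
    return capped, (not_after - capped).days


if __name__ == "__main__":
    nb, na = parse_openssl_dates(SAMPLE_DATES)
    print(f"validity: {validity_days(nb, na)} days, exceeds cap: {exceeds_cap(nb, na)}")
    for when in ("Feb  1 00:00:00 2018 GMT", "Jun  1 00:00:00 2018 GMT"):
        new_expiry, lost = reissue_impact(na, parse_date(when))
        print(f"reissue on {when}: expires {new_expiry:%Y-%m-%d}, {lost} days lost")
```

Run it against your own certificate by replacing `SAMPLE_DATES` with the output of `openssl x509 -noout -dates -in cert.pem`.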

You have a DV certificate

Starting March 2018, DV certificates will be limited to 825 days. Prior to this date, you can continue to get a 3-year certificate. However, please note that some CAs may choose to stop issuing 3-year certificates before March 2018.

When you reissue a DV certificate it is already common practice to re-validate domain ownership. This is a simple practice, which can be performed in a few minutes by setting up a DNS record, uploading a file to your server via FTP, or confirming an email.

You have an EV certificate

EV certificates are not affected by either of these changes. Because they meet the highest standards for identity, EV certificates are already limited to stricter maximums for both requirements (certificate validity and reuse of validation information).

EV certificates have a maximum validity of 27 months, and validation information can only be reused for a maximum of 13 months. There are currently no planned reductions to these periods; however, as the CA/B Forum institutes more security-conscious requirements, EV certificates may be restricted to one year.

At this time, we are not aware of any changes to Symantec or Comodo’s product lines due to Ballot 193. However, they may choose to discontinue 3-year certificates ahead of the industry-mandated deadline, or impose other changes to deal with this shift. If and when this happens, we will notify all our customers and be in contact with those whose active certificates are affected.