Relevant Items

SSL and 39 Months

Public trusted SSL uses 39 months for two purposes: certificate validity and information validation. These purposes are specified in the CA/Browser Forum Baseline Requirements. Certificate Validity As of April 1, 2015, certification authorities (CAs) will no longer be able to issue SSL certificates for a lifetime of longer than 39 months. In many cases, this means that your maximum will be a three year certificate. For CAs which let you choose your expiry date, they will provide a maximum that will not exceed 39 months from the issue date. Please also note that if you have a 4 year certificate, but would like to reissue the certificate with, let’s say, a remaining validity period of 43 months, then the CA will still have to limit the reissue to 39 months. Why limit certificate validity? The purpose is to control the certificate maximum lifetime, so the latest industry standards can be deployed into certificates in a quicker manner. We have seen the move from 1024-bit keys to 2048-bit keys and the migration from SHA-1 to SHA-2 signing. With shorter lifetimes, new standards can evolve within 39 months. Why 39 months? The industry thought that 3 years was about the right maximum lifetime and a good period for migration. The period was adjusted to 39 months as a convenience to certificates users. When you choose to renew your 3 year certificate, you might do so two months before it expires. Some CAs will add the remaining lifetime to the 3 years purchased, which would be 38 months. Adding the extra three months will allow certificates users to renew three months before their current certificate has expired. For Entrust users, we implemented our 39 month validity rule in December 2014. Other than the reissue item, you will not be impacted in April 2015. Information Validation The SSL Baseline Requirements also limit the lifetime of validated data used to issue a certificate to 39 months. For example, when you apply for a certificate, data such as your identity, domain ownership/control and authorization to issue a certificate may be verified depending on the certificate type. If you want to reissue the certificate, then the data does not have to be re-verified as long as you reissue within 39 months. The combination of 39 months certificate validity and 39 months for validated data will support each other. For example, if you had a 60 month certificate, then wanted it reissued after 43 months, then the CA would have to perform re-validation which may delay the issuance of your certificate. Now with the 39 month validity rule, you can never put yourself in that position. Extended Validation Certificates Please note the 39 months rules do not apply to EV certificates. For EV certificates, the maximum validity period is 27 months and can only be issued with data that has been validated in the last 13 months.

Entrust Datacard