Public trusted SSL uses 39 months for two purposes: certificate validity and information validation. These purposes are specified in the CA/Browser Forum Baseline Requirements.

Certificate Validity

As of April 1, 2015, certification authorities (CAs) will no longer be able to issue SSL certificates for a lifetime of longer than 39 months. In many cases, this means that your maximum will be a three year certificate. For CAs which let you choose your expiry date, they will provide a maximum that will not exceed 39 months from the issue date.

Please also note that if you have a 4 year certificate, but would like to reissue the certificate with, let’s say, a remaining validity period of 43 months, then the CA will still have to limit the reissue to 39 months.

Why limit certificate validity? The purpose is to control the certificate maximum lifetime, so the latest industry standards can be deployed into certificates in a quicker manner. We have seen the move from 1024-bit keys to 2048-bit keys and the migration from SHA-1 to SHA-2 signing. With shorter lifetimes, new standards can evolve within 39 months.

Why 39 months? The industry thought that 3 years was about the right maximum lifetime and a good period for migration. The period was adjusted to 39 months as a convenience to certificates users. When you choose to renew your 3 year certificate, you might do so two months before it expires. Some CAs will add the remaining lifetime to the 3 years purchased, which would be 38 months. Adding the extra three months will allow certificates users to renew three months before their current certificate has expired.

For Entrust users, we implemented our 39 month validity rule in December 2014. Other than the reissue item, you will not be impacted in April 2015.

Information Validation

The SSL Baseline Requirements also limit the lifetime of validated data used to issue a certificate to 39 months. For example, when you apply for a certificate, data such as your identity, domain ownership/control and authorization to issue a certificate may be verified depending on the certificate type. If you want to reissue the certificate, then the data does not have to be re-verified as long as you reissue within 39 months.

The combination of 39 months certificate validity and 39 months for validated data will support each other. For example, if you had a 60 month certificate, then wanted it reissued after 43 months, then the CA would have to perform re-validation which may delay the issuance of your certificate. Now with the 39 month validity rule, you can never put yourself in that position.

Extended Validation Certificates

Please note the 39 months rules do not apply to EV certificates. For EV certificates, the maximum validity period is 27 months and can only be issued with data that has been validated in the last 13 months.

Bruce Morton

Bruce Morton

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.