For the second time in the history of the Internet, the authorities governing SSL certificates have announced a shorter maximum certificate validity period: it is now 825 days, down from the previous length of 3 years. This change goes into effect March 1, 2018.
This decision affects ALL websites and web applications using SSL certificates. In this WOOF! we're going through the decision's factors, what effect it will have, and what (if anything) you need to do.
Who Governs SSL Certificates?
First, a brief reminder: SSL certificates (or "certs") are a method of securing websites. The cert encrypts the connection between your device and the website, shielding it from the rest of the Web. An SSL-secured website or app displays the HTTPS prefix in its URL, instead of HTTP.
SSL Certificates are issued & regulated by a consortium of private entities, who publish and verify the certificates. Hence they're called "Certificate Authorities."
Here's a link to the Certificate Authorities' Ballot 193: Ballot 193 – 825-day Certificate Lifetimes: CA/Browser Forum (March 17, 2017)
The Certificate Authorities and Web browsers voted to change the maximum lifetime of an SSL certificate. 100% of CAs and 100% of browsers voted for the new cert lifetimes (4 organizations abstained - ANF Autoridad de Certificación, Secom, Actalis, and Mozilla).
How an 825-Day SSL Cert Lifetime Affects Business Websites
This vote changes the interval for buying or renewing SSL certs. It moves the maximum lifetime for an SSL cert from 3 years to 825 days (about 2 years and 3 months).
It doesn't mean your SSL certificate becomes less secure. Or that you need to rush out and buy a new one. Your website should continue running without any problems. This only affects its SSL renewal interval.
Why Change SSL Certificate Lifetimes?
The main reason behind this change is to improve cybersecurity. Now all SSL cert users (i.e. most websites) must update their certificates sooner to the latest standards.
The new lifetime reduces the number of certificates still using older cryptographic standards. Examples of such upgrades are moving from 1024-bit to 2048-bit RSA key lengths, or moving from SHA-1 to SHA-2 hashing algorithms. Older cryptographic standards are easier for cybercriminals to hack.
Essentially, this requires websites to move off old security standards and onto new ones, strengthening the Web's overall security.
How It Applies to You/Your Website
If you have an SSL cert on your site already, you don't need to do anything. Existing certs will last until their pre-existing deadline. When you need to renew an SSL cert in the future (or buy a new one), it will have a maximum 825-day lifetime.
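To see where your own certs stand against the rule described above, here is an added example (not from the original article) that classifies certificates by validity period. It assumes certificate dates in the text form Python's ssl.getpeercert() returns, treats notBefore as the issue date, and uses constructed host names and dates.

```python
import ssl
from datetime import datetime, timezone

MAX_DAYS = 825                                      # cap stated in the article
CUTOFF = datetime(2018, 3, 1, tzinfo=timezone.utc)  # effective date stated in the article


def parse_cert_time(text):
    """Parse the 'Mon DD HH:MM:SS YYYY GMT' form used in ssl.getpeercert() dicts."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)


def audit(cert, now):
    """Classify one certificate dict against the 825-day rule as of `now`."""
    not_before = parse_cert_time(cert["notBefore"])  # assumption: equals issue date
    not_after = parse_cert_time(cert["notAfter"])
    lifetime = (not_after - not_before).days
    if now > not_after:
        status = "expired"
    elif not_before < CUTOFF:
        status = "grandfathered"   # issued before the change; runs to its own deadline
    elif lifetime > MAX_DAYS:
        status = "too-long"        # issued after the change with more than 825 days
    else:
        status = "ok"
    return {"lifetime_days": lifetime,
            "days_left": (not_after - now).days,   # useful for renewal reminders
            "status": status}


# Constructed sample inventory: hypothetical hosts, made-up dates.
SAMPLE = {
    "old-3yr.example": {"notBefore": "Jun  1 00:00:00 2017 GMT",
                        "notAfter": "Jun  1 00:00:00 2020 GMT"},
    "new-3yr.example": {"notBefore": "Apr  1 00:00:00 2018 GMT",
                        "notAfter": "Apr  1 00:00:00 2021 GMT"},
    "new-825.example": {"notBefore": "Apr  1 00:00:00 2018 GMT",
                        "notAfter": "Jul  4 00:00:00 2020 GMT"},
    "lapsed.example": {"notBefore": "Jan  1 00:00:00 2016 GMT",
                       "notAfter": "Jan  1 00:00:00 2018 GMT"},
}

if __name__ == "__main__":
    as_of = datetime(2018, 6, 1, tzinfo=timezone.utc)  # fixed date so output is stable
    for host, cert in SAMPLE.items():
        print(host, audit(cert, as_of))
```

A cert issued before March 1, 2018 with a 3-year span is reported as grandfathered, while the same span on a cert issued after that date is reported as too long.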
Google does factor HTTPS into its search rankings. If your website doesn't have an SSL certificate, it gets an SEO penalty. If your website does have an SSL Certificate, it gets an SEO benefit. See our HTTPS Tech Tip from 2017 for more details.
Shorter SSL Certificate Lifetimes Mean Faster Adoption of New Security Rules
This action isn't a big surprise. Over time, it will end up improving the entire Web's cybersecurity protection. As more businesses adopt HTTPS (and they all should soon!), newer SSL certificates will introduce new protections to each, bolstering the Web site by site.
As we've done for our customers in the past, we'll continue to send reminders when your SSL cert approaches its expiration date.
Need an SSL certificate added to your site? Email us at firstname.lastname@example.org for help.