In a previous blog post we reported that Google and Microsoft are encouraging Certification Authorities (CAs) to deprecate the vulnerable and outdated SHA-1 cryptographic hash algorithm and move to the stronger SHA-2.
Starting January 1, 2016, CAs must not issue any new SSL certificates using the SHA-1 hash algorithm. CAs may continue to sign certificates to verify OCSP responses using SHA-1 until January 1, 2017. This year also began with an important update.
According to Certificate Authority/Browser (CA/Browser) Forum guidelines [1], starting March 1, 2015, SSL certificates will be limited to a maximum validity of 39 months. The restriction affects all SSL certificate brands (Symantec, Comodo, Thawte and GeoTrust), for all four- and five-year domain validation, organization validation and wildcard certificates. However, EV certificates will not be affected by the update, as they are already limited to a two-year validity period. The update will affect the behaviour of CAs and the way browsers display certificates issued for any validity period longer than 39 months.
At SSLs.com, we will disable the ability to purchase SSL certificates for durations longer than three years by February 26, 2015 for all of our SSL brands.
What You Should Do:
- If you order a new four- or five-year SSL certificate before February 26, 2015 and reissue it any time after March 1, 2015, you will get a maximum validity of no more than 39 months. However, you will be able to reissue it again before this 39-month validity period expires, to get the additional months remaining on your SSL certificate. Each reissued certificate will again be valid for no more than 39 months. If the certificate expires with some time remaining on it from the initial purchase, no refund for the lost time will be issued.
- Any active four- or five-year certificate that is purchased before February 26, 2015 and reissued before this deadline will be unaffected.
- If you order any four- or five-year certificates before February 26, 2015 but do not activate them before February 27, 2015, they will not be available for activation anymore. You will need to contact our Support Team to get them cancelled, to obtain a full refund and order a three-year certificate instead.
Need more information? We are happy to provide 24/7 support and online chat to help you with SSL validation or any website security related questions.
[1] The Certificate Authority/Browser (CA/Browser) Forum is an unincorporated voluntary consortium of CAs and vendors of internet browser software, operating systems and applications that use X.509 v.3 digital certificates for SSL/TLS and code signing. Its members develop and establish requirements for CAs and work on improving online security for internet users.