
Life Expectancy Shortened for SSL Certificates: Validity Periods Reduced to 2 Years by CAB Forum Ballot

March 28, 2017 | David Bisson

SSL certificate validity periods are essential to helping the industry move faster when adopting cryptographic algorithm changes, fixing mistakes, and distrusting CAs that are no longer in operation. Even more importantly, these certificate lifetime designations are harbingers of trust, as shown by Google's recent move to reduce Symantec validity periods after a series of certificate-related infractions. A limited validity period also protects users against malicious actors: the shorter the validity period, the less chance of a certificate being stolen or compromised.

Web browsers and CAs agree that SSL certificate validity periods help strengthen clients' trust of secure connections. Even so, consensus on how long a digital certificate's lifetime should be is elusive.

For example, Ryan Sleevi, a software engineer at Google, created a proposal named "Certificate Authority and Browser (CAB) Forum Ballot 185" that would have reduced the validity period from 39 months to just 18 months. Google and Mozilla supported the proposal, but other industry actors, including most CAs, declined to get behind the cause. Their main reasons for doing so were the operational and infrastructure costs they perceived the change would bring.

Robin Alden from Comodo said as much in defense of his "No" vote for the proposal:

"We are committed to security. Usable security. We represent many certificate holders who do not yet have sufficient technical expertise, manpower and/or automation to be able to cope with this proposed reduction in the maximum validity period."

Technically, Google could move ahead and set requirements for certificates that are consistent with CAB Forum Ballot 185 despite other industry actors having voted it down. SSL certificates need to be usable with all browsers. As a result, certificate authorities and other web browsers would have no choice but to comply were Google to act unilaterally.

But irrespective of Google's next move, the Chrome provider has already helped move the industry to shorter SSL certificate validity periods. Following the defeat of CAB Forum Ballot 185, another proposal called CAB Forum Ballot 193 emerged. This proposal, which has since passed, says SSL certificates will be limited to two years.

Leading up to March 2018, when CAB Forum Ballot 193 officially takes effect, organizations can purchase SSL certificates that will protect them for the current validity period of 39 months until June 2020. But they will now need to be prepared for 2-year certificates as the industry moves closer to validity periods such as those specified in CAB Forum Ballot 185.

All these changes place pressure on organizations to keep up with their SSL certificates' validity periods and to renew their certificates when they expire. Plus, if these periods change, as they did recently for Symantec, organizations need to be prepared to act quickly to replace impacted certificates. Fortunately, these organizations can invest in software that helps them identify and monitor certificates, thereby avoiding the costs and risks of expired SSL certificates.

Does your organization have what it takes to inventory certificate validity periods? 

About the author

David Bisson

David is a Contributing Editor at IBM Security Intelligence. David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.
