Recently we received questions from our partners about whether NicSRS can still sell SSL certificates of more than two years, since most browsers, such as Apple's Safari and Google Chrome, have limited the maximum validity of an SSL certificate to 13 months since last year. Some of you may have heard the story; for others it may be new.
Today we take up this topic and trace its history, so that our customers and friends can better understand what the change means, what its impact is on customers and resellers, and why a reseller like NicSRS can keep purchasing multi-year SSL certificates.
Background for the 398-day maximum validity of SSL certificates:
To be more exact, let's go back a little earlier. On Feb. 19th, 2020, Apple announced at the 49th CA/B (CA/Browser) Forum face-to-face meeting that, starting Sept. 1st, its Safari browser would limit the term of accepted SSL/TLS leaf certificates to 398 days.
As we know, the maximum lifetime of an SSL/TLS certificate had already been shortened from five years to three years, and later to two years. Apple Safari, which ranks second among web browsers per most statistics, was the first to move further, shortening the period to 398 days (13 months). The reasoning is to focus on customer website security and improve satisfaction: requiring SSL/TLS certificates to be renewed on a shorter lifespan ensures that security updates are rolled out into the wild faster and certificate keys are updated more frequently, making websites more secure, in theory.
Whichever browser takes the first step, the others will follow suit. In June, Google Chrome, No. 1 in browser market share, followed with an announcement that it joins Apple in limiting public SSL/TLS certificates to 398 days starting Sept. 1st. So it was just a matter of time before all browsers fell in line.
What was the feedback from Certificate Authorities?
This change was no surprise to the SSL/TLS industry, as the argument had been made for several years. Google had previously put the initiative to the CA/B Forum, where it failed on the ballot; now Apple picked it up and moved ahead, and the SSL/TLS CAs were aware of the trend and ready for it. Most of the world's leading commercial CAs (Certificate Authorities) announced their corresponding actions on their websites, one by one, before Sept. 01.
DigiCert, a leading commercial CA, published a notice in June: “On September 1, all Certificate Authorities are required to stop issuing 2-year TLS/SSL certificates. The new industry-allowed maximum validity will be 1 year (398 days). DigiCert is limiting the maximum certificate validity to 397 days to account for differences in time zones. This change applies to all publicly trusted SSL certificates.”
“DigiCert will offer 2-year certificates until August 27, 5:59 pm MDT (23:59 UTC) for organizations that are already validated.
DigiCert will offer 2-year certificates until August 12, 5:59 pm MDT (23:59 UTC) for organizations that need to be validated.
Any pending 2-year orders that have not been issued by August 27 will convert to a 2-year Multi-year Plan (see below), and the initial certificate will be issued with a validity of 397 days.”
This change does not affect these types of certificates:
EV Code Signing
In place of the discontinued 2-year public SSL/TLS certificates, DigiCert offers multi-year plan coverage as an option. This allows a customer to place a single order covering multiple years; the certificate is then renewed annually, because DigiCert can issue an SSL certificate with a maximum of 397 days at a time.
Sectigo, another large commercial CA, also responded: Starting Wednesday, August 19, 2020, Sectigo will no longer be able to offer two-year public TLS certificates due to an industry-wide requirement set by Apple and Google, stating that any two-year TLS certificate issued after August 30, 2020 will be distrusted in their browsers. Any two-year TLS certificate issued before 12:00am UTC on August 19, 2020 will be valid for two years (up to 825 days). Beginning August 19, 2020, Sectigo will only be issuing one-year (up to 398 days) TLS certificates. This only applies to public TLS certificates.
Sectigo also published an option for customers: SSL subscriptions of 2 to 5 years. Customers do not need to change anything and can purchase directly from a Sectigo reseller portal such as NicSRS; the subscription SSL bundles are offered for single, multi-domain and wildcard Positive SSL, Instant SSL and Comodo SSL. This allows a customer to place an order for a certificate of more than two years; the certificate is then renewed annually, because Sectigo can issue an SSL certificate with a maximum of 398 days at a time per industry regulation.
How will this affect customers?
Basically, there is no major impact on customers. SSL/TLS certificates issued prior to Sept. 01 are not affected (note, though, that each CA's cutoff date for placing multi-year orders may vary). The change affects only publicly trusted SSL leaf certificates ordered after Sept. 01.
Fortunately, given the new options from some CAs described above, we believe this is a win-win solution that protects the interests of both CAs and customers. For example, customers can still enjoy discounted multi-year pricing, and they also save at least four repeat purchases for one 5-year certificate. The long and complicated purchasing and approval process can be a headache. The CAs, for their part, protect their business.
Site admins just need to know that any certificate of more than two years issued on or after Sept. 01 has to be renewed every year. Some may ask whether this increases the workload, since customers have to remember to renew each certificate or it will expire. If you work with a trusted reseller, such as NicSRS, this is not an issue: they help the customer remember the date and send a reminder email 30 days before expiry.
How will this affect resellers?
TLS/SSL certificate resellers can keep selling certificates of more than two years through multi-year plan coverage. These certificates still have to be renewed and replaced annually per browser guidelines, so a reseller had better set up automatic emails reminding customers to renew before the certificate expires; without such a function, reminders can be handled manually, though that may increase the workload.
How does purchasing a certificate of more than two years work on NicSRS?
In a nutshell, the NicSRS platform offers multi-year certificates of 2 to 6 years, depending on each CA's products, and follows each CA's rules when issuing certificates to customers.
Since we are now in 2021, we don't have to consider the difference between orders placed before and on or after the cutoff of Sept. 01, 2020: old orders placed before that time are not affected at all. For all new multi-year SSL certificate orders, the rule is easy to remember: NicSRS helps issue the maximum number of days for each year, 398 days, provided the CA allows it.
Take a 2-year certificate as an example: assuming the total purchased is 2*365=730 days, the first year's certificate is issued with a validity of 398 days, and the next year's renewal covers the remaining 332 days.
Take a 3-year certificate as an example: assuming the total purchased is 3*365=1095 days, the first year's certificate is issued with a validity of 398 days, the second year's renewal is also 398 days, and the last year's renewal covers the remaining 299 days.
You can now easily work out the validity days for each year of a 4-year or 5-year certificate using the same logic.
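The yearly split and the 30-day reminder described above, worked through as an added example (this is not NicSRS's or any CA's own code). The function names are hypothetical, the order date is constructed, and the plan assumes each replacement certificate is issued on the day the previous one expires.

```python
from datetime import datetime, timedelta, timezone

MAX_VALIDITY_DAYS = 398  # browser limit described in this article
ENFORCED_FROM = datetime(2020, 9, 1, tzinfo=timezone.utc)  # Sept. 1st, 2020 cutoff

def plan_schedule(years, max_days=MAX_VALIDITY_DAYS):
    """Split a plan of years*365 days into per-issuance validity days."""
    if years < 1 or max_days < 1:
        raise ValueError("years and max_days must be positive")
    remaining, schedule = years * 365, []
    while remaining > 0:
        days = min(max_days, remaining)
        schedule.append(days)
        remaining -= days
    return schedule

def issuance_plan(start, years, remind_days=30, max_days=MAX_VALIDITY_DAYS):
    """Return (issued, expires, reminder) for each certificate in the plan.

    Assumption: each replacement is issued on the day the previous one expires.
    """
    plan, issued = [], start
    for days in plan_schedule(years, max_days):
        expires = issued + timedelta(days=days)
        plan.append((issued, expires, expires - timedelta(days=remind_days)))
        issued = expires
    return plan

def exceeds_browser_limit(not_before, not_after):
    """True if a leaf certificate issued on/after the cutoff runs past 398 days."""
    if not_before < ENFORCED_FROM:
        return False  # certificates issued before Sept. 1st, 2020 are not affected
    return (not_after - not_before) > timedelta(days=MAX_VALIDITY_DAYS)

if __name__ == "__main__":
    start = datetime(2021, 1, 1, tzinfo=timezone.utc)  # constructed order date
    for issued, expires, reminder in issuance_plan(start, 3):
        flag = "over limit" if exceeds_browser_limit(issued, expires) else "ok"
        print(f"{issued:%Y-%m-%d} -> {expires:%Y-%m-%d}  remind {reminder:%Y-%m-%d}  {flag}")
```

Passing `max_days=397` reproduces the shorter per-issuance limit DigiCert states in its notice.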
Please note that the CA reserves all rights of interpretation; NicSRS will help customers check and provide explanations.