The validity periods for digital certificates are determined by their accepting organizations and usually conform to the recommendations given by the CA/Browser Forum, a voluntary group of certification authorities (CAs), vendors of Internet browser software, and suppliers of other applications that use X.509 v.3 digital certificates for SSL/TLS, code signing, and S/MIME.
These validity periods have been adjusted over time and will most likely continue to be changed. When software or a website receives an expired certificate, it will be unable to authenticate it and will refuse to accept it, causing major operational disruption.
Below, we’ll walk through what a digital certificate is, its benefits, how long certificates are valid, how you know when they’ve expired, how you can fix an expired certificate, and more.
What is a Digital Certificate?
A digital certificate is a file that proves the authenticity of an electronic system, such as a device, server, or user, through the use of public-key cryptography and the public key infrastructure (PKI).
By instituting this method of identification for devices and users, organizations can ensure their networks are secure. One popular type of digital certificate is an SSL certificate, which is used to confirm the authenticity of a website to a web browser.
Digital certificates contain identifiable information, such as domain name, organization, locality, and device information like IP address or serial number. They contain a copy of the holder's public key, bound to that information by a digital signature. Only the matching private key can prove that the presenter is the genuine holder and that the information within the certificate is accurate.
A public key certificate is issued by a certificate authority (CA) for this key pair; the CA signs it, and relying parties use that signature to verify the identity of the requesting device or user. Without the correct key, this pairing is impossible.
Two common digital certificates that you may know are:
Unless otherwise noted, this article will discuss TLS/SSL certificates.
Benefits and How They Are Used
Digital certificates are beneficial for several types of entities that want to increase cybersecurity and meet any necessary regulations. Primary users of these certificates can be sorted into categories of individuals, organizations, and websites.
To issue these certificates, CAs require certain information to be provided to them through a certificate signing request. Once this information has been validated, it is signed with a key and the certificate is issued to the requester.
This certificate can then be employed to verify the identity of the owner, ensuring that the owner actually owns the public key during client authentication, or provide the credentials of a website. This is important for many types of digital transactions. A consumer is more likely to give their credit card information to a website that can prove its identity to their browser/endpoint. They understand implicitly that their sensitive information is protected and that the website is encrypting private data.
Digitally signed certificates are also helpful for securing Internet of Things (IoT) devices. These devices connect to many different web servers and websites to complete the automated actions for which consumers rely on them. Certificates prove the identity of these devices so they can complete their tasks without human input.
Do Digital Certificates Expire?
Digital certificate validity periods are specific to each type of certificate. Currently, code signing certificates are valid for up to three years, while SSL certificates are valid for just over one year.
What Determines the Validity Period
Ultimately, the organizations that are accepting the certificates determine the validity period. These usually align with the recommendations from the CA/Browser Forum.
The CA/Browser Forum meets to vote on a variety of issues, often focusing on a set of baseline requirements for the issuance of trusted digital certificates. The CA/Browser Forum is not a governing body and has no enforcement capabilities. Acceptors have the final say and can be more or less strict than the recommendations made by the organization.
An interesting aspect of digital certificates is that their lifecycle, including the maximum validity period, is not determined by the issuer but by the acceptor, whose concerns and policies are reflected by the CA/Browser Forum through a ballot process. Acceptors are organizations that build things, like operating systems and browsers. They are focused on protecting end-user information, not on organizational processes. So companies such as Microsoft and Google would prefer to outright reject certificates that do not fit their criteria, and deny access temporarily, rather than simply accept all certificates.
TLS/SSL Certificate Validity Period
Starting in September of 2020, Transport Layer Security (TLS/SSL) certificates cannot be issued for longer than 13 months (397 days). This change was first announced by Apple at the CA/Browser Forum.
Prior to 2015, you could obtain the certificate with a validity period of up to five years. That was reduced to three in 2015, and then two in 2018. At the end of 2019, a ballot was proposed at the CA/Browser Forum that would have reduced validity to one year and was voted down. This decision was then overruled by a change in policy by Apple the following year.
Extended Validation (EV) certificates traditionally have different expiration dates and certificate management processes than Domain Validation (DV) or Organization Validation (OV) certificates, although in the case of SSL certificates the validity periods are the same.
How Do I Know When My TLS/SSL Certificate Expires?
All SSL certificates issued by trusted public CAs will expire within 397 days of their issuance date. It is important to renew any of them BEFORE they expire. Waiting will cause serious disruptions for organizations and their customers. Certificate expiration dates are clearly communicated by their issuers, and each issuer has its own certificate renewal process.
CAs usually provide notification ahead of the expiration date, so it is best practice to renew your certificate when the first notification is received to prevent certificate outages.
Often a certificate renewal applicant will need to re-authenticate portions of the information contained within their old certificate that they would like to see within the new one. The process for this is similar to the original issuing process.
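Relying on the CA's reminder e-mail alone is fragile, so an operator normally checks the expiry date directly from the certificate the server presents. The script below is an added example (not code from the original article or from any CA's tooling) and uses only the Python standard library: it reads the notBefore/notAfter fields in the dictionary format that `ssl.SSLSocket.getpeercert()` returns, reports how many days remain, flags certificates inside a renewal warning window, and also flags a certificate whose total lifetime exceeds the 397-day maximum described above, since browsers following the CA/Browser Forum rules will not accept it. The sample certificate dictionary, the host name and the 30-day warning window are constructed values for illustration.

```python
"""Expiry and lifetime check for a TLS certificate in getpeercert() form."""
import datetime
import socket
import ssl

# Maximum lifetime of a publicly trusted TLS certificate (CA/Browser Forum, Sept 2020).
MAX_VALIDITY_DAYS = 397


def cert_validity(cert):
    """Return (not_before, not_after) as timezone-aware UTC datetimes.

    `cert` has the dict shape produced by ssl.SSLSocket.getpeercert(); its time
    strings use the "Mon DD HH:MM:SS YYYY GMT" format understood by
    ssl.cert_time_to_seconds().
    """
    utc = datetime.timezone.utc
    not_before = datetime.datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), utc)
    not_after = datetime.datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), utc)
    return not_before, not_after


def assess(cert, now, warn_days=30):
    """Classify a certificate relative to `now`.

    Returns (status, days_remaining, lifetime_days) where status is one of
    "too-long" (lifetime over the CA/B maximum, so relying parties reject it),
    "expired", "renew-now" (inside the warning window) or "ok".
    """
    not_before, not_after = cert_validity(cert)
    days_remaining = (not_after - now).days
    lifetime_days = (not_after - not_before).days
    if lifetime_days > MAX_VALIDITY_DAYS:
        status = "too-long"
    elif days_remaining < 0:
        status = "expired"
    elif days_remaining <= warn_days:
        status = "renew-now"
    else:
        status = "ok"
    return status, days_remaining, lifetime_days


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch the leaf certificate a live server presents (needs network access).

    The default context verifies the chain and host name, so an already-expired
    certificate raises ssl.SSLCertVerificationError here rather than being returned.
    """
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() format; not a real certificate.
# Lifetime is exactly 397 days (2024 is a leap year), i.e. the maximum allowed.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("commonName", "Example Issuing CA"),),),
    "serialNumber": "0A1B2C",
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Feb  1 00:00:00 2025 GMT",
}


if __name__ == "__main__":
    now = datetime.datetime.now(datetime.timezone.utc)
    status, remaining, lifetime = assess(SAMPLE_CERT, now)
    print(f"{SAMPLE_CERT['subject'][0][0][1]}: {status}, "
          f"{remaining} days remaining, {lifetime}-day lifetime")
```

To monitor a real endpoint, replace `SAMPLE_CERT` with `fetch_peer_cert("your.host.example")`; run the check daily and treat "renew-now" as the trigger to start the renewal process, well before the first CA reminder would have arrived.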
How Do I Fix an Expired Certificate?
Certificate authorities have mechanisms to revoke expired certificates. This is done through what is called a certificate revocation list (CRL), which allows a CA to keep track of the certificates that have expired or been revoked for any reason.
To renew your certificate, you may need to revalidate information and this can often be done through CA platforms like Sectigo's Certificate Manager.
Benefits of Shorter Validity Periods
Short validity periods allow for algorithm changes to have larger impacts. For example, a few years ago, SHA-1 was deprecated in favor of SHA-2. Certificates at that time had validity periods of several years, often three or more. Since hashing algorithms are chosen at the time the certificate is generated rather than used, this meant that some certificates took years before they were using the new, more secure algorithm. Encrypting data using out-of-date algorithms can leave key information exposed.
Short validity periods offer an excellent workaround for this problem because algorithm changes can be automatically implemented upon renewal, making the waiting time for adoption negligible.
Learn more about how you can easily manage your certificate lifecycle with Sectigo’s Certificate Management system.