This FAQ answers some of the most common questions regarding the change to a 1-year (397 days) maximum SSL/TLS certificate validity:
Overview
What’s changing?
Due to changes in Apple and Google Root Store Policies, as of September 1, 2020, newly issued SSL/TLS certificates with a validity period greater than 13 months (397 days) are prohibited by policy and will not be trusted.
Therefore, as of August 31, 2020, TRUSTZONE will stop issuing 2-year publicly trusted SSL/TLS certificates.
In summary, as of August 31, 2020:
- TRUSTZONE will stop issuing 2-year publicly trusted SSL/TLS certificates
- The maximum validity for all newly issued or reissued publicly trusted SSL/TLS orders will be 13 months (or 397 days).
- The maximum validity of 13 months (or 397 days) includes QWACs
- 6-month certificate orders will be changed to have a maximum validity period of 7 months (or 214 days)
Note: We will continue to offer multi-year validity for Intranet SSL (privately trusted SSL/TLS).
When will this change go into effect?
August 31, 2020.
Existing 2 Year SSL/TLS Certificates
I have an existing SSL/TLS certificate with 2-year validity. Will it be trusted after September 1, 2020?
Yes, TLS certificates issued before September 1, 2020, with validity greater than 397 days will continue to be trusted until they expire.
What happens when I reissue an existing 2-year TLS/SSL certificate after this change goes into effect?
If you reissue a 2-year certificate after September 1, we will be required to limit the validity to 397 days. You can reissue the Certificate as needed in the future free of charge to reclaim the original validity time (see example below). This works the same way it did in 2018 when we went from 3-year maximum validity down to 2 years.
Let’s look at an example:
- A 2-year SSL/TLS certificate is ordered and issued on August 1, 2020. It’s valid until August 1, 2022.
- You reissue the certificate on September 15, 2020 (after the new maximum validity change has gone into effect). TRUSTZONE then has to truncate the reissued certificate to 397 days, changing the expiration date to October 17, 2021.
- When the reissued Certificate is within 397 days of original expiration, you can reissue the certificate again to claim the remaining validity (the validity that was truncated).
- You can reissue as many times as needed to regain the original expiration date (in this example August 1, 2022).
Please note that the EV reissue process is different due to the EV Guidelines (EVGL) requirements for reissuing certificates. While you can still reissue your certificates, they will be queued for manual review and we’ll need to verify that all validations are up to date before we can release them.
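The reissue example above, worked as date arithmetic in an added Python example (not TRUSTZONE's code). It assumes, as the FAQ's own dates do, that a truncated expiry is the reissue date plus 397 days; the function names and the `lead_days` margin are hypothetical.

```python
from datetime import date, timedelta

MAX_VALIDITY = timedelta(days=397)   # cap stated in this FAQ
POLICY_START = date(2020, 9, 1)      # certificates issued from this date are capped


def reissue_expiry(reissue_date, original_expiry):
    """Expiry a reissue receives: the original date, truncated to the cap if needed."""
    if reissue_date < POLICY_START:
        return original_expiry
    return min(original_expiry, reissue_date + MAX_VALIDITY)


def earliest_full_reclaim(original_expiry):
    """First day on which a reissue reaches the original expiry date."""
    return original_expiry - MAX_VALIDITY


def reissue_schedule(first_reissue, original_expiry, lead_days=30):
    """List (reissue_date, expiry) pairs until the original expiry is regained.

    lead_days is an assumed operational margin: how long before each truncated
    certificate expires the next reissue is requested.
    """
    if not 0 <= lead_days < MAX_VALIDITY.days:
        raise ValueError("lead_days must be between 0 and 396")
    schedule, when = [], first_reissue
    while True:
        expiry = reissue_expiry(when, original_expiry)
        schedule.append((when, expiry))
        if expiry >= original_expiry:
            return schedule
        # Reissue again shortly before the truncated certificate lapses.
        when = expiry - timedelta(days=lead_days)


if __name__ == "__main__":
    # Dates from the FAQ's example: reissued 2020-09-15, originally valid to 2022-08-01.
    original = date(2022, 8, 1)
    print("full validity can be reclaimed from", earliest_full_reclaim(original))
    for when, expiry in reissue_schedule(date(2020, 9, 15), original):
        print(f"reissue {when} -> expires {expiry}")
```

For the FAQ's dates, any reissue between the earliest reclaim date and the truncated expiry restores the original expiration in one step; longer original validity needs more than one further reissue, which the schedule shows.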
Impact on renewals and transfers
Can I still renew early or transfer a certificate from a competitor to receive a rollover/bonus time?
Effective August 31, 2020, when you order a 1-year SSL/TLS certificate, TRUSTZONE will automatically provide customers with the maximum validity of 397 days. Essentially, we are providing customers with a 1-year SSL/TLS certificate plus 30 days bonus automatically. This applies to new as well as renewal orders and provides maximum validity for our customers’ benefit.
When switching from a competitor to TRUSTZONE, the validity change means that we can no longer provide rollover time.
For early renewals: Given we can only provide a maximum of 397 days, we recommend that you renew your certificate within 30 days of expiration to avoid losing any rollover time. We will continue to allow customers to renew up to 90 days early; however, you will only receive a 397-day certificate. We will also adjust renewal email notifications to start at 30 days prior to expiration (instead of 90 days prior to expiration).