End of 2-Year DV, OV, and EV public SSL/TLS certificates

Improving SSL/TLS certificate security by moving to 1-year certificates

Industry says good-bye to 2-year public SSL/TLS certificates

On September 1, 2020, the industry stopped issuing 2-year public SSL/TLS certificates. The new maximum validity for public DV, OV, and EV SSL/TLS certificates is 398 days (approximately 13 months). See One-Year Public-Trust SSL Certificates: DigiCert’s Here to Help.

DigiCert stopped issuing 2-year public SSL/TLS certificates on August 27, 2020 6:00 pm MDT (August 28 00:00 UTC).

Following industry best practices, DigiCert implemented a 397-day maximum validity for all public DV, OV, and EV SSL/TLS certificates. This practice accounts for time zone differences and prevents Certificate Authorities from mis-issuing a public SSL/TLS certificate that exceeds the new 398-day maximum validity requirement.

This industry change does not affect these types of certificates:

  • Private SSL/TLS
  • Client
  • S/MIME
  • Code Signing
  • EV Code Signing
  • Document Signing

What do I need to do to?

With the new 397-day maximum certificate validity, we recommend maximizing your SSL/TLS coverage by purchasing your new public SSL/TLS certificates with a DigiCert® Multi-year Plans.

Multi-year Plans allow you to pay a single discounted price for up to six years of SSL/TLS certificate coverage. With these plans, you pick the SSL/TLS certificate, the certificate validity, and the duration of coverage you want--up to six years. To learn more, see Multi-year Plans.

Enterprise License Agreement (ELA) and Flat Fee contracts only support 1 and 2-year Multi-year Plans.

DigiCert Services API integrations

For those using the DigiCert Services API, you need to update your API workflows to account for the new maximum certificate validity of 397 days in your requests. See Services API.

What happens if my 2-year public SSL/TLS certificate was not issued by the August 27 deadline?

Pending public SSL/TLS certificate orders with a validity greater than 397 days will automatically be converted to a Multi-year Plan.

This means:

  • The first certificate for the order will be issued with a maximum validity of 397 days.
  • The Multi-year Plan will keep the validity from the purchase.
    For example, if you ordered a 2-year certificate, your Multi-year Plan will be valid for 24 months.
  • To use the remaining coverage on the order, you will need to reissue the certificate during the order's final 397 days.
    Each order comes with unlimited certificate reissues at no cost.

How does this affect my existing 2-year public SSL/TLS certificates?

This change doesn’t affect active 2-year certificates issued before the August 27, 2020 deadline. These certificates will continue to be trusted until they expire.

For example, on August 10, 2020, you purchase a 2-year OV SSL/TLS certificate. We issue the certificate on August 12, 2020. When the certificate nears its expiration date, instead of renewing it with another 2-year SSL/TLS certificate, you’ll need to renew it with a 1-year certificate or order a certificate from the DigiCert® Multi-year Plan.

How does this affect my 2-year certificate reissues and duplicate issues?

The shortened maximum certificate lifecycle period of 397 days impacts public 2-year SSL/TLS certificates when reissued or duplicated.

The following types of actions require you to reissue a certificate:

  • Adding a domain to a certificate
  • Removing a domain from a certificate
  • Swapping out a domain on a certificate
  • Changing organization information (name, address, phone number, etc.)
  • Duplicating a certificate
  • Replacing your private key /public key pair

Now when you reissue or duplicate a 2-year public SSL/TLS certificates, the new certificate will have a maximum validity of 397 days. This means some reissued certificates will expire before the order expires.

To use the remaining validity included with the order, reissue your certificates during the order's final 397-day period. You may request reissues with a validity of up to 397 days or the expiration of the order, whichever is soonest.

Example: Reissuing a 2-year public SSL/TLS certificate now

  1. On August 1, 2020 (before the August 27 deadline), we issued your 2-year multi-domain certificate—this is the original certificate.

    This certificate:

    • Has a maximum validity of 825 days
    • Expires on November 1, 2022 at the same time the order expires

  1. On November 1, 2020 (new 397-day maximum validity change implemented), you reissue the certificate.

    This reissued certificate:

    • Has a maximum validity of 397 days
    • Expires on December 1, 2021
    • Expires 335 days before the order expires
      (order expires on November 1, 2022)

  1. On January 1, 2021, you reissue the certificate.

    This reissued certificate:

    • Has a maximum validity of 397 days
    • Expires on February 1, 2022
    • Expires 273 days before the order expires
      (order expires on November 1, 2022)

  1. On April 1, 2022, you reissue the certificate a last time.

    This reissued certificate:

    • Has a validity of 214 days
    • Expires on November 1, 2022 at the same time the order expires

If you need to reissue a 2-year public SSL/TLS certificate and have questions about what to expect when the certificate is reissued, please contact your account representative or our Support team before you reissue it.

How does this affect my public SSL/TLS certificate renewals?

You can still renew a certificate order as early as 90 days to 1 day before it expires. When you renew, DigiCert will transfer as much remaining validity as possible to the renewed certificate without exceeding the new 397-day maximum certificate validity.

Any validity that cannot be transferred directly to the certificate will be transferred to your order, and the order will be converted to a Multi-year Plan. This means your renewal order may have a longer validity than the renewal certificate.

To use the extra validity included with the renewal order, reissue the certificates during the order's final 397-day period. You may request reissues with a validity of up to 397 days or the expiration of the order, whichever is soonest.

Example: Renewing a 1-year certificate order now

Order validity Certificate renewed Renewed certificate validity Days remaining on order
455 days 90 days before order expires 397 days (365 + 32) 58 days
425 days 60 days before order expires 397 days (365 + 32) 28 days
397days 30 days before order expires 397 days (365 + 32) 0 days
366 days 1 day before order expires 366 days (365 + 1) 0 days
365 days Day order expires 365 days 0 days

Über

DigiCert is the world's leading provider of scalable TLS/SSL, IoT and PKI solutions for identity and encryption. The most innovative companies, including 89% of the Fortune 500 and 97 of the 100 top global banks, choose DigiCert for its expertise in identity and encryption for web servers and Internet of Things devices. DigiCert supports TLS and other digital certificates for PKI deployments at any scale through its certificate lifecycle management solution, CertCentral®. The company is recognized for its enterprise-grade certificate management platform, fast and knowledgeable customer support, and market-leading security solutions. For the latest DigiCert news and updates, visit digicert.com or follow @digicert.

©2020 DigiCert, Inc. All rights reserved. DigiCert, its logo and CertCentral are registered trademarks of DigiCert, Inc. Norton and the Checkmark Logo are trademarks of NortonLifeLock Inc. used under license. Other names may be trademarks of their respective owners.