Historically, CertCentral set the validTo time on certificates to 12:00:00 UTC. This practice began when DigiCert was a smaller company. We wanted certificates to expire in our morning (MT) when we had more support staff available to assist customers in renewing expiring certificates.
Because we set the validFrom time on certificates to 00:00:00 UTC and the validTo time to 12:00:00 UTC, we added 12 hours plus one second to the validity period of every certificate. At the time, the industry guidelines around certificate validity were not as specific as they are today. Certificates with an extra 12 hours and one second were still compliant with industry standards.
Today, industry standards define allowed certificate lifetimes in exact numbers of days, defined by total number of seconds. If a certificate authority (CA) adds even one extra second to a certificate, the number of days is rounded up to a full day. This means a 397-day certificate validity plus one second is equal to 398 days when determining adherence to section 6.3.2 of the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates and Apple's validity requirements.
RFC 5280 defines the certificate validity period to be inclusive of both times: start and end. This means if you set the start time to 00:00:00 UTC and the end time to 00:00:00 UTC, the certificate validity will be equal to one second. Thus, if you set both the validFrom and the validTo times to 00:00:00 UTC, the certificate validity will include an additional second.
Due to the industry's interpretation of RFC 5280, DigiCert now sets the validTo time to 23:59:59 UTC for the certificates we issue. Per RFC 5280, this validity period is inclusive of the second up to 00:00:00 UTC.
1-year certificate validity example
In this example, we want to issue a 1-year certificate that starts on October 15, 2020 00:00:00 UTC and ends on October 15, 2021 00:00:00 UTC. When we configure the validity for this certificate, we set the validFrom time to October 15, 2020 00:00:00 UTC and the validTo time to October 14, 2021 23:59:59 UTC. Per RFC 5280, the certificate is valid for the entire 365 days.
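The inclusive counting behind this example, and the round-up rule described earlier, worked through in Python. This is an added illustration, not DigiCert or CertCentral code; the function names are hypothetical, and the dates are the ones from the 1-year example.

```python
from datetime import datetime, timedelta, timezone

DAY = 86400  # seconds in one day


def utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc)


def inclusive_seconds(valid_from, valid_to):
    """Both endpoints count (RFC 5280), hence the extra second."""
    if valid_to < valid_from:
        raise ValueError("validTo is earlier than validFrom")
    delta = valid_to - valid_from
    return delta.days * DAY + delta.seconds + 1


def validity_days(valid_from, valid_to):
    """Whole days, with any partial day (even one second) rounded up."""
    return -(-inclusive_seconds(valid_from, valid_to) // DAY)


def latest_valid_to(valid_from, max_days):
    """Latest validTo that keeps the inclusive period within max_days."""
    return valid_from + timedelta(days=max_days, seconds=-1)


def within_limit(valid_from, valid_to, max_days=397):
    return validity_days(valid_from, valid_to) <= max_days


if __name__ == "__main__":
    start = utc(2020, 10, 15)  # validFrom from the example above
    cases = {
        "validTo 23:59:59 (current practice)": utc(2021, 10, 14, 23, 59, 59),
        "validTo 00:00:00 the next day": utc(2021, 10, 15),
        "validTo 12:00:00 (historical practice)": utc(2021, 10, 15, 12),
    }
    for label, end in cases.items():
        print(f"{label}: {validity_days(start, end)} days")
    # 397-day limit: one second past the latest validTo counts as 398 days.
    edge = latest_valid_to(start, 397)
    late = edge + timedelta(seconds=1)
    print(validity_days(start, edge), within_limit(start, edge))
    print(validity_days(start, late), within_limit(start, late))
```

Only the 23:59:59 end time yields exactly 365 days; the other two end times count as 366.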
397-day certificate validity example
In this example, we want to issue a certificate for the industry-recommended maximum validity of 397 days. When we configure the validity for this certificate, we set the validFrom time to October 15, 2020 00:00:00 UTC and the validTo time to November 11, 2021 23:59:59 UTC. Per RFC 5280, the certificate is valid for the entire 397 days.
Site downtime due to an expired certificate is never good. However, if a certificate expires during the weekend, a site may be down for a prolonged period. During the weekend, it may take longer for a business to discover the problem, contact the correct people, and fix it.
Unless you request a specific end date for the certificate, CertCentral tries to adjust the validTo time on certificates so they don't expire during the weekend and to avoid US holidays.