End of 2-Year DV, OV, and EV public SSL/TLS certificates

On September 1, 2020, the industry stopped issuing 2-year public SSL/TLS certificates. The new maximum validity for public DV, OV, and EV SSL/TLS certificates is 398 days (approximately 13 months). See One-Year Public-Trust SSL Certificates: DigiCert’s Here to Help.

Following industry best practices, DigiCert implemented a 397-day maximum validity for all public DV, OV, and EV SSL/TLS certificates. This practice accounts for time zone differences and prevents Certificate Authorities from mis-issuing a public SSL/TLS certificate that exceeds the new 398-day maximum validity requirement.

This industry change does not affect these types of certificates:

• Private SSL/TLS
• Client
• S/MIME
• Code Signing
• EV Code Signing
• Document Signing

With the new 397-day maximum certificate validity, we recommend maximizing your SSL/TLS coverage by purchasing your new public SSL/TLS certificates with a DigiCert® Multi-year Plans.

Multi-year Plans allow you to pay a single discounted price for up to six years of SSL/TLS certificate coverage. With these plans, you pick the SSL/TLS certificate, the certificate validity, and the duration of coverage you want--up to six years. To learn more, see Multi-year Plans.

For those using the DigiCert Services API, you need to update your API workflows to account for the new maximum certificate validity of 397 days in your requests. See Services API.

Pending public SSL/TLS certificate orders with a validity greater than 397 days will automatically be converted to a Multi-year Plan.

This means:

• The first certificate for the order will be issued with a maximum validity of 397 days.
• The Multi-year Plan will keep the validity from the purchase.
  For example, if you ordered a 2-year certificate, your Multi-year Plan will be valid for 24 months.
• To use the remaining coverage on the order, you will need to reissue the certificate during the order's final 397 days.
  Each order comes with unlimited certificate reissues at no cost.

This change doesn’t affect active 2-year certificates issued before the August 27, 2020 deadline. These certificates will continue to be trusted until they expire.

For example, on August 10, 2020, you purchase a 2-year OV SSL/TLS certificate. We issue the certificate on August 12, 2020. When the certificate nears its expiration date, instead of renewing it with another 2-year SSL/TLS certificate, you’ll need to renew it with a 1-year certificate or order a certificate from the DigiCert® Multi-year Plan.

The shortened maximum certificate lifecycle period of 397 days impacts public 2-year SSL/TLS certificates when reissued or duplicated.

The following types of actions require you to reissue a certificate:

• Adding a domain to a certificate
• Removing a domain from a certificate
• Swapping out a domain on a certificate
• Changing organization information (name, address, phone number, etc.)
• Duplicating a certificate
• Replacing your private key /public key pair

Now when you reissue or duplicate a 2-year public SSL/TLS certificates, the new certificate will have a maximum validity of 397 days. This means some reissued certificates will expire before the order expires.

To use the remaining validity included with the order, reissue your certificates during the order's final 397-day period. You may request reissues with a validity of up to 397 days or the expiration of the order, whichever is soonest.

If you need to reissue a 2-year public SSL/TLS certificate and have questions about what to expect when the certificate is reissued, please contact your account representative or our Support team before you reissue it.

You can still renew a certificate order as early as 90 days to 1 day before it expires. When you renew, DigiCert will transfer as much remaining validity as possible to the renewed certificate without exceeding the new 397-day maximum certificate validity.

Any validity that cannot be transferred directly to the certificate will be transferred to your order, and the order will be converted to a Multi-year Plan. This means your renewal order may have a longer validity than the renewal certificate.

To use the extra validity included with the renewal order, reissue the certificates during the order's final 397-day period. You may request reissues with a validity of up to 397 days or the expiration of the order, whichever is soonest.