Setting the "validTo" time on certificates

Making sure certificate validity is compliant with industry standards

Historically, CertCentral set the validTo time on certificates to 12:00:00 UTC. This practice began when DigiCert was a smaller company. We wanted certificates to expire in our morning (MT) when we had more support staff available to assist customers in renewing expiring certificates.

Because we set the validFrom time on certificates to 00:00:00 UTC and the validTo time to 12:00:00 UTC, we added 12 hours plus one second to the validity period of every certificate. At the time, the industry guidelines around certificate validity were not as specific as they are today. Certificates with an extra 12 hours and one second were still compliant with industry standards.

How does CertCentral set the "validTo" time now?

One-second rule

Today, industry standards define allowed certificate lifetimes in exact numbers of days, expressed as a total number of seconds. If a certificate authority (CA) adds even one extra second to a certificate, the number of days is rounded up to a full day. This means a 397-day certificate validity plus one second is equal to 398 days when determining adherence to section 6.3.2 of the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates and Apple's validity requirements.

RFC 5280 definition of the certificate validity period

RFC 5280 defines the certificate validity period to be inclusive of both times: start and end. This means if you set the start time to 00:00:00 UTC and the end time to 00:00:00 UTC, the certificate validity will be equal to one second. Thus, if you set both the validFrom and the validTo times to 00:00:00 UTC, the certificate validity will include an additional second.

DigiCert: "validFrom" time 00:00:00 UTC – "validTo" time 23:59:59 UTC

Due to the industry's interpretation of RFC 5280, DigiCert now sets the validTo time to 23:59:59 UTC for the certificates we issue. Per RFC 5280, this validity period is inclusive of the second up to 00:00:00 UTC.

1-year certificate validity example

In this example, we want to issue a 1-year certificate that starts on October 15, 2020 00:00:00 UTC and ends on October 15, 2021 00:00:00 UTC. When we configure the validity for this certificate, we set the validFrom time to October 15, 2020 00:00:00 UTC and the validTo time to October 14, 2021 23:59:59 UTC. Per RFC 5280, the certificate is valid for the entire 365 days.

397-day certificate validity example

In this example, we want to issue a certificate for the industry recommended maximum validity of 397 days. When we configure the validity for this certificate, we set the validFrom time to October 15, 2020 00:00:00 UTC and the validTo time to November 11, 2021 23:59:59 UTC. Per RFC 5280, the certificate is valid for the entire 397 days.
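The inclusive validity arithmetic described above, as an added example that is not part of the original article: it measures a certificate's lifetime per RFC 5280 (notBefore and notAfter both inclusive), applies the one-second rounding rule, and derives a 23:59:59 validTo for a requested number of days. The dates are the 1-year example from the article plus a constructed legacy 12:00:00 UTC validTo; function names are assumptions.

```python
from datetime import datetime, timedelta, timezone
from math import ceil

SECONDS_PER_DAY = 86400
MAX_VALIDITY_DAYS = 397  # maximum cited in the article (BR section 6.3.2, Apple)


def utc(y, m, d, hh=0, mm=0, ss=0):
    """Build a timezone-aware UTC datetime."""
    return datetime(y, m, d, hh, mm, ss, tzinfo=timezone.utc)


def validity_seconds(not_before, not_after):
    """RFC 5280 validity is inclusive of both ends, so the lifetime is the
    difference plus one second (start == end gives a one-second certificate)."""
    return int((not_after - not_before).total_seconds()) + 1


def validity_days(not_before, not_after):
    """One-second rule: any partial day counts as a full day."""
    return ceil(validity_seconds(not_before, not_after) / SECONDS_PER_DAY)


def is_compliant(not_before, not_after, max_days=MAX_VALIDITY_DAYS):
    """True when the rounded-up lifetime does not exceed the allowed maximum."""
    return validity_days(not_before, not_after) <= max_days


def valid_to_for_days(not_before, days):
    """validTo that yields exactly `days` of inclusive validity: the start
    plus `days`, backed off one second so the end lands on 23:59:59."""
    return not_before + timedelta(days=days) - timedelta(seconds=1)


# Constructed sample values (hypothetical certificates, not real issuance data).
CURRENT_1Y = (utc(2020, 10, 15), utc(2021, 10, 14, 23, 59, 59))  # article's 1-year example
LEGACY_1Y = (utc(2020, 10, 15), utc(2021, 10, 15, 12, 0, 0))     # old 12:00:00 UTC practice

if __name__ == "__main__":
    for label, pair in (("current", CURRENT_1Y), ("legacy", LEGACY_1Y)):
        print(label, validity_seconds(*pair), "s =", validity_days(*pair), "days")
```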

Weekend and US holiday certificate expiration date adjustments

Site downtime due to an expired certificate is never good. However, if a certificate expires during the weekend, a site may be down for a prolonged period. During the weekend, it may take longer for a business to discover the problem, contact the correct people, and fix it.

Unless you request a specific end date for the certificate, CertCentral tries to adjust the validTo time on certificates so they don't expire on a weekend or a US holiday.