FAQ on change to maximum validity period for server certificates
Change to Certificate Service – from 1st March 2018
Q1) What is the change in the maximum duration of certificates?
A) The maximum duration will be limited to 2 years; currently it is 3 years.
Q2) What certificates are affected?
A) Only medium assurance Organisation Validated (OV) certificates. High assurance Extended Validation (EV) and Wildcard certificates are already limited to 2 years.
Q3) Who is driving this change?
A) It is the industry regulator, the CA/Browser Forum, who passed a ballot limiting the duration of all SSL/TLS certificates to a maximum of 2 years. Theoretically, the maximum has been set to 825 days but Certificate Authorities generally only issue certificates in whole years.
Q4) What type of certificate does Jisc recommend securing your website/webservice with?
A) There will no longer be a difference between SSL/TLS certificate types, and since there is also no cost differential, there is an overwhelming case to use EV certificates in all but a small number of circumstances.
Q5) Are there any reasons why you might still want to use an OV certificate?
A) Yes, if you require a certificate with more than 20 specific domains to be included in one certificate. EVs can hold up to 20 and an OV certificate can hold up to 50 individual domains.
Q6) What are the benefits of Extended Validation certificates?
A) There are a number of reasons for using EV certificates, including:
- Instantly recognised by users visiting a website, because the legal name of the organisation to whom the certificate has been issued is displayed next to the address bar.
- The address bar turns green, or the text in the address bar turns green (depending on the browser being used).
- Only issued to the requesting organisation after more rigorous checks have been completed and satisfied, in line with strict rules governing their issue.
Q7) Are EVs more difficult and time consuming to get hold of?
A) No, Jisc customers can get these just as quickly as other types of certificates. Since we re-procured the service and moved to the current supplier QuoVadis, the time it takes has changed from several days with additional paperwork to be completed, to just a couple of minutes.
Q8) Does an EV cost more than an OV certificate?
A) No, they cost the same. The price of an EV is £35 or less from Jisc, which represents a 70-80% discount to the commercial market.
Q9) Are End User certificates affected by this change?
A) No, S/MIME certificates used for digitally signing emails, and optionally encrypting messages, are still valid for up to three years and customers can continue to obtain these from the Jisc Certificate Service.
Q10) What happens to existing 3-year certificates?
A) All existing certificates and certificates issued up until 1st March will continue to be valid for three years after they were issued.
Comments
Will there be a reduction in cost in OV certificates to compensate for the reduced length of time for which they are valid?
Hi Tomo,
Our own costs are not reducing as a result of the change so we're unable to pass on any cost savings to customers. If it's any consolation, since charging was introduced in 2013 prices have not changed for certificates with less than 5 domains. All certificates, not least the Extended Validation type, still represent a substantial saving to that of the commercial market.