The CAB Forum (CA Forum) is the governing body that moves the security of the internet with SSL Certificates. The CA/Browser Forum began in 2005 as part of an effort among certification authorities and browser software vendors to provide greater assurance to Internet users about the web sites they visit by leveraging the capabilities of SSL/TLS certificates. The Ballots they pass together are geared to propelling the internet into a more safer environment.
What was passed in Ballot 193?
- Maximum SSL validity period will be restricted to 2 year (825 days / 27 months) effective March 1, 2018.
- Authentication domain and organization vetting will only be valid for 27 months effective April 22, 2017
What does this mean?
- Eventually there will be no more 3 year option for SSL/TLS Certificate enrollments.
- Some CA’s will be proactive and not wait until the March 1 2018 to stop issuing 3 year certificates.
- Network Administrators will have to visit there server systems more often.
- Some browsers may enforce this validity by throwing up errors or warnings if a certificate has a validity of over 3 years. Although the CA Forum states this applies to only new and reissued certificates after March 1st 2018. Chrome for example, likes to enforce things thinking they own the internet outside the Migration Standards of the CA Forum.
Since the technical validity of a certificate after the date of March 1, 2018 can only have a 27 month / 825 day lifespan if for whatever reason a reissue is needed the certificate may have time removed from their certificate.
Example: If an Admin gets a new/renewed 3 year certificate on February 29th 2018 and needs to perform a reissue due to a technical matter we could see a certificate cut to 27 months instead of 37 months.
Recommendations:
- Plan ahead and consider already getting a two year certificate.
- If you still want to get a 3 year certificate give yourself enough time (a couple of months) to enroll and install your SSL Certificate. Certificates issued before March 1, 2018 will be grandfathered in but a new or reissued certificate will have to meet this standard regardless of time on initial certificate.
To keep up with the progress of technology the CA/Browser Forum is always coming up with new industry standards. These standards guide and move the internet to a more safer and secure environment for its users. Information regarding the CA/B Forum on is always made publically available at cabforum.org
Posted by:
Dominic Rafael
Senior Lead IT Engineer
Be sure to Subscribe!!