Over the second half of 2021, two changes in domain validation policy will take effect, which may impact how you validate domains when issuing publicly trusted TLS certificates. These policy changes apply to all new certificate requests, renewals, re-issues and pre-validated domains. These changes will have NO IMPACT on TLS/SSL certificates that have already been issued.
Domain revalidation will be required every 397 days instead of every 825 days
Over the past several years, there has been a concerted effort on the part of the CA/Browser Forum and various Root Programs to reduce the maximum validity of publicly-trusted certificates. The most recent reduction came last year when TLS certificates were limited to just 397 days of validity.
This is good for security: information becomes less reliable the further it gets from its validation date. Additionally, longer certificate lifespans limit crypto-agility and make it harder to roll out changes and updates. Shorter validity also encourages automating certificate lifecycle management, which eliminates the burdens historically associated with shorter validity and more frequent certificate rotation.
However, the most recent reduction to maximum validity only reduced the lifespan of the certificate itself; CAs and customers were still allowed to re-use validation information for 825 days. In September, the maximum time a domain validation lasts will be 397 days, aligning with the maximum validity of certificates. In many ways, this is just part two of last year's change.
GlobalSign will implement the changes on September 27, 2021.