397 Day Maximum TLS Certificate Validity

Aug 10, 2020


Overview

What's changing?

Due to changes in Apple and Google Root Store Policies, as of September 1, 2020, newly issued SSL/TLS Certificates with a validity period greater than 13 months (397 days) are prohibited by policy and will not be trusted. Therefore, as of August 31, 2020, GlobalSign will stop issuing 2-year publicly trusted SSL/TLS Certificates.

In summary, as of August 31, 2020:

  • GlobalSign will stop issuing 2-year publicly trusted SSL/TLS Certificates
  • The maximum validity for all newly issued or reissued publicly trusted SSL/TLS orders will be 13 months (or 397 days) - this includes QWACs (Qualified Website Authentication Certificates)
  • 6-month Certificate orders will be changed to have a maximum validity period of 7 months (or 214 days)
  • Note: We will continue to offer multi-year validity for Intranet SSL (privately trusted SSL/TLS)

When will this change go into effect?

August 31, 2020

Existing 2 Year TLS/SSL Certificates

I have an existing TLS/SSL Certificate with a 2-year validity. Will it be trusted after September 1, 2020?

Yes, TLS Certificates issued before September 1, 2020 with a validity greater than 397 days will continue to be trusted until they expire.

What happens when I reissue an existing 2-year TLS/SSL Certificate after this change goes into effect?

If you reissue a 2-year Certificate after September 1, we will be required to limit the validity to 397 days. You can reissue the Certificate as needed in the future, free of charge, to reclaim the original validity time (see example below). This works the same way it did in 2018 when we went from a 3-year maximum validity down to 2 years.

Let's look at an example:

  • A 2-year TLS Certificate is ordered and issued on August 1, 2020. It’s valid until August 1, 2022.
  • You reissue the Certificate on September 15, 2020 (after the new maximum validity change has gone into effect). We have to truncate the reissued Certificate to 397 days, changing the expiration date to October 17, 2021.
  • When the reissued Certificate is within 397 days of the original expiration, you can reissue the Certificate again to claim the remaining validity (that was truncated).
  • You can reissue as many times as needed to regain the original expiration date (in this example August 1, 2022).
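
The reissue arithmetic from this example, worked through in code. This is an added example, not GlobalSign code: it works at whole-day granularity, and the function names and the choice to reissue 30 days before each truncated Certificate expires are assumptions made for illustration.

```python
from datetime import date, timedelta

MAX_VALIDITY = timedelta(days=397)   # cap stated on this page
POLICY_START = date(2020, 9, 1)      # enforcement date stated on this page


def violates_policy(not_before: date, not_after: date) -> bool:
    """True if issued on/after the enforcement date with more than 397 days."""
    return not_before >= POLICY_START and (not_after - not_before) > MAX_VALIDITY


def reissued_expiry(reissue_date: date, original_expiry: date) -> date:
    """Expiry a reissue gets: the original expiry, truncated to 397 days."""
    return min(original_expiry, reissue_date + MAX_VALIDITY)


def earliest_full_reissue(original_expiry: date) -> date:
    """First day a reissue can carry the full original expiry date."""
    return original_expiry - MAX_VALIDITY


def reissue_plan(first_reissue: date, original_expiry: date, lead_days: int = 30):
    """(reissue date, resulting expiry) pairs until the original expiry is
    regained, reissuing lead_days before each truncated certificate expires."""
    if not 0 <= lead_days < MAX_VALIDITY.days:
        raise ValueError("lead_days must be between 0 and 396")
    plan, when = [], first_reissue
    while True:
        expiry = reissued_expiry(when, original_expiry)
        plan.append((when, expiry))
        if expiry == original_expiry:
            return plan
        when = expiry - timedelta(days=lead_days)


if __name__ == "__main__":
    # Constructed input: the dates from the example above.
    original = date(2022, 8, 1)
    for when, expiry in reissue_plan(date(2020, 9, 15), original):
        print(f"reissue {when} -> expires {expiry}")
    print("full validity reclaimable from", earliest_full_reissue(original))
```

`violates_policy` can also be run over a certificate inventory to flag any Certificate issued on or after September 1, 2020 whose validity exceeds 397 days.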

Please note that the EV reissue process is different due to the EV Guidelines (EVGL) requirements for reissuing Certificates. While you can still reissue your Certificates, they will be queued for manual review and we’ll need to verify all validations are up to date before we can release them.

Impact to Renewals and Transfers

Can I still renew early or transfer a Certificate from a competitor to receive rollover/bonus time?

  • Effective August 31, 2020 when you order a 1 year TLS/SSL Certificate, GlobalSign will automatically provide customers with the maximum validity of 397 days. Essentially, we are providing customers with a 1 year TLS/SSL Certificate plus 30 days bonus automatically. This applies to new and renewal orders, to provide maximum validity for our customers' benefit.
  • For "Transfers from a Competitor": We will be removing the "transfer" button from the ordering process since we can no longer provide roll over time.
  • For early renewals: Given we can only provide a maximum of 397 days, we recommend renewing within 30 days of expiration to avoid losing any "roll over time." We will continue to allow customers to renew up to 90 days early; however, you will only receive a 397 day Certificate. We will also change renewal email notifications to start at 30 days prior to expiration (instead of 90 days prior to expiration).

We encourage you to read more about this change and subscribe to our GlobalSign Blog linked here:
https://www.globalsign.com/en/blog/maximum-ssltls-certificate-validity-now-one-year
