FAQ: Maximum Certificate Terms of 27 months

Change in Certificate Lifetimes

The CA/Browser Forum recently implemented a change in Certification Authorities’ policy requirements, reducing the maximum lifetime for all TLS/SSL certificates to 825 days, this is just over 27 months.  This is a reduction from the existing maximum term of 39 months.
 
As a result, Comodo CA will adopt these new lifetime requirements effective March 1, 2018 and these certificates will be removed from our retail website.

Q: Why will Comodo CA stop issuing 3-year certificates?
A: This is an industry-wide directive which affects all certificate authorities. In accordance with the CA/Browser Forum Baseline Requirements, effective March 1, 2018, Certificate Authorities (CAs) will no longer be able to issue SSL Certificates with a validity period longer than 27-months.

Q: When will the 27-month maximum term limitation take effect?   
A: March 1, 2018

Q: Is Comodo CA the only certificate authority to stop issuing 3-year certificates?
A: No, the requirement applies to every CA. If a certificate is issued after March 1, 2018 with a validity period of greater than 27-months, then the issuing CA will be in breach of the requirements.

Q: Can I renew a 3-year certificate and get another one for the same duration?
A: 
Yes, you can renew or replace an existing 3-year certificate after March 1, 2018, but to make up the full duration, we will issue one certificate for 27-months then a second certificate valid for the remaining time. So, for example, if you renew/replace a certificate with 3-year duration, we will issue a 2-year cert followed by a 1-year cert when the first one expires.

Q: What if I already paid for a 3-year term?  Does that purchase get honored?
A: 
Yes. If you purchased the certificate before March 1st 2018, then nothing will change. Your 3-year cert will remain valid for its full lifetime. If you decide to replace this certificate after March 1st 2018, or it comes up for renewal, then the new laws come into play.

In summary:

  • If you purchased a 3-year certificate before March 1, 2018, then nothing will change. The certificate will remain valid throughout its full lifetime.

  • If you renew/replace an existing 3-year certificate AFTER March 1st, then we will initially issue a 2-year certificate. When this nears expiry we will issue another certificate valid for the remaining time. You can claim this 2nd certificate by logging into your account and clicking the ‘Replace’ link when the 2-year cert is close to expiry.

  • All new certificate purchases after March 1, 2018 will be for a maximum of 27-months.

Q: Does the 2-year maximum term limitation apply to all TLS/SSL certificate types (single domain, wildcard, Extended Validation and UCC/MDC)?
A: 
Yes, it applies to all website certificate types. EV certificates have a maximum duration of 2-years anyway, so they are already compliant.

Q: Does the limit apply to code signing certificates?
A: No, the limit does not apply to code signing or EV code signing certificates, which will retain a 3-year maximum validity period.

Q: How will I get the remaining time if I renew/replace a 3-cert after March 1, 2018?
A: 
When your initial, 27-month, certificate is nearing expiry, log into your account, locate your order and click the ‘Replace’ link. You will be issued with a certificate valid for the remaining time.

  • If you replace/renew an existing 3-year cert, then you will see this message in your order:


A replace link will appear in the order when your certificate approaches expiry: 

  • If you purchased a 3-year certificate before the deadline then you will see this message in your order purely as an FYI:


Learn more about the new requirements here,
https://cabforum.org/2017/03/17/ballot-193-825-day-certificate-lifetimes/

Comodo CA will work with you to ensure this transition goes smoothly. If you have questions, please contact your Comodo CA account manager or Comodo CA Support directly, Support@ComodoCA.com. Partners can contact us directly via partners@comodoca.com