Multiyear SSL Certificates / Subscription SSL Certificates

Question:

Can I order multi year SSL Certificates? How does this work technically?

 

Answer:

The validity period of SSL certificates will be further limited to 1 year as of September 1st, 2020.

Google and Mozilla (together with Apple who made it earlier) announced that they will no longer accept newly issued certificates with a validity period longer than 398 days from September 1. 

All publicly-trusted SSL server certificates issued before September 1, 2020 with a longer validity period, will continue to be supported for the entire term.

What will happen with active certificates?

Already issued certificates with a validity term of 2 years will remain valid until their expiry date.

Certificates issued on or before August 18, 2020 will still be issued with a validity period of 2 years, which will remain trusted in the browsers until they expire. For certificates with company validation (OV and EV) a certain delivery time applies, for this reason the transition date has been set to August 18. Limitation will be applied for all certificate types (DV, OV, EV).

We highly recommend you to renew 2-years certificates for which it is already possible. You can renew your certificates from 100 days before the expiry date. The remaining validity period of the old certificate is added to the new certificate, so you do not lose any validity period. Until August 18, you can extend your certificates in the regular way for two years via the Control Panel.

Impact on reissues

During the validity period of a certificate, you can always apply for a reissue.

The validity period of certificates re-issued after August 18 will then be limited to 13 months. This does not mean that the certificate has lost its initial validity period, because if you reissue again at a later time it will be matched to the initial validity period of two years. For example, if your current certificate has 698 days remaining on September 1 and it is reissued that day, CA will issue a 398 day certificate, and you will need to resubmit the CSR and get it reissued near the 398 day expiration at which time CA would issue another certificate for the remaining 300 days at no cost to you. Reissue will be requested automatically and you will be notified of the required actions by email.

Impact on renewals

After August 18, the renewal period of 1-year certificates will also be limited, from 90 days to 30 days, because the maximum validity term is then 398 days.

Options for a longer validity term

As mentioned above, 2-year certificates are still available until August 18, 2020, and you can choose to renew certificates that are less than 100 days before this date.

In order to meet the high demand of 2-year certificates, Sectigo launched multi-year SSL subscriptions: this allows you to subscribe for up to 5 years for all types of SSL certificates and continue to benefit from attractive multi year discounts. In this model it remains necessary to technically renew the certificates after the maximum validity period of 398 days. In time, the necessary interim renewal will also be automated where possible.

Refunds

There will be no refunds, in case after completion of one year the client does not want to extend the certificate to second year anymore.

How will it work?

From August 18 we will automatically process a 2-year order as a 2-year subscription. Openprovider API to order 2-year certificates will keep working exactly the same, the only thing that changes is that a certificate with a validity of 1 year is returned, even when a 2 year is ordered. To get a certificate for the next year, you should do a regular reissue command and a new certificate will be issued (after the necessary validation steps). We are going to automate this process as much as possible (requesting reissue automatically) and will inform you later about technical details of the process. The price for a 2-year subscription is equal to the price for a 2-year certificate and will be charged at the moment you order the certificate.

What do you need to do?

  • Re-installation:

As the initial certificate expires after 1 year, it is very important to install the new certificate that you will receive after a year is installed on your server timely.

  • Re-validation:

If the validation is done through DNS and the DNS-zone for the domain is managed by Openprovider:

  • DV certificates will be automatically re-validated, no action required for a 2 years certificate.
  • Validation for 3, 4 and 5 years certificates will be done with the renewal for 3rd and 5th year.
  • OV certificates need to be re-validated every 825 days, so for a 2 year certificate validation is not required. For certificates with longer periods (3, 4 and 5 years), validation will be required for the 3rd renewal.
  • EV certificates will still need a re-validation every year of the company details 

 

If the validation is not done through DNS or the DNS-zone for the domain is not managed by Openprovider:

  • Validation for a 2 years DV certificate is not required if the CSR file remains unchanged.
  • Validation for 3, 4 and 5 years certificates will be done with the renewal for 3rd and 5th year.
  • OV certificates need to be re-validated every 825 days, so for a 2 years certificate validation is not required. For certificates with longer periods (3, 4 and 5 years), validation will be required for the 3rd renewal.
  • EV certificates will still need a re-validation every year of the company details
  •  

 

Note: Above rules are subject to change and are requirements set by CA. 

Was this article helpful?
Additional questions? Submit a request