[cabfpub] SHA-1 changes and certificate lifetimes

Gervase Markham gerv at mozilla.org
Wed Nov 13 11:33:38 UTC 2013

On 13/11/13 10:53, Rob Stradling wrote:
> When a customer renews an SSL certificate, it's common practice to set
> the "notBefore" date of the new cert to today, and the "notAfter" date
> to precisely N years after the old cert expires.  So if a customer
> renews a 3yr cert 3 months before expiry, the new cert will be valid for
> 39 months.
> Reducing the maximum validity period to 36 months would mean that the
> validity periods of the old 3yr cert and new 3yr cert cannot overlap.
> Or, if they do overlap, the customer would have to accept that they're
> paying for some number of days twice.  Or, the CA would have to issue a
> 27month cert now; then, 27 months later, issue a 9month cert.  Or, the
> CA could scrap their 3yr cert product and sell a 33month cert product
> instead.
> Basically, a maximum of 39 months makes renewing 3yr certs practical.

OK, I understand now. And this requires 39 and not 38 or 37?


More information about the Public mailing list