[cabfpub] SHA-1 changes and certificate lifetimes
Gervase Markham
gerv at mozilla.org
Wed Nov 13 11:33:38 UTC 2013
On 13/11/13 10:53, Rob Stradling wrote:
> When a customer renews an SSL certificate, it's common practice to set
> the "notBefore" date of the new cert to today, and the "notAfter" date
> to precisely N years after the old cert expires. So if a customer
> renews a 3yr cert 3 months before expiry, the new cert will be valid for
> 39 months.
>
> Reducing the maximum validity period to 36 months would mean that the
> validity periods of the old 3yr cert and new 3yr cert cannot overlap.
> Or, if they do overlap, the customer would have to accept that they're
> paying for some number of days twice. Or, the CA would have to issue a
> 27month cert now; then, 27 months later, issue a 9month cert. Or, the
> CA could scrap their 3yr cert product and sell a 33month cert product
> instead.
>
> Basically, a maximum of 39 months makes renewing 3yr certs practical.

OK, I understand now. And this requires 39 and not 38 or 37?

Gerv