[cabfpub] SHA-1 changes and certificate lifetimes

Rob Stradling rob.stradling at comodo.com
Wed Nov 13 11:42:44 UTC 2013

On 13/11/13 11:33, Gervase Markham wrote:
> On 13/11/13 10:53, Rob Stradling wrote:
>> When a customer renews an SSL certificate, it's common practice to set
>> the "notBefore" date of the new cert to today, and the "notAfter" date
>> to precisely N years after the old cert expires.  So if a customer
>> renews a 3yr cert 3 months before expiry, the new cert will be valid for
>> 39 months.
>>
>> Reducing the maximum validity period to 36 months would mean that the
>> validity periods of the old 3yr cert and new 3yr cert cannot overlap.
>> Or, if they do overlap, the customer would have to accept that they're
>> paying for some number of days twice.  Or, the CA would have to issue a
>> 27month cert now; then, 27 months later, issue a 9month cert.  Or, the
>> CA could scrap their 3yr cert product and sell a 33month cert product
>> instead.
>>
>> Basically, a maximum of 39 months makes renewing 3yr certs practical.
>
> OK, I understand now. And this requires 39 and not 38 or 37?

Why, are those last 2 months a big concern for you?

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
