
The Countdown Has Started – Here Come One-Year Digital Certificate Life Cycles

In February 2020, Apple announced its decision to trust only one-year digital certificates [1] in its Safari browser. This decision created a domino effect, with Mozilla and Google following suit; certificate providers announced they would not issue two-year certificates after Aug. 19, 2020. We wrote an article in March to help brands prepare for this change.

After Sept. 1, 2020, only one-year digital certificates will be trusted in Chrome, Safari, and Firefox. With less than a month until this date, it's important for brands to make sure that they're ready for this change. In this article, we offer our recommendations to ensure that you're fully prepared for the transition of your certificates.

Our simple four-step advice is account, consolidate, secure, and automate.

Account

Ask yourself if your brand has a full accounting of its digital certificates by answering these questions:

  • How many certificates do you have, and of what types?
  • With which certificate authority are they registered?
  • Who has permission to administer these certificates?
  • When are the renewal dates for each certificate?

If you don't have an answer to all of these questions, you're at risk of having digital certificates that aren't accounted for.

As the frequency of replacing certificates increases, so does the risk of missing the replacement of a vital asset supporting your online business operations. If this happens, you'll be unable to process secure transactions on that site, costing you traffic, revenue, and consumer trust.

Consolidate

CSC advocates consolidating your digital certificates with one provider and using Certification Authority Authorization (CAA) records to best manage your certificates and control the permissions for issuing any certificates. Adding CAA records supports the consolidation of your providers, reduces the overall cost of management, and greatly reduces the risk of an unexpected expiration, a risk that is infinitely higher when you have multiple providers.

Secure

It's important to consider the validation level of your digital certificates and the impact it has on your consumers and their confidence in the security of your sites. At CSC, we recommend considering Organization Validation (OV) certificates for your vital domains, as these go through a three-step verification process. Extended Validation (EV) certificates have the most stringent verification criteria, but can be more expensive and take longer to process. Both OV and EV certificates are preferable to Domain Validated (DV) certificates, which can be obtained by anyone who has a credit card and can be proven to own the domain in question.

Automate

The easiest way to deal with the increased frequency of renewals is to automate. If you have an extensive portfolio of domains, after Sept. 1, your renewals workload will double. Automated certificate monitoring, renewal, and replacement will make your life easier, and avoid the risk of an unexpected expiration.
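The monitoring described above can be run against the inventory from the Account step. The following is an added example, not code from the original article or from CSC: it audits certificate records shaped like Python's `ssl.SSLSocket.getpeercert()` output for the 398-day limit, upcoming expiry, and issuance outside a single approved provider. The host names, the issuer names, and the 30-day warning window are constructed assumptions.

```python
import ssl
from datetime import datetime, timedelta, timezone

MAX_VALIDITY = timedelta(days=398)       # limit given in the article's footnote
ENFORCED_FROM = datetime(2020, 9, 1, tzinfo=timezone.utc)  # browser cut-off date
APPROVED_ISSUER = "Example Trust CA"     # hypothetical single provider

def _issuer(org):
    """Build an issuer field in the nested-tuple shape getpeercert() uses."""
    return ((("countryName", "US"),), (("organizationName", org),))

# Constructed inventory; each entry mimics ssl.SSLSocket.getpeercert() output.
INVENTORY = {
    "shop.example.com": {"notBefore": "Sep 15 00:00:00 2020 GMT",
                         "notAfter": "Sep 15 00:00:00 2022 GMT",
                         "issuer": _issuer("Example Trust CA")},
    "legacy.example.com": {"notBefore": "Aug 10 00:00:00 2020 GMT",
                           "notAfter": "Aug 10 00:00:00 2022 GMT",
                           "issuer": _issuer("Example Trust CA")},
    "api.example.com": {"notBefore": "Dec 20 00:00:00 2019 GMT",
                        "notAfter": "Jan 19 00:00:00 2021 GMT",
                        "issuer": _issuer("Other CA Ltd")},
}

def _ts(text):
    """Parse a getpeercert()-style timestamp into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)

def issuer_org(cert):
    """Return the issuer's organizationName, or None if absent."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None

def audit(cert, now, warn_days=30):
    """Return the list of findings for one inventory entry."""
    start, end = _ts(cert["notBefore"]), _ts(cert["notAfter"])
    findings = []
    # Two-year certificates issued before the cut-off are not flagged.
    if start >= ENFORCED_FROM and end - start > MAX_VALIDITY:
        findings.append("validity exceeds 398 days")
    if end <= now:
        findings.append("expired")
    elif end - now <= timedelta(days=warn_days):
        findings.append("expires in %d days" % (end - now).days)
    if issuer_org(cert) != APPROVED_ISSUER:
        findings.append("issuer is not the approved provider")
    return findings
```

In practice the same `audit` function can be fed the dictionary returned by `getpeercert()` on a live TLS connection, with `now` set to the current UTC time.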

  1. The lifetime of the certificate will include extra time for renewal, so the actual validity period will be 398 days.
  2. This article was originally published on Digital Brand Insider.

By Ken Linscott, Product Director, Domains and Security at CSC
