In 2018, the CA-Browser Forum came to an agreement to reduce maximum lifetime of certificates from three years to two years. At that time, the major browsers were pushing hard for 1-year certificates and the major CAs wanted to maintain 3-year certificates. The new 2-year standard was a compromise.
Now it's 2020 and Apple has taken unilateral action and announced that Safari will no longer trust 2-year certificates as of 9/1/2020. Google, Mozilla, and Microsoft soon jumped on board. In response, the public CAs will all stop issuing 2-year certificates. The intent of the policy change is to improve security by limiting the length of time a fraudulent certificate can be used, especially given poor implementations of certificate revocation.
This page documents the timeline and impacts of this industry-wide change on UW Certificate Services customers.
UW CA Certificates
The UW CA is not part of the trusted root program for any browsers and is not subject to this new requirement. There will be no impacts to UW CA customers.
The InCommon CA relies on the Sectigo root CA, which is part of the trusted roots program for all major browsers. This means InCommon certificates will be impacted by this industry-wide change.
The change to certificate lifetime policy takes effect on August 19, 2020.
- InCommon certificates issued on or after August 19, 2020 will be limited to a 1-year lifetime.
- InCommon certificates created before August 19, 2020 will continue to be trusted by all browsers for their full lifetime.
- On August 19, 2020, the UW Certificate Services application will be updated to remove 2 years as an option for certificate lifetime.
- Beginning August 19, 2020, it will no longer be possible to renew a 2-year certificate. The UW Certificate Services application will be updated to enforce this.
Please send any questions to firstname.lastname@example.org with "InCommon certificates" in the subject line.