
Background

In 2018, the CA/Browser Forum came to an agreement to reduce the maximum lifetime of certificates from three years to two years. At that time, the major browsers were pushing hard for 1-year certificates and the major CAs wanted to maintain 3-year certificates. The new 2-year standard was a compromise.

Now it's 2020 and Apple has taken unilateral action and announced that Safari will no longer trust 2-year certificates as of 9/1/2020. Google, Mozilla, and Microsoft soon jumped on board. In response, the public CAs will all stop issuing 2-year certificates. The intent of the policy change is to improve security by limiting the length of time a fraudulent certificate can be used, especially given poor implementations of certificate revocation.

This page documents the timeline and impacts of this industry-wide change on UW Certificate Services customers.

UW CA Certificates

The UW CA is not part of the trusted root program for any browsers and is not subject to this new requirement. There will be no impacts to UW CA customers.

InCommon Certificates

The InCommon CA relies on the Sectigo root CA, which is part of the trusted root program for all major browsers. This means InCommon certificates will be impacted by this industry-wide change.

Timeline

The change to certificate lifetime policy takes effect on August 19, 2020.

Impacts

  • InCommon certificates issued on or after August 19, 2020 will be limited to a 1-year lifetime.
  • InCommon certificates created before August 19, 2020 will continue to be trusted by all browsers for their full lifetime.
  • On August 19, 2020, the UW Certificate Services application will be updated to remove 2 years as an option for certificate lifetime.
  • Beginning August 19, 2020, it will no longer be possible to renew a 2-year certificate. The UW Certificate Services application will be updated to enforce this.

Questions?

Please send any questions to help@uw.edu with "InCommon certificates" in the subject line.

Further Reading

