Where I expect to see a renewal link, the Certificate Service says "This certificate cannot be renewed." Why can't I renew my InCommon Certificate?
Starting 2018-03-01, all commercial Certificate Authorities (CAs) have shortened the maximum certificate lifetime to two years. Any new InCommon certificate requests or renewals will be limited to this term. Certificates issued before 2018-03-01 with terms over two years will expire on their originally scheduled dates (e.g. a three year certificate issued 2018-02-28 will expire 2021-02-28). Our vendor originally told us that three year certificates issued prior to 2018-03-01 would be issued with a term of two years when renewed. We soon discovered that renewals of three year certificates were getting stuck in the vendor's management tools. Our vendor has now told us that the statement regarding automatic term truncation to two years was a "misrepresentation." Certificates Services reviewed options and decided that disabling renewals of three year certificates would have the least impact on customers.
What is the solution?
You can generate a new Certificate Signing Request (CSR) and request a new InCommon certificate from Certificate Services like you did when you first requested this certificate. You'll be able to use the renew function going forward (barring any further changes to certificate lifetimes by our vendor). The process of requesting a new certificate is documented at Obtain a Certificate from the InCommon CA.
More Frequently Asked Questions
What other options were considered?
We could have submitted renewal requests to our vendor as usual, but processing them requires a manual and labor-intensive intervention from Certificate Services staff. This option would have tied up support resources and introduced a delay of up to one business day in issuing renewals.
I was able to renew three year InCommon certificates between 2018-03-01 and 2018-03-28. Why?
Certificate Services staff manually processed renewals of three year certificates (renewals issued with a two year term) during this time. The ability to renew was disabled on 2018-03-28. You might have noticed a delay in issuing renewals of three year certificates between 2018-03-01 and 2018-03-28. The manual processing required by our staff is why.
What happens to my existing three year certificate?
This change does not affect any existing certificates. If you were issued a three year certificate on or before February 28, 2018 it will still expire three years from the issue date. Only certificates issued March 1, 2018 or later will have a maximum term of two years.
Where can I go to get a three year certificate?
None of the commercial CAs are issuing three year certificates anymore. Commercial CAs for this purpose means a CA whose root certificates are included in major browsers and operating systems. Thawte, Digicert, Comodo, etc. have all limited certificate terms to two years. For more information see https://cabforum.org/2017/03/17/ballot-193-825-day-certificate-lifetimes/
Why is this happening?
CA/Browser (CAB) forum members assert that rolling over certificates on a shorter interval improves security by allowing deprecated cryptographic protocols to be phased out more quickly, among other things.
Why does UWCA still offer three year certificates?
Commercial CAs have to follow CA/Browser (CAB) forum rules to have their root certificates included in major browsers and operating systems. CAB is a working group composed of organizations engaged with web browser and certificate best practices. UWCA is a private CA--we aren't concerned about having our root certificate trusted outside UW or included in major browsers. This gives us flexibility to evaluate the costs and benefits of adopting similar practices.