26 August 2020

Starting September 1, 2020, most browsers will no longer trust certificates with a validity period longer than 398 days. With an evolving industry, the shortening of validity periods is expected. As such, we have been diligently working on channel-friendly solutions to continue providing multi-year price incentives to our customers. After we developed the model in-house and then perfected it with Sectigo, Subscription SSL was launched and made available for all Sectigo and Comodo product lines. With Subscription SSL, our customers can expect better prices, and a streamlined renewal process.

How Does Subscription SSL Work

When a customer orders a multi-year certificate after September 1, 2020, Sectigo will issue the 1st certificate with a validity period of 398 days. Before expiration, Sectigo will notify end-users to reissue the certificate preferably with a new CSR. Upon validation and reissuance, Sectigo will issue a 2nd certificate for the remainder of the subscription term or 398 days, whichever is shorter. The frequency of this replacement process will be determined by the number of years purchased upfront.

Example:

For a three-year Subscription SSL bundle, a certificate would be issued on September 1, 2020 with an expiration date of October 3, 2021 (398 days after issuance). The client submits a new CSR on October 3, 2021. Upon validation, a new certificate would be issued for another 398-day validity expiring on November 5, 2022. The process repeats around November 5, 2022, and the final certificate is issued to expire on September 1, 2023 — three years from the original issue date.
A new CSR will need to be provided and validated at the end of each 398-day period until the remaining life-time of the subscription purchase is less than 398 days, then it will be issued to max duration allowed.

Sectigo Subscription SSL FAQ

  • What is the benefit to the end customer?
    Customers can save up to 20% over the lifetime of the subscription and streamline the renewal process.
  • What is the benefit to the reseller?
    With Subscription SSL, our partners can now renew their multi-year certificate customers for their preferred duration of up to 5 years. These Subscription SSL bundles will allow our partners to increase customer retention and retain 30%+ of the revenue that would be lost if certificates could only be renewed at the current max duration of 398 days.
  • When ordering Subscription SSL for multiple years, can the old CSR be used or is a new CSR needed each year?
    Yes, but to ensure best security practices, a new CSR and re-validation are suggested each year.
  • Does DCV occur each time?
    Yes, DCV occurs each time a new certificate is renewed or re-issued which will need to happen at least once every 398 days.
  • What steps do I need to take each year?
    • Remind your customers about the upcoming renewal (every 365-398 days).
      Note: Certification Authorities are in the process of updating default automated reminders. More info to come.
    • For best practices, a new CSR will need to be requested from the customer although an old CSR can work.
    • Process the CSR as you would a re-issue of an existing certificate today.
    • The expiry date will be extended 398 days or until the end of the Subscription Term.
  • Will a new certificate be created each year?
    Yes, at a minimum, a new certificate with a max duration of 398 days will be required to be issued each year. For example, if you purchase a 5-year Subscription SSL bundle, you will have 5 different certificates to provide continuous 5-year coverage.
  • What brands support the Subscription SSL feature?
    All Sectigo & Comodo SSL product lines including PositiveSSL, EssentialSSL, InstantSSL, EliteSSL, EnterpriseSSL and SectigoSSL

 

General TLS/SSL FAQ

  • Which certificates does the one-year max validity period affect?
    TLS/SSL (DV / OV / EV, Single-Name / Multi-Domain / Wildcard)
  • What is the reason for the shortened validity period?
    The reduction in the validity period is to improve web security. Shorter periods keep the ecosystem more up to date with the latest and safest standards and reduce opportunities for imposter vulnerabilities.
  • What happens when you issue a two-year certificate before September 1?
    Any two-year public certificates issued before September 1 will be trusted until their expiration date.
  • What happens when you reissue a two-year certificate after September 1?
    • For Sectigo / Comodo Product Lines: If the original certificate expiration is beyond 398 days away, the validity period of the reissued certificate will be reduced to satisfy industry regulations (398 days), however, customers can reissue again later to extend the validity of their certificate to complete the original expiration date.
    • For DigiCert / Symantec CA (GeoTrust, RapidSSL, Thawte): If the original certificate expiration is beyond 398 days away, the validity period of the reissued certificate will be reduced to satisfy industry regulations (398 days). Unfortunately, at this point in time, DigiCert, GeoTrust, Thawte, and RapidSSL are advising us the additional time will not be added back later so a standard renewal will be required to avoid “Not Secure” browser warnings. Stay tuned for updates as the industry adapts to the new regulations.

 





« Back