Skip to content Skip to site navigation Skip to service navigation

Certificates limited to one-year expirations

The Certification Authority Browser Forum (or CA/Browser Forum for short) has passed a new recommendation that starting on September 1, 2020 all SSL certificates used for serving web pages should be valid for no more than one year from issuance. In particular,

TLS server certificates issued on or after September 1, 2020 00:00 GMT/UTC must not have a validity period greater than 398 days.

Almost all Certificate Authorities and browser vendors are following this recommendation. Most of the major browser vendors have released (or soon will release) versions of their product that will flag as insecure web sites using certificates not meeting the above recommendation. Stanford's certificate vendor Sectigo has stopped issuing two-year certificates and Stanford's certificate provisioning application has removed the option for certificates with two-year expirations.

Note that certificates issued before September 2020 that have expirations longer than one year will not be affected: they will still work and be accepted.

For more information, see section 6.3.2 of the CA/Browser Forum's document "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates (version 1.7.1)".

Last modified July 12, 2021