Why Do SSL Certificates Have Expiration Dates?


Decoding SSL expiration, one of the essential things you should know about SSL certificates

It’s a question we get all the time: why do SSL certificates expire?

Seriously, all the time. Especially at a site with a name like SSLRenewals.com. ‘Why do I have to renew this?’ Or ‘Is this some kind of racket?’ 

No, it’s not a racket or a scam, it’s actually for a couple of very good reasons—but we certainly understand why it would look that way.

After all, SSL isn’t perishable. It’s not like a carton of milk or a loaf of bread—it’s not going to go bad, per se. But there are still good reasons for restricting the lifespan of an SSL certificate—two of them, actually.


Let’s take a look:

Reason #1: For Identification Purposes

One of the best metaphors for SSL is a passport or a driver’s license; for the sake of this exercise, we’ll go with the driver’s license. A driver’s license and an SSL certificate each serve two primary functions. On the one hand, a driver’s license provides you access to the roads and grants you the ability to drive on them. SSL facilitates encryption via the SSL protocol; it basically gives you permission to use secure connections. One is a vehicle in transit; one is data in transit—hey, let’s not try to go too deep into this metaphor.

The other function they both serve is to authenticate identity. And the issuing agency – the DMV or the Certificate Authority (CA) – occasionally needs you to come back and check in so it can keep up-to-date information about you on record.

That’s especially important in the realm of cybersecurity. By default, the browsers that we use to navigate the web don’t trust individual websites. Browsers are designed to keep users safe and, by virtue of that, they’re skeptical of everything and everyone. In order for a browser to trust a website, it needs to see that it has been authenticated by a trusted third party.

CAs represent that trusted third party. To be a trusted CA, you have to abide by rigorous standards set forth by the CA/Browser Forum – which acts as the regulatory body for the industry – and any mistakes the CA makes can and will be used against it. That means it’s in the CA’s best interest to keep up-to-date information on the sites it issues to because, for all intents and purposes, it’s vouching for those sites’ identities.

By making you renew at least every two years the CA can ensure that it has accurate identifying information on the company or organization it’s issuing to, in addition to making sure that the company still owns the registered domain. After all, domains change hands all the time.

Expirations and renewals just allow for good security hygiene on the part of the CAs. Not to mention…

Reason #2: Expiration Allows SSL Encryption Technology to Advance


The other reason SSL certificates need to expire is technical. Advances are being made on a regular basis with regards to the SSL/TLS protocol and encryption technology in general. In the coming months, the SHA-1 hashing algorithm will be completely deprecated and TLS 1.3 will be released.

That’s two MAJOR changes. SHA-1 has been known to be vulnerable for years and has been replaced by the more secure SHA-2 algorithm. TLS 1.3 is a completely new version of the TLS protocol. In order to be as secure as possible, SSL needs to be implemented with SHA-2 hashing and TLS 1.3.

Now think about what would happen if SSL certificates never expired. Yes, granted, it would be possible to update by re-issuing your certificate, but let’s be honest—a lot of companies and organizations install their SSL certificate once and leave it alone until it expires.

So, SSL that didn’t expire, or even SSL with validity periods of longer than two years (you used to be able to get up to five years), would eventually become insecure. Old, outdated ciphers, outmoded hashing algorithms, and other implementation issues would be commonplace. The SSL ecosystem as a whole would be a mish-mash of capabilities, as sites with newer certificates would be substantially more secure than sites with older ones.

Eventually, it would get to a point where the browsers would start removing support for various outmoded features and valid SSL certificates would be rendered useless because they could no longer make secure connections.

Having SSL certificates expire avoids all of that. By requiring everyone to purchase a new certificate at least once every two years, it forces sites to continually adopt the newest, most secure technology.
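Both reasons above boil down to checks a site operator can run against their own certificates: is the identity window still open (not expired, not about to), and has the cryptography been left behind (a validity period longer than the two-year maximum, a signature still made with SHA-1). The following Go program is an added example written for this article, not code from SSLRenewals.com or from any CA. It builds a throwaway self-signed certificate in memory as constructed sample input, so it runs offline; the 30-day renewal window is an assumption of the example, and the two-year ceiling mirrors the lifetime described above. In practice you would feed `AuditCertificate` a certificate loaded from disk or taken from a live TLS connection.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Audit thresholds. MaxLifetime is the two-year ceiling the article describes;
// RenewalWindow (30 days of lead time) is this example's own assumption.
const (
	MaxLifetime   = 2 * 365 * 24 * time.Hour
	RenewalWindow = 30 * 24 * time.Hour
)

// Finding is one problem the audit raised for a certificate.
type Finding struct {
	Code    string // stable identifier such as "EXPIRED"
	Message string // human-readable detail
}

// AuditCertificate inspects a parsed certificate as of time now and returns
// the reasons it should be renewed or reissued: stale identity (not yet valid,
// expired, or inside the renewal window) and stale cryptography (validity
// longer than two years, or a signature still using SHA-1 or older).
func AuditCertificate(cert *x509.Certificate, now time.Time) []Finding {
	var findings []Finding
	if now.Before(cert.NotBefore) {
		findings = append(findings, Finding{"NOT_YET_VALID",
			"notBefore is " + cert.NotBefore.Format(time.RFC3339)})
	}
	switch remaining := cert.NotAfter.Sub(now); {
	case remaining < 0:
		findings = append(findings, Finding{"EXPIRED",
			fmt.Sprintf("expired %s ago", (-remaining).Round(time.Hour))})
	case remaining <= RenewalWindow:
		findings = append(findings, Finding{"EXPIRING_SOON",
			fmt.Sprintf("expires in %s", remaining.Round(time.Hour))})
	}
	if lifetime := cert.NotAfter.Sub(cert.NotBefore); lifetime > MaxLifetime {
		findings = append(findings, Finding{"LIFETIME_TOO_LONG",
			fmt.Sprintf("valid for %.0f days, limit is %.0f",
				lifetime.Hours()/24, MaxLifetime.Hours()/24)})
	}
	switch cert.SignatureAlgorithm {
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA,
		x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		findings = append(findings, Finding{"WEAK_SIGNATURE",
			fmt.Sprintf("signed with %s; reissue with a SHA-2 signature",
				cert.SignatureAlgorithm)})
	}
	return findings
}

// HasCode reports whether the audit produced a finding with the given code.
func HasCode(findings []Finding, code string) bool {
	for _, f := range findings {
		if f.Code == code {
			return true
		}
	}
	return false
}

// NewSelfSignedCert makes a throwaway ECDSA P-256 leaf certificate signed with
// SHA-256 and valid between notBefore and notAfter. It is constructed sample
// input standing in for a certificate read from disk or from a TLS peer.
func NewSelfSignedCert(host string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now, day := time.Now(), 24*time.Hour
	samples := map[string][2]time.Time{
		"fresh one-year cert":     {now.Add(-day), now.Add(365 * day)},
		"cert expiring in a week": {now.Add(-700 * day), now.Add(7 * day)},
		"old five-year cert":      {now.Add(-4 * 365 * day), now.Add(365 * day)},
		"expired cert":            {now.Add(-400 * day), now.Add(-30 * day)},
	}
	for name, window := range samples {
		cert, err := NewSelfSignedCert("example.test", window[0], window[1])
		if err != nil {
			panic(err)
		}
		fmt.Println(name + ":")
		for _, f := range AuditCertificate(cert, now) {
			fmt.Printf("  %-18s %s\n", f.Code, f.Message)
		}
	}
}
```

The signature check runs on the parsed `SignatureAlgorithm` field alone, so it catches a SHA-1 certificate whether or not the local Go toolchain would still accept it; a clean certificate yields an empty slice, which is the condition to alert on when it stops being true.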

Expiration literally keeps you safer.
