(10 votes, average: 4.60 out of 5, rated)
One of the most misunderstood – and oftentimes complained about – aspects of SSL is the fact that the certificates have expiration dates.
Why is that?
This isn’t like a carton of milk or some kind of foodstuff that you’re worried about it spoiling. ‘There shouldn’t be a shelf life!’
And frankly, that’s not an unreasonable line of thought. SSL Certificates facilitate secure connections between clients and servers. Adding an arbitrary expiration date that forces you to renew within a certain time period seems unnecessary—like a cash grab even.
In fact, if you follow that line of thought all the way to its conclusion you may even become downright angry. ‘Hey, this whole SSL thing is a racket—isn’t it?’
Though it could certainly look that way, SSL Certificate expiration serves two very important purposes in the SSL ecosystem. Let’s take a closer look.
SSL Certificates serve two primary functions, we already touched on the first – facilitating encrypted connections – but the second, sometimes less understood function is authentication.
You see all three validation levels require some form of authentication— whether it’s a quick check over domain ownership or an extensive business vetting. This authentication is what helps sites establish their identity on the internet as consumers can check and see the business details associated with the companies and organizations that own the websites they visit.
Like with any form of ID, occasionally it needs to be updated. Think about it, any driver’s license or passport also comes with an expiration date. It’s important to keep the identifying information up to date. Maybe you moved to a new address or are now at a different phone number. Maybe you changed your official name. At the very least you need to update the photograph—after all, you’re a bit older now than you were when that picture was taken (technically, this is true of all photographs).
The point is that the Certificate Authorities that are issuing your SSL Certificates are vouching for your identity—that’s the only reason the browsers trust your website in the first place. So given that it’s their name on the line, it’s within the CA’s best interest to occasionally double-check your information and make sure everything’s up to date.
Because if it’s not, if there are any mistakes made or a mis-issuance—the browsers aren’t going to penalize you, they’re going to penalize the CA.
So the biggest reason for SSL Certificate expiration is to allow the CAs to keep up to date identifying information. But this also carries the added benefit of helping to prevent mistakes. After all things change quickly on the internet. Domains change hands all the time. Now think about what would happen if the old owner still had access to a working SSL Certificate for that domain—all the problems that could cause.
That’s why mechanisms like certificate transparency, revocation lists and expiration dates exist—to prevent that sort of malfeasance.
The other reason certificates expire is simple: progress. If you never had to replace your SSL Certificate with a new one you would never adopt the new technology and advances in security that have been implemented since your original purchase date.
This means that certificates using outmoded encryption protocols (like SSL 2.0 and 3.0 or TLS 1.0) would become vulnerable to attacks and exploits. In turn, that would make the entire SSL ecosystem less safe while also reducing consumer confidence. It would be bad for the entire SSL Industry.
Just last year the SSL Industry mandated that all SSL Certificates use the newer, more secure SHA-2 Hashing Algorithm. Because SSL Certificates expire, within a year or two (though likely faster, given that the browsers are dropping SHA-1 support) all SHA-1 certificates will have expired and been replaced with SHA-2 certificates and the migration will be complete.
Now, think about what a challenge a large industry-wide shift would have presented if these certificates didn’t expire. It would have been a nightmare. Well, more of a nightmare. For many companies and organizations with outdated infrastructure or that still make use of legacy devices and systems—it’s already been rough.
The point is that by ensuring you’ll have to replace your certificate within two years (at the longest) the SSL industry is also able to make sure that you’re updating your implementations and taking advantage of new advances on at least a semi-regular basis.
We get it; at first glance it may seem a bit strange that a digital certificate would need to expire every two years.
But, as you’ve seen, there’s actually some good reasoning behind this practice, both from the standpoint that, as a CA, it’s important to keep up to date identifying information on the websites you’re issuing to and also because expiration allows for better proliferation of new advances in encryption technology.
It may not seem like it when you’re ponying up for a new SSL Certificate every two years—but this is for your own good.