Obtaining and installing SSL certificates can be a lengthy process, especially if you have multiple websites and applications.
We are often asked, "Can I renew my SSL certificates for multiple years?" Unfortunately, the answer is no, and here is why.
TLS/SSL certificate validity periods are limited to a maximum of 398 days. They were reduced by the CA/B Forum starting Sept. 1, 2020
in response to Apple’s announcement stating they would not accept certificates with two-year validity periods.
Since then, browsers and devices from Apple, Google, and Mozilla
show errors for new TLS certificates that have a lifespan greater than 398 days.
How long is the validity of SSL/TLS certificates?
The validity period of SSL/TLS certificates used to be 10 years, was then reduced to 5 years, then to 3 years.
Later, on March 1, 2018, it was capped at two years for all SSL/TLS leaf certificates.
Eventually, on September 1, 2020, the lifespan of SSL certificates became 398 days.
Why the shorter lifespan?
The shorter lifespan of SSL certificates can seem like a nightmare for site administrators because of the more frequent renewals.
However, it shortens the time needed to organically roll out updates or changes.
A real-world example is the SHA1-to-SHA2 transition, which took 3 years.
With a 3- or 5-year validity period, old certificates that use an outdated algorithm are not replaced unless
the CA revokes them or forces the customer to re-issue.
It can take years before all of the old certificates are replaced.
When should I renew my SSL certificates?
You can renew your SSL certificate any time within 1 month of its expiration without losing any validity time.
For example, if your SSL certificate expires on 7/1/2023,
you can renew it any time from 6/1/2023 to 7/1/2023. The new SSL certificate will then expire on 7/1/2024.
If you renew earlier, on 5/1/2023, then because the maximum lifespan of SSL/TLS certificates is less than 398 days, you will get
a new SSL certificate expiring on 6/1/2024. You lose one month of time.
If you have a lot of installation work to do after obtaining the SSL certificates and do not mind losing some days of validity,
you may also choose to renew early.
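To apply the 398-day limit and the one-month renewal window across many certificates, the check can be scripted. The following is an added example, not part of the original article: it parses the text printed by `openssl x509 -noout -dates` and reports whether a certificate exceeds the limit and whether a given day falls inside the renewal window. The 30-day window length, the function names, and the sample dates are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

MAX_VALIDITY = timedelta(days=398)    # cap described on this page
RENEWAL_WINDOW = timedelta(days=30)   # assumption: "1 month" taken as 30 days
DATE_FMT = "%b %d %H:%M:%S %Y GMT"    # format printed by `openssl x509 -noout -dates`

# Constructed sample output, not taken from real certificates.
CURRENT_CERT = "notBefore=Jun  1 00:00:00 2022 GMT\nnotAfter=Jul  1 00:00:00 2023 GMT\n"
TWO_YEAR_CERT = "notBefore=Mar  1 00:00:00 2021 GMT\nnotAfter=Mar  1 00:00:00 2023 GMT\n"


def parse_dates(dates_output):
    """Return (not_before, not_after) as UTC datetimes."""
    fields = dict(line.split("=", 1) for line in dates_output.strip().splitlines())

    def to_utc(value):
        return datetime.strptime(value.strip(), DATE_FMT).replace(tzinfo=timezone.utc)

    return to_utc(fields["notBefore"]), to_utc(fields["notAfter"])


def audit(dates_output, today):
    """Check the lifespan against the cap and place `today` relative to the renewal window."""
    not_before, not_after = parse_dates(dates_output)
    lifespan = not_after - not_before
    renew_from = not_after - RENEWAL_WINDOW
    if today >= not_after:
        status = "expired"
    elif today >= renew_from:
        status = "renew now"
    else:
        status = "too early: renewing now gives up validity time"
    return {
        "lifespan_days": lifespan.days,
        "over_cap": lifespan > MAX_VALIDITY,   # new certificates over the cap are rejected
        "renew_from": renew_from.date().isoformat(),
        "days_left": (not_after - today).days,
        "status": status,
    }


if __name__ == "__main__":
    june_10 = datetime(2023, 6, 10, tzinfo=timezone.utc)
    print(audit(CURRENT_CERT, datetime(2023, 5, 1, tzinfo=timezone.utc)))
    print(audit(CURRENT_CERT, june_10))
    print(audit(TWO_YEAR_CERT, june_10))
```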