Skip to content

Back to blog

Why SSLMate Sells Only One Year Certificates

Traditionally, SSL certificates have been sold for terms as long as five years. Such long term certificates are often favored by web site operators who don't want to deal with the hassle of renewing certificates every year. Indeed, renewing certificates is often burdensome, especially when you manage a large number of certificates spread across many different servers.

However, long term certificates are bad for security, and might not even remain valid for their entire term. As a case in point, consider the Web's current transition away from SHA-1 certificates. Google recently announced that SHA-1 certificates with an expiration date after January 1, 2017 will receive a warning indicator in Chrome starting later this year, and will be treated as "affirmatively insecure," which a red cross through the "https," starting in the first half of 2015. That means that a five year certificate purchased on January 2, 2012 will become effectively invalid barely more than three years after it was purchased. Website operators who bought such certificates will need to reissue or prematurely renew these certificates.

This is a consequence of the evolving nature of cryptography. Although cryptographic algorithms are considered secure when they're first deployed, subsequent research can uncover weaknesses. Even SHA-2, which the Web is moving to now, could suffer a breakthrough that requires transition to a new hash algorithm. A breakthrough could even render RSA insecure, requiring the generation of new keys and certificates using elliptic curve cryptography.

For these reasons, SSL certificates should be renewed yearly to ensure that they are kept up-to-date with the latest best practices. To make this practical, SSL certificate vendors should make renewals as easy and as automated as possible. This is the philosophy that SSLMate follows. SSLMate sells only one year certificates, and we offer unparalleled automation to make renewals easy.

It's worth nothing that Google uses a similar approach internally. SSL certificates for Google websites have a lifetime of only three months. Of course, Google has heavily automated the process of certificate renewal. SSLMate wants to do the same for people who are not Google.

Looking ahead to the future, certificate lifetimes should be even shorter than a year, possibly on the order of days. The most desirable property of short-term certificates is that they solve the certificate revocation problem. Although it's possible to revoke certificates before they expire, the process of checking a certificate's revocation status is fraught with problems and provides scant protection against the malicious use of a compromised private key. With short-term certificates, you don't have to worry about revocation since you can just wait out the expiration if a key is compromised.

Of course, SSL certificates that are valid for only days will need a whole new way of being purchased and managed. We will need new techniques, new tools, and new infrastructure. And that's what SSLMate is trying to build.