By Stephanie Mitchell, marketing manager
Ken Linscott, product director | Domains and Security
Share this post
Apple announced its decision to trust only one-year digital certificates on its Safari browser in February 2020. This decision created a domino effect, with Mozilla® and Google® following suit; certificate providers announced they would not issue two-year certificates after Aug. 19, 2020. We wrote an article in March to help brands to prepare for this change.
After Sept. 1, 2020, only one-year digital certificates will be trusted on ChromeTM browser, Safari®, and Firefox®. With less than a month until this date, it’s important for brands to make sure that they’re ready for this change. In this article, we offer our recommendations to ensure that you’re fully prepared for the transition of your certificates.
Our simple four-step advice is account, consolidate, secure, and automate.
Ask yourself if your brand has a full accounting of its digital certificates by answering these questions:
- How many, and what types of certificates do you have?
- With which certificate authority are they registered?
- Who has permission to administrate these certificates?
- When are the renewal dates for each certificate?
If you don’t have an answer to all of these questions, you’re at risk of having digital certificates that aren’t accounted for.
As the frequency of replacing certificates increases, so does the risk of missing the replacement of a vital asset supporting your online business operations. If this happens, you’ll be unable to process secure transactions on that site, costing you traffic, revenue, and consumer trust.
CSC advocates consolidating your digital certificates with one provider and using Certificate Authority Authorization (CAA) records to best manage your certificates and control the permissions for issuing any certificates. Adding CAA records supports the consolidation of your providers, reduces the overall cost of management, and greatly reduces the risk of an unexpected expiration—an infinitely higher risk when you have multiple providers.
It’s important to consider the validation level of your digital certificates and the impact it has on your consumers and their confidence in the security of your sites. At CSC, we recommend considering Organization Validation (OV) certificates for your vital domains, as these go through a three-step verification process. Extended Validation (EV) certificates have the most stringent verification criteria, but can be more expensive and take longer to process. Both OV and EV certificates are preferable to Domain Validated (DV) certificates, which can be obtained by anyone with a credit card and who can be proven to own the domain in question.
The easiest way to deal with the increased frequency of renewals is to automate. If you have an extensive portfolio of domains, after Sept. 1, your renewals workload will double. Automated certificate monitoring, renewal, and replacement will make your life easier, and avoid the risk of an unexpected expiration.
 The lifetime of the certificate will include extra time for renewal, so the actual validity period will be 398 days.