SSL Certificate News & Information
Mandatory CAA (DNS) Checking
From 7th September 2017, all CAs are now required to check the domain name's DNS for a CAA record prior to issuing any SSL certificates for that domain.
If you have configured CAA records in your domain name's DNS, only the CAs listed may issue SSL certificates for your domain.
If you have no CAA records in your DNS, any CA can issue SSL certificates for your domain.
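The rule above can be modelled as a small evaluator. This is an added example, not code from the original page: the zone data and CA identifiers (ca-one.example, ca-two.example) are constructed, and it goes beyond the single-domain case by following the parent-climbing and issue/issuewild rules of RFC 8659, with CNAME handling omitted.

```python
# Added example: CAA evaluation over constructed zone data (no DNS queries).
# Each record is (flags, tag, value), as in a CAA resource record.
SAMPLE_ZONE = {
    "example.com": [(0, "issue", "ca-one.example"), (0, "issuewild", ";")],
    "shop.example.com": [(0, "issue", "ca-two.example; account=123")],
    "example.org": [(0, "iodef", "mailto:security@example.org")],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(domain, zone):
    """Climb from the requested name toward the root; the first name
    that has any CAA records supplies the set the CA must honour."""
    labels = domain.rstrip(".").lower().split(".")
    if labels[0] == "*":          # a wildcard request is checked at its base name
        labels = labels[1:]
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return records
    return []


def may_issue(domain, ca_id, zone):
    """Return True if the CA identified by ca_id may issue for domain."""
    rrset = relevant_rrset(domain, zone)
    # An unrecognised tag with the critical bit (0x80) set blocks issuance.
    if any(flags & 0x80 and tag.lower() not in KNOWN_TAGS
           for flags, tag, _ in rrset):
        return False
    issue = [v for _, tag, v in rrset if tag.lower() == "issue"]
    issuewild = [v for _, tag, v in rrset if tag.lower() == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise issue.
    props = issuewild if domain.startswith("*.") and issuewild else issue
    if not props:
        return True               # no restriction published: any CA may issue
    # The CA name is the part before any ';' parameters; ";" alone means nobody.
    allowed = {v.split(";", 1)[0].strip().lower() for v in props}
    return ca_id.lower() in allowed


if __name__ == "__main__":
    for name in ("example.com", "www.example.com", "*.example.com",
                 "shop.example.com", "example.net"):
        print(name, {ca: may_issue(name, ca, SAMPLE_ZONE)
                     for ca in ("ca-one.example", "ca-two.example")})
```

In the sample zone, the `issuewild ";"` record blocks wildcard issuance by every CA while ordinary certificates remain available from ca-one.example, and the sub-domain's own record set overrides the parent's.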
DigiCert to Acquire Symantec
At the beginning of August 2017, DigiCert announced its agreement to acquire Symantec's website security business, including the SSL/TLS and the IoT business.
DigiCert announced this very swiftly as they are hoping "that this agreement will satisfy the needs of the browser community" in relation to Google's plans to distrust the Symantec root certificate in the Chrome browser.
It is reported that the deal is for $950m USD plus a 30% share of DigiCert.
This is expected to complete in the last half of 2018.
Distrust of Symantec Certificates by Google
Google are to distrust all Symantec SSL certificates (issued before 1st June 2016) in their Chrome browser, from 8th August 2017.
In March 2017, Google and Mozilla found Symantec had mis-issued 127 SSL certificates (against industry rules set by the CA/B Forum), but after further investigation the number rose to 30,000.
Mozilla, Microsoft and Apple were considering options but allowed Google to conduct the investigation alone.
Symantec denied mis-issuing any certificates.
However, Symantec will now have to partner with another CA who will issue the certificates on behalf of Symantec.
There is talk of Symantec exploring the idea of selling its CA business.
The GeoTrust, Thawte, and RapidSSL brands (owned by Symantec) are also affected.
Anyone with a certificate issued before 1st June 2016 must re-validate the replacement order and have the SSL re-issued and re-installed.
Comodo removes free non-www SAN
All previous orders for Comodo Single Domain SSL certificates for www. have secured the base domain (non-www.), until now.
Like the majority of CAs, Comodo gave this for free, by adding it to the SAN.
For example: a previously ordered certificate for www.example.com would also secure example.com as Comodo added this for free to each order.
This has now changed. Instead they will add the www. element to the SAN for an order of the base domain (non-www.).
For example: a new certificate order for example.com will also secure www.example.com as Comodo will now add this for free to each order.
For Comodo Wildcard certificates, the base domain will not be added and therefore cannot be protected with a Wildcard SSL certificate.
Of course, all previously issued SSL certificates will continue to work until re-issue or renewal.
UPDATED July 2017:
Comodo have decided to pause the new updates for the www. and non-www. SAN.
Wildcard SSL certificates will still have the base domain included and all Single Domain SSL certificates for www. will secure the non-www. base domain too.
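Why the SAN entries matter for www., base-domain and wildcard coverage can be shown with a small matcher. This is an added example, not code from the original page or from Comodo; the SAN lists are constructed and the matching follows the usual left-most-label wildcard rule applied by TLS clients.

```python
# Added example: which hostnames a certificate's SAN list covers.
# The SAN lists below are constructed to mirror the cases described above.
WWW_ORDER_WITH_BASE = ["www.example.com", "example.com"]
WILDCARD_ONLY = ["*.example.com"]
WILDCARD_WITH_BASE = ["*.example.com", "example.com"]


def san_matches(hostname, san):
    """Match one hostname against one SAN dNSName entry."""
    host = hostname.rstrip(".").lower().split(".")
    pattern = san.rstrip(".").lower().split(".")
    if len(host) != len(pattern):
        # A wildcard stands for exactly one label, so "*.example.com"
        # covers neither "example.com" nor "a.b.example.com".
        return False
    if pattern[0] == "*":
        return host[1:] == pattern[1:]
    return host == pattern


def covered(hostname, sans):
    """True if any SAN entry covers the hostname."""
    return any(san_matches(hostname, san) for san in sans)


def coverage_report(sans, hostnames):
    """Map each hostname to whether the SAN list covers it."""
    return {name: covered(name, sans) for name in hostnames}


if __name__ == "__main__":
    names = ["example.com", "www.example.com", "a.b.example.com"]
    for label, sans in (("www order + base", WWW_ORDER_WITH_BASE),
                        ("wildcard only", WILDCARD_ONLY),
                        ("wildcard + base", WILDCARD_WITH_BASE)):
        print(label, coverage_report(sans, names))
```

A wildcard entry on its own leaves the base domain uncovered, which is why the base domain has to appear as a separate SAN entry for a wildcard certificate to protect it.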
Comodo Technical Issues
Comodo experienced technical issues resulting in loss of all services for 20 hours between 10th and 11th May 2017.
This unfortunately resulted in the loss of all orders from 3rd May to 11th May 2017.
Comodo were able to replace all of these orders on 12th May and added an extra 90 days as goodwill to all affected orders.
UPDATED May 2017:
On 18th May Comodo had to revoke all orders placed between 3rd May and 11th May 2017.
If your certificate was issued between 3rd May and 11th May 2017, it will be revoked with a replacement order being created on 12th May.
The revoked certificates cannot be used and you will need to collect the replacement SSL certificate.
Anyone with an order issued between these dates must re-validate the replacement order and have the SSL re-issued and re-installed.
We apologise on behalf of Comodo for the inconvenience, which of course is out of our control.
Deprecation of 3 year SSL Certificates
A recent change to the CA/B Forum Baseline Requirement will soon prevent issuance of 3 year SSL certificates.
From 1st March 2018, the maximum validity period will be 27 months for all SSL Certificates.
This 27 months limit imposed by the CA/B Forum allows for a 2 year certificate to be renewed up to 3 months prior to the expiry date, without loss of validity time.
Distrust of SHA-1 Certificates
All major web browser manufacturers will begin disabling support for SHA-1 certificates from publicly-trusted certificate authorities in early 2017.
If your SSL certificate is using SHA-1 then you will need a re-issue to obtain a SHA-2 certificate before the end of this year.
SSL Increases Google SEO Rankings
Google has again made minor updates to its search algorithm and now all websites using SSL will benefit.
If you have a valid SSL certificate installed, this will increase your Google SEO and in return you will gain more traffic due to a higher ranking.
Although SSL certificates provide a minor rankings increase from Google, the content quality remains the major factor, but it all helps to improve the sales and conversions.
Deprecation of 4 and 5 year SSL Certificates
A recent change to the CA/B Forum Baseline Requirement will soon prevent issuance of 4 and 5 year SSL certificates.
From 1st April 2015, the maximum validity period will be 39 months for all SSL Certificates.
This 39 months limit imposed by the CA/B Forum allows for a 3 year certificate to be renewed up to 3 months prior to the expiry date, without loss of validity time.
You may order a 4 year SSL certificate up to 1st March 2015 but if any re-issues are necessary after 1st April 2015, it will be truncated to 39 months. You must ensure you back up your certificate and the key to prevent this.
Removal of SHA-1 Certificates
Most SSL certificates issued today are created with a hash algorithm called SHA-1, which is now almost 20 years old.
With advances in hardware and therefore computing power, the feasibility of successful collision attacks is increasing.
Therefore CAs should begin to use a stronger SHA version, particularly SHA-2 (or SHA-256).
SHA-1 SSL certificates will still be available for compatibility reasons, but only if requested, and cannot be used for any certificate which expires after 1st January 2017.
Comodo Multi-Domain Wildcard SSL
Comodo have announced the addition of their Multi-Domain Wildcard SSL.
This is an industry first, for a CA to issue a multi-domain SSL with wildcard capabilities.
Aimed at customers with many domains and sub-domains to secure, it is capable of securing up to 100 domains together with the unlimited subdomain capability of a wildcard SSL certificate.
Wildcard domains can be added to the SANs (multi-domain element) of the certificate.
New Symantec Wildcard SSL Certificate
Symantec have announced the addition of a new Wildcard SSL certificate to their range of highest level 256-bit encryption Symantec SSL certificates.
This is the most expensive SSL certificate we are aware of, so perhaps it is only within the reach of large enterprises or government entities.
Dutch CA DigiNotar Hacked
A security breach at DigiNotar has resulted in the issuance of more than 500 fraudulent SSL certificates.
All major web browsers have since blacklisted all DigiNotar issued certificates and the DigiNotar roots have been removed also.
Finally, DigiNotar was declared bankrupt.