[Feature Request] Support CA/B Ballot 193 - 825-day certificate lifetime #120

Open
re-glaue opened this issue Feb 27, 2020 · 2 comments

@re-glaue

To comply with the rule set forth in Ballot 193, CAs will now require SSL certs to be regenerated if they are purchased for terms beyond 825 days. My CA requires regeneration after 2 years. If I purchased an SSL cert for 3+ years, I do not need to purchase a renewal, but I must regenerate the SSL cert at 2 years.

It should be distinguished in DomainMOD which certificates need a purchase renewal and which need just a regeneration renewal.

Proposal
"SSL Certificate Expiration" indicates when the installed SSL Certificate expires and must be renewed.
DomainMOD should support an additional attribute that is named something like "SSL Certificate Order Expiration".

Order Expiration could be left empty and default to Certificate Expiration. With this additional attribute, however, we can determine if we need to purchase an SSL renewal, or just regenerate a renewal without additional purchase.

Ballot 193 limits maximum lifetime for OV and DV certificates to about 27 months.
https://cabforum.org/2017/03/17/ballot-193-825-day-certificate-lifetimes/

@chetcuti chetcuti self-assigned this May 17, 2020
@chetcuti
Member

Thanks for posting this! I hadn't heard about this before, but I'll investigate and figure out how things can be tweaked with DomainMOD to accommodate.

@re-glaue
Author

Now the SSL max lifespan will be limited to 398 days.
This article talks about CAs implementing an SSL subscription plan or certificate lifecycle automation options to manage SSL certificates with shorter lifecycles. Customers are still able to purchase multi-year certificates and then re-issue them yearly.
https://www.thesslstore.com/blog/ssl-certificate-validity-will-be-limited-to-one-year-by-apples-safari-browser/
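The distinction discussed in this thread, as an added example that is not part of the original issue and not DomainMOD code: a tracker that stores both dates can tell a free reissue from a paid renewal and can lay out the reissue dates of a multi-year order under a validity cap (825 or 398 days). The names `CertRecord`, `next_action`, `reissue_schedule` and the 30-day warning window are assumptions, and the schedule assumes each certificate is replaced on the day it expires.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class CertRecord:
    """Hypothetical record holding both dates proposed in the issue."""
    domain: str
    cert_expiry: date                    # "SSL Certificate Expiration"
    order_expiry: Optional[date] = None  # "SSL Certificate Order Expiration"

    def effective_order_expiry(self) -> date:
        # An empty order expiration defaults to the certificate expiration.
        return self.order_expiry or self.cert_expiry


def next_action(rec: CertRecord, today: date, warn_days: int = 30) -> str:
    """Return 'ok', 'reissue' (no purchase needed) or 'purchase'."""
    if (rec.cert_expiry - today).days > warn_days:
        return "ok"
    # The order outlives the installed certificate: regenerate, do not buy.
    if rec.effective_order_expiry() > rec.cert_expiry:
        return "reissue"
    return "purchase"


def reissue_schedule(issued: date, order_expiry: date,
                     max_days: int) -> List[Tuple[date, str]]:
    """Dates on which a certificate must be replaced during one order,
    when no single certificate may be valid longer than max_days."""
    events = []
    expiry = min(issued + timedelta(days=max_days), order_expiry)
    while expiry < order_expiry:
        events.append((expiry, "reissue"))
        expiry = min(expiry + timedelta(days=max_days), order_expiry)
    events.append((order_expiry, "purchase"))
    return events


if __name__ == "__main__":
    # Constructed sample: a 3-year order placed on 2020-03-01.
    start, end = date(2020, 3, 1), date(2023, 3, 1)
    for cap in (825, 398):
        print(cap, [(d.isoformat(), a) for d, a in reissue_schedule(start, end, cap)])
```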
