The maximum validity period of TLS/SSL certificates is currently at 398 days (13 months). The validity period was sheared from 10 years down to 5 years, to 2 years, and finally to 13 months, owing to the security concerns associated with protracted validity periods. An organization may undergo many changes over the course of 5 or 10 years–mergers and acquisitions, management shuffles, or employees leaving. In such a scenario, domain names are subject to change, and so are certificate ownerships. If a certificate that has a 5-year validity were deployed for the old domain name, it has to be revoked, and a new CSR has to be raised for the new domain. Sometimes, organizations may forget to revoke old certificates. The website may now have a different domain, but the old domain would still be valid because its certificate is still active. Hackers could use those domains to create their own websites that look like they belong to the organization. They can get unsuspecting people to visit those websites and surrender their data, which would go straight to the hackers’ systems.
Short validity periods also make it easier to roll out algorithm changes. For example, a few years ago, SHA-1 was deprecated in favor of SHA-2, and organizations with certificates that had a validity period of 3 or more years had to wait it out before they could adopt the new algorithm. This is because hashing algorithms are chosen during the time of certificate generation, and the only way to change them is to wait till the certificate expires and generate a new one with the latest algorithm. Short validity periods of 2 years offer the perfect work-around for this problem because no algorithm change ever happens within that duration, and when it eventually does the waiting time for adoption is made negligible by the short renewal cycles.