CA/Root CA Lifecycles
Root CA Lifecyles (Draft)
The following language will be in Section 7.4 of version 2.9 of the Mozilla Root Store Policy.
For a root CA certificate trusted for server authentication, Mozilla will remove the websites trust bit when the CA key material is more than 15 years old. For a root CA certificate trusted for secure email, Mozilla will set the "Distrust for S/MIME After Date" for the CA certificate to 18 years from the CA key material generation date. The CA key material generation date SHALL be determined by reference to the auditor-witnessed key generation ceremony report. If the CA operator cannot provide the key generation ceremony report for a root CA certificate created before July 1, 2012, then Mozilla will use the “Valid From” date in the root CA certificate to establish the key material generation date.
Transition Schedule
For transition purposes, root CA certificates in the Mozilla root store will be distrusted according to the following schedule:
Key Material Created | Removal of Websites Trust Bit | Distrust for S/MIME After Date |
Before 2006 | April 15, 2025 | April 15, 2028 |
2006-2007 | April 15, 2026 | April 15, 2029 |
2008-2009 | April 15, 2027 | April 15, 2030 |
2010-2011 | April 15, 2028 | April 15, 2031 |
2012- April 14, 2014 | April 15, 2029 | April 15, 2032 |
April 15, 2014 - present | 15 years from creation | 18 years from creation |
This schedule is subject to change if underlying algorithms become more susceptible to cryptanalytic attack or if other circumstances arise that make this schedule obsolete.
CA operators MUST apply to Mozilla for inclusion of their next generation root certificate at least 2 years before the applicable distrust date.