Common Criteria Certificate Validity
Common Criteria Expired Certificates
15 expired and archived Common Criteria certificates tracked across CCRA, EUCC, SESIP, PSA Certified, ESA, EMVCo and MIFARE. Below: how long CC certificates typically last, which schemes have the most expired certificates, and the year-by-year expiry trend.
How long does a Common Criteria certificate last?
Most CC certificates are issued for 5 years and may be extended via maintenance updates. The histogram below shows the actual distribution from 15 expired and archived certificates. Median validity period: 5 years.
- 1-3 years: 1
- 4-5 years: 14
- 6-7 years: 0
- 8+ years: 0
Expired certificates by scheme
Total expired or archived certificates per scheme.
- CCRA: 15
Expired certificates by EAL
Distribution of expired certificates across Evaluation Assurance Levels.
- EAL2: 4
- EAL3: 3
- EAL4: 3
- EAL5: 2
- EAL7: 1
Expiry year trend
Number of certificates expiring (or already expired) per year.
- 2026: 15
About Common Criteria certificate expiry
Common Criteria (ISO/IEC 15408) certificates are issued with an explicit validity period, typically 5 years from the certificate's date of issue, though the period varies by scheme and Protection Profile. After expiry, the certificate is no longer valid for procurement claims unless the vendor has obtained a maintenance update or a fresh re-evaluation. Some schemes archive expired certificates rather than delisting them entirely; archived certificates remain in the public record but cannot be cited as active evidence.
Many procurement frameworks accept maintenance updates (also called assurance continuity) as proof that a previously certified product still meets its Security Target. NenkinTracker tracks maintenance update events alongside the original certification, so a product whose base certificate is expired but whose maintenance updates are current still surfaces correctly.