
The CA/Browser Forum has formally approved a phased plan to shorten the maximum validity period of publicly trusted SSL/TLS certificates from the current 398 days to just 47 days by March 2029.
The proposal, initially submitted by Apple in January 2025, aims to enhance the reliability and resilience of the global Web Public Key Infrastructure (Web PKI). The initiative received unanimous support from browser vendors — Apple, Google, Microsoft, and Mozilla — and overwhelming backing from certificate authorities (CAs), with 25 out of 30 voting in favor. No members voted against the measure, and the ballot comfortably met the Forum’s bylaws for approval.
The ballot introduces a three-stage reduction schedule:
- March 15, 2026: Maximum certificate lifespan drops to 200 days. Domain Control Validation (DCV) reuse also reduces to 200 days.
- March 15, 2027: Maximum lifespan shortens further to 100 days, aligning with a quarterly renewal cycle. DCV reuse falls to 100 days.
- March 15, 2029: Certificates may not exceed 47 days, with DCV reuse capped at just 10 days.
The changes are limited to certificates used for server authentication over the public internet and do not apply to private PKIs or use cases outside the scope of the TLS Baseline Requirements.
The rationale behind the decision is multifaceted. According to Apple’s proposal, certificates are a snapshot of validated data at a specific point in time. As time passes, the likelihood of divergence between a certificate’s contents and reality increases — especially in dynamic areas like domain ownership or organizational control. Shorter lifespans reduce this exposure window and diminish risks posed by compromised private keys, domain hijacking, or misissued certificates.
Moreover, the CA/Browser Forum acknowledges that current certificate revocation mechanisms — such as Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP) — are insufficient for mitigating risks at internet scale due to privacy, latency, and reliability concerns. By enforcing shorter certificate durations, the system becomes less reliant on these flawed status-checking methods.
This move is also seen as a critical step toward preparing for the advent of quantum computing. Cryptographic agility — the ability to quickly adopt stronger cryptographic algorithms when needed — is easier to achieve in ecosystems where certificate replacement is already routine and highly automated.
While the decision passed with consensus, implementation will take place over several years, giving organizations time to prepare. The timeline allows businesses to adopt or enhance certificate lifecycle management (CLM) solutions that can handle frequent renewals, ideally in a fully automated fashion.
By 2029, all public TLS certificates must be renewed approximately every six weeks — far more frequently than today’s annual cycle. This could pose operational challenges for businesses relying on manual processes or legacy infrastructure.
To prepare, organizations should automate certificate management using tools that support ACME or enterprise-grade CLM platforms, monitor certificate inventory to ensure timely renewals and reduce the risk of outages, and closely follow changes to cryptographic standards and readiness for post-quantum algorithms.
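The inventory monitoring step above, as an added example that is not code from the article, the Forum or any CA: a small Python script that reads the two lines printed by `openssl x509 -noout -dates` for each certificate, checks whether the certificate's validity exceeds the cap in force on its issuance date under the ballot's phased schedule (398, 200, 100, then 47 days), and reports which certificates are due for renewal. The sample `-dates` output is constructed, and the renew-when-one-third-of-lifetime-remains policy, the function names and the `SAMPLE_INVENTORY` data are assumptions for the illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone

# Phased maximum validity (days) from the ballot, keyed by the first day each
# limit applies. Before 15 March 2026 the current 398-day limit stays in force.
MAX_VALIDITY_SCHEDULE = [
    (date(2029, 3, 15), 47),
    (date(2027, 3, 15), 100),
    (date(2026, 3, 15), 200),
    (date.min, 398),
]

# Assumed renewal policy (not from the article): renew once a third of the
# certificate's lifetime remains, so a 47-day cert is renewed about 15 days early.
RENEW_WHEN_REMAINING_FRACTION = 1 / 3


def utc_day(year: int, month: int, day: int) -> datetime:
    """Timezone-aware UTC midnight; used for 'now' values in the checks below."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def max_validity_days(issued: date) -> int:
    """Maximum validity allowed for a certificate issued on `issued`."""
    for start, limit in MAX_VALIDITY_SCHEDULE:
        if issued >= start:
            return limit
    raise AssertionError("schedule always ends with a date.min fallback")


@dataclass(frozen=True)
class CertWindow:
    name: str
    not_before: datetime
    not_after: datetime

    @property
    def validity_days(self) -> int:
        return (self.not_after - self.not_before).days

    @property
    def exceeds_limit(self) -> bool:
        """True if the cert is longer than the cap in force when it was issued."""
        return self.validity_days > max_validity_days(self.not_before.date())

    @property
    def renew_at(self) -> datetime:
        lead = timedelta(days=self.validity_days * RENEW_WHEN_REMAINING_FRACTION)
        return self.not_after - lead


def parse_openssl_dates(name: str, text: str) -> CertWindow:
    """Parse `openssl x509 -noout -dates` output such as
    `notBefore=Apr 14 00:00:00 2025 GMT`; openssl always prints GMT and
    space-pads single-digit days (`Apr  1`), which strptime tolerates."""
    fields: dict[str, datetime] = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        stamp = value.strip().removesuffix(" GMT")
        parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
        fields[key.strip()] = parsed.replace(tzinfo=timezone.utc)
    return CertWindow(name, fields["notBefore"], fields["notAfter"])


def status(cert: CertWindow, now: datetime) -> str:
    """Classify one certificate relative to `now` (timezone-aware UTC)."""
    if now >= cert.not_after:
        return "EXPIRED"
    if now >= cert.renew_at:
        return "RENEW_NOW"
    return "OK"


def report(certs: list[CertWindow], now: datetime) -> list[tuple[str, str, bool]]:
    """One (name, status, exceeds_limit) row per certificate."""
    return [(c.name, status(c, now), c.exceeds_limit) for c in certs]


# Constructed sample inventory: -dates output for three hypothetical certificates.
SAMPLE_INVENTORY = {
    "legacy-398d": "notBefore=Apr 14 00:00:00 2025 GMT\nnotAfter=May 17 00:00:00 2026 GMT\n",
    "overlong-2026": "notBefore=Apr  1 00:00:00 2026 GMT\nnotAfter=Dec 31 00:00:00 2026 GMT\n",
    "short-2029": "notBefore=Apr  1 00:00:00 2029 GMT\nnotAfter=May 18 00:00:00 2029 GMT\n",
}


def sample_certs() -> list[CertWindow]:
    return [parse_openssl_dates(n, t) for n, t in SAMPLE_INVENTORY.items()]


if __name__ == "__main__":
    now = utc_day(2029, 5, 5)
    for name, state, too_long in report(sample_certs(), now):
        flag = "  (exceeds cap in force at issuance)" if too_long else ""
        print(f"{name:15} {state}{flag}")
```

In a real deployment the `SAMPLE_INVENTORY` dictionary would be replaced by the output of `openssl x509 -noout -dates -in <cert.pem>` (or `openssl s_client` against each endpoint) gathered on a schedule, and the `RENEW_NOW` rows fed to whatever triggers the ACME client; the point of the `exceeds_limit` flag is to catch certificates a CA or internal tooling issued for longer than the phase allows, which will otherwise show up as a sudden browser trust failure rather than a renewal gap.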
Well, this is just annoying. As the owner of a small internet tech company that’s been in business for 20 years, I can vouch that certificate renewals are a hassle that occupies a couple days of our developer’s time every renewal cycle. Not so awful when the renewals are annual, but every 6 weeks? That’s just ridiculous! Maybe the maximum lifetime of a certificate should be half the time the company has been in existence…
tar.com/news/business-wire/20250414207334/cabrowser-forum-passes-ballot-to-reduce-ssltls-certificates-to-47-day-maximum-term