Security certificate lifespans to be reduced to 47 days by 2029 under new industry standard – News

The Certification Authority Browser Forum has voted to reduce Secure Sockets Layer/Transport Layer Security certificates to 47 days by March 2029, in a move that will radically alter existing security practices.

The forum is a consortium of certificate authorities, web browser vendors and other industry stakeholders that sets security standards and best practices for digital certificates used to secure websites. This move, initially proposed by Apple Inc. and endorsed by major players that include Google LLC, Mozilla and Sectigo Inc., is aimed at bolstering online security, promoting automation in certificate management, and preparing systems for quantum computing challenges.

Currently, SSL/TLS certificates have a validity of 398 days, with the proposed change to 47 days to be phased in through a series of reductions. From March 2026, maximum certificate validity will be reduced to 200 days, then 100 days in March 2027, followed by a reduction to 47 days in March 2029.

The changes are being proposed to significantly strengthen internet security by reducing the risk of compromised or misused SSL/TLS certificates. Shorter certificate lifespans mean that even if a certificate or its associated private key is exposed or stolen, the window of opportunity for attackers is drastically reduced.

The idea is that short lifespans on certificates limit the potential for man-in-the-middle attacks, phishing attempts using fraudulent certificates and other threats that rely on the long-term validity of compromised credentials.

Another key driver behind the vote is the push toward automation in certificate management. The proponents argue that as lifespans shrink, manual renewal becomes impractical, especially for organizations managing hundreds or thousands of certificates. The shift encourages the adoption of automated Certificate Lifecycle Management tools and protocols like ACME, which streamline issuance and renewal processes.

The changes are also said to be part of a broader effort to prepare for the future of cryptography in a post-quantum world. Shorter certificate lifespans increase crypto agility, making it easier to roll out stronger algorithms and respond quickly to evolving threats.

It sounds all very well and good and there’s no argument that addressing security challenges is important. But every website, from corporate to a local grandma writing about history, needs an SSL certificate for their website. A multibillion-dollar corporation such as Apple might be fine with updating certificates every 47 days, but whether intentional or not, the move doesn’t favor small creators.

But it’s not just small creators who may be affected. Many larger organizations also face a surge in administrative burdens. Shorter certificate lifespans mean renewals happen more frequently, potentially every six to seven weeks. Without reliable automation in place, that could lead to more human error, service disruptions from expired certificates and an increased burden on information technology teams already stretched thin.

There is also the cost involved: Automated certificate lifecycle management isn’t free, and though some certificate providers may adjust pricing models to accommodate shorter terms, others may not, potentially leading to higher overall costs. For businesses managing large numbers of domains and particularly for managed service providers, the cumulative expense and resource allocation could be significant.

The costs and potential disruption aside, the move has not surprisingly been well-received by certificate providers.

“With the CA/Browser Forum’s approval to shorten TLS certificate validity periods to 47 days, companies no longer have a choice whether to automate their certificates,” Mohit Kumar, vice president of product management at certificate authority company GlobalSign Inc., told News via email. “This much tighter lifecycle now forces organizations to stay proactive and vigilant about their certificate management to reduce the likelihood of breaches caused by stale or mis-issued certificates. As this new rule is phased in over the next few years, it is in the best interest of organizations to choose an automation vendor sooner rather than later in order to be prepared for this significant shift.”

Image: News/Reve