In a move to enhance internet security, the CA/Browser Forum (CA/B Forum) has approved a proposal to reduce the maximum validity period of SSL/TLS certificates from the current 398 days to just 47 days by March 15, 2029. This decision, initially proposed by Apple and endorsed by major industry players including Google, Mozilla, and Sectigo, aims to mitigate risks associated with long-lived certificates and encourage automation in certificate management.
According to their proposal, the transition to shorter SSL/TLS certificate lifespans will take place gradually over several years. Starting on March 15, 2026, the maximum validity period for certificates will be reduced to 200 days. This will be followed by another reduction on March 15, 2027, bringing the limit down to 100 days. Finally, on March 15, 2029, the maximum lifespan will be shortened to just 47 days, marking a significant shift in how certificate management is handled across the industry.
Additionally, the period during which domain validation information can be reused will decrease from 398 days to 10 days by 2029, necessitating more frequent revalidation processes.
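The schedule above is easy to misapply by hand, so here is an added example (not from the article or from the CA/B Forum) that encodes it and checks a certificate's validity window against the limit in force on its issuance date. It takes the `notBefore`/`notAfter` lines that `openssl x509 -noout -dates` prints, counts the validity in whole days (rounding a partial day up is this example's simplification, not the Baseline Requirements' exact rule), and suggests a renewal date at two thirds of the lifetime, a common automation convention that is an assumption here. The sample lines are constructed.

```python
import math
from datetime import date, datetime, timedelta, timezone

# Maximum validity (days) by effective date, as given in the article:
# 398 today, 200 from 2026-03-15, 100 from 2027-03-15, 47 from 2029-03-15.
CURRENT_MAX_DAYS = 398
VALIDITY_SCHEDULE = [
    (date(2026, 3, 15), 200),
    (date(2027, 3, 15), 100),
    (date(2029, 3, 15), 47),
]


def max_validity_for(issue_date: date) -> int:
    """Maximum validity in days for a certificate issued on issue_date."""
    limit = CURRENT_MAX_DAYS
    for effective, days in VALIDITY_SCHEDULE:
        if issue_date >= effective:
            limit = days
    return limit


def parse_openssl_date(line: str) -> datetime:
    """Parse one 'notBefore=...' or 'notAfter=...' line from `openssl x509 -dates`."""
    _, _, value = line.strip().partition("=")
    # openssl prints e.g. 'Oct  1 00:00:00 2026 GMT'; strptime tolerates the double space.
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def validity_days(not_before: datetime, not_after: datetime) -> int:
    """Validity in whole days; a partial day counts as a full day (simplifying assumption)."""
    return math.ceil((not_after - not_before).total_seconds() / 86400)


def check_certificate(not_before: datetime, not_after: datetime, renew_fraction: float = 2 / 3) -> dict:
    """Compare the certificate's lifetime with the limit that applies on its issuance date."""
    days = validity_days(not_before, not_after)
    allowed = max_validity_for(not_before.date())
    # Renew at a fixed fraction of the lifetime (assumed convention, e.g. 60 of 90 days).
    renew_by = not_before + timedelta(days=math.floor(days * renew_fraction))
    return {
        "validity_days": days,
        "max_allowed": allowed,
        "compliant": days <= allowed,
        "renew_by": renew_by.date(),
    }


def check_from_openssl_output(text: str) -> dict:
    """Run the check on the two-line output of `openssl x509 -noout -dates`."""
    dates = {}
    for line in text.strip().splitlines():
        key = line.split("=", 1)[0].strip()
        dates[key] = parse_openssl_date(line)
    return check_certificate(dates["notBefore"], dates["notAfter"])


# Constructed sample output: a certificate issued on the first day of the 200-day limit.
SAMPLE_DATES = """\
notBefore=Mar 15 00:00:00 2026 GMT
notAfter=Oct  1 00:00:00 2026 GMT
"""

if __name__ == "__main__":
    report = check_from_openssl_output(SAMPLE_DATES)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Feed it real output with `openssl x509 -in cert.pem -noout -dates | python3 check_validity.py` after replacing `SAMPLE_DATES` with `sys.stdin.read()`; a `compliant: False` result on a newly issued certificate means the issuing CA is already out of step with the schedule, and the `renew_by` date is the one to wire into the renewal job.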
The rationale behind this change is to enhance security by limiting the window during which a compromised certificate can be exploited. Shorter lifespans reduce reliance on certificate revocation mechanisms, which have historically been unreliable.
Some professionals express skepticism about the practicality and necessity of this change. For instance, Daniel V. Bailey questioned the lack of empirical evidence supporting the move, stating:
“Do…uh, we have hard data to show this is a good idea? I get the intent, for sure. Cert revocation checks just don’t work very well, and automated tools can help you renew your certificates automagically. It’s a pity that in practice, companies will have legacy systems and appliances where they can’t easily automate”.
Others highlight the potential operational challenges, particularly for organizations lacking automation capabilities. A Reddit user commented:
“I think the cost, including to public sector entities, of having to automate all cert rotations – combined with the complete lack of actual evidence (attacks this would have prevented) to sell it as a ‘security’ measure – will result in the government taking a good, hard, overdue look at the influence and gatekeeper power wielded by the unaccountable CA/BF cabal, by the time these deadlines come to pass”.
Proponents of reducing SSL/TLS certificate lifespans make the same security argument: a shorter validity period narrows the window in which a compromised or misissued certificate remains usable. As noted by Sectigo, shorter certificate validity periods reduce the exposure from private key compromise, misissuance, and revocation delays, thereby strengthening digital security.
Additionally, the move towards shorter lifespans encourages the adoption of automated certificate management. According to AppViewX, short-lived certificates necessitate frequent renewals, which are best handled through automation to prevent certificate expiry and outages. Automated solutions ensure seamless certificate lifecycle management, bolstering compliance, operational efficiency, and digital trust.
As the industry adapts to these changes, organizations will need to assess their certificate management practices and implement automation where possible to maintain security and compliance in the evolving digital landscape.