The CA/Browser Forum has approved a proposal to reduce the maximum validity of SSL/TLS certificates from the current 398 days to just 47 days by 2029.
The measure, initially proposed by Apple and endorsed by Sectigo, will be implemented in phases over the next four years, marking a significant shift in digital certificate management practices.
The reduction in certificate lifespans will be rolled out gradually:
- March 15, 2026: Maximum certificate validity reduces to 200 days, aligning with a six-month renewal cycle. Domain Control Validation (DCV) reuse periods will also shrink to 200 days.
- March 15, 2027: Lifespans are further shortened to 100 days, accommodating a three-month renewal cadence. DCV reuse periods will drop to 100 days.
- March 15, 2029: Certificates will have a maximum validity of just 47 days, requiring monthly renewals. DCV reuse periods will reduce drastically to only 10 days.
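The phased limits above can be checked against a certificate inventory. The Python below is an added example, not code from the CA/Browser Forum or any vendor named in this article; it parses the output of `openssl x509 -noout -dates` and assumes each limit applies according to the certificate's issuance date (notBefore). The sample dates and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# (effective date, max validity days, max DCV reuse days), as listed in the article.
PHASES = [(utc(2026, 3, 15), 200, 200),
          (utc(2027, 3, 15), 100, 100),
          (utc(2029, 3, 15), 47, 10)]
CURRENT_MAX_DAYS = 398  # limit before the first phase; its DCV reuse is not given

def parse_openssl_dates(text):
    """Parse `openssl x509 -noout -dates` output into (notBefore, notAfter)."""
    out = {}
    for line in text.strip().splitlines():
        key, _, val = line.partition("=")
        stamp = " ".join(val.split())  # collapse the padded day, e.g. "Mar  5"
        out[key.strip()] = datetime.strptime(
            stamp, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
    return out["notBefore"], out["notAfter"]

def limits_for(issued):
    """Limits in force on the issuance date (assumption: keyed on notBefore)."""
    max_days, dcv_days = CURRENT_MAX_DAYS, None
    for effective, phase_max, phase_dcv in PHASES:
        if issued >= effective:
            max_days, dcv_days = phase_max, phase_dcv
    return max_days, dcv_days

def audit(dates_text, last_dcv=None):
    """Return findings for one certificate; an empty list means no issue found."""
    not_before, not_after = parse_openssl_dates(dates_text)
    lifetime = not_after - not_before  # simplification: plain difference
    max_days, dcv_days = limits_for(not_before)
    findings = []
    if lifetime > timedelta(days=max_days):
        findings.append(f"lifetime {lifetime.days}d exceeds {max_days}d limit")
    dcv_age = not_before - last_dcv if last_dcv else None
    if dcv_age and dcv_days is not None and dcv_age > timedelta(days=dcv_days):
        findings.append(f"DCV older than {dcv_days}d at issuance")
    # Forward look: first phase after which this lifetime cannot be reissued as-is.
    for effective, phase_max, _ in PHASES:
        if effective > not_before and lifetime > timedelta(days=phase_max):
            findings.append(f"same lifetime not reissuable from {effective:%Y-%m-%d}")
            break
    return findings

# Constructed sample: a 397-day certificate issued after the first phase date.
SAMPLE = "notBefore=Apr  1 00:00:00 2026 GMT\nnotAfter=May  3 00:00:00 2027 GMT"
if __name__ == "__main__":
    print(audit(SAMPLE, last_dcv=utc(2025, 6, 1)))
```

The forward-looking finding is the one to act on first: it names the phase date after which a certificate's current lifetime can no longer be requested, which is when a manual renewal process has to be automated or rescheduled.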
Three key objectives drive the initiative:
- Enhanced Security: Shorter lifespans limit the exposure of private keys to potential threats, reducing risks such as man-in-the-middle attacks and data breaches. Compromised certificates will expire faster, minimizing their utility for attackers.
- Encouraging Automation: Frequent renewals necessitate automated certificate lifecycle management solutions, reducing reliance on manual processes that are prone to errors and delays. This shift is expected to accelerate the adoption of emerging security technologies and cryptographic algorithms.
- Preparing for Quantum Computing: With quantum computing posing future threats to cryptographic security, shorter certificate lifespans promote crypto agility, enabling quicker adoption of stronger algorithms and compliance with evolving standards.
Industry Reactions
The proposal has received unanimous support from major browser vendors, including Apple, Google, Mozilla Foundation, and Microsoft. Sectigo CEO Kevin Weiss hailed the decision as a “pivotal advancement” for internet security while emphasizing the need for automation in managing frequent renewals.
Tim Callan, Chief Compliance Officer at Sectigo and Vice Chair of the CA/Browser Forum, highlighted the operational challenges posed by shorter certificate lifespans but underscored their importance in preparing for quantum-era threats. “Organizations must embrace automated solutions to ensure seamless renewals and avoid service disruptions,” Callan stated.
While the move strengthens security, it introduces operational complexities for enterprises reliant on manual renewal processes. System administrators have expressed concerns over increased workloads, particularly in environments with complex systems or multiple domains.
Businesses must prepare for this transition by updating their infrastructure and adopting automation solutions. The gradual implementation timeline provides a window for adaptation, but enterprises that fail to modernize risk compliance breaches and service outages.
As the industry moves toward shorter certificate lifespans, this change represents not just a technical adjustment but a fundamental shift in how digital trust is managed, ensuring stronger security for an increasingly interconnected world.