The CA/Browser Forum has officially approved a phased reduction in SSL/TLS certificate lifespans, aiming for a maximum validity of just 47 days by 2029.
The decision was made in April 2025, when the CA/Browser Forum approved Ballot SC-081v3, originally proposed by Apple. The ballot received 29 votes in favor and none opposed, signaling a strong consensus among certificate authorities and browser vendors for the new policy.
Phased Reduction Timeline
- March 15, 2026:
- Maximum certificate lifespan: 200 days
- Domain validation reuse: 200 days (down from 398 days)
- Organization validation reuse: 398 days (down from 825 days)
- Required renewals/year: 2× current frequency
- March 15, 2027:
- Maximum certificate lifespan: 100 days
- Domain validation reuse: 100 days
- Required renewals/year: 4× current frequency
- March 15, 2029:
- Maximum certificate lifespan: 47 days
- Domain validation reuse: 10 days
- Required renewals/year: 8× current frequency
The Reason Behind the Change
Shortening certificate lifespans is intended to reduce the security risks associated with long-lived certificates. Certificates valid for extended periods may rely on outdated information, use deprecated cryptographic algorithms, or remain active even after private keys have been compromised. By reducing lifespans, the industry encourages faster adoption of updated security standards and minimizes the window of vulnerability.
Benefits of Shorter Lifespans
- Enhanced Security: More frequent encryption key rotation limits exposure to compromised certificates
- Reduced Vulnerability Window: Less time for attackers to exploit compromised certificates
- Improved Agility: Faster adoption of new security standards
- Simplified Revocation: Less reliance on complex revocation processes
Challenges and the Automation Imperative
The parallel reductions in both certificate lifespans and validation reuse periods create compounded operational demands:
- Teams must now manage both more frequent renewals and increased validation workloads
- Manual processes become impractical at scale due to intersecting deadlines
- Error margins shrink with tighter validation windows
These challenges underscore the critical need for certificate automation.
SSL.com’s Automation Solutions
To address these challenges, SSL.com offers robust automation tools:
- ACME Protocol Support: A certificate lifecycle protocol for streamlined and automated certificate issuance and renewal.
- Comprehensive API: Ready-made integration solutions that can manage certificate lifecycles through:
- RESTful endpoints
- CI/CD platform integrations (GitHub Actions, Azure DevOps, Jenkins)
- Cloud HSM configurations
Preparing for the Future
- Assess Your Current State: Evaluate existing certificate management practices
- Implement Automation: Utilize SSL.com’s ACME support and API for efficient certificate lifecycle management
- Educate Your Team: Ensure your IT staff understands best practices for automated certificate management
- Stay Informed: Keep up with industry changes and adapt proactively
Conclusion
The shift to 47-day certificate lifespans is not just a challenge; it’s an opportunity to enhance your security posture and operational efficiency. By focusing on automation now, you can turn this industry shift into a strategic advantage.
While this transition may introduce operational challenges in the short term, it is ultimately designed to improve long-term web security, reliability, and trustworthiness by ensuring that SSL/TLS certificates reflect current, validated information at all times.
At SSL.com, we’re committed to providing the tools and support you need to thrive in this new era of digital security. Our automation solutions ensure you can meet the demands of shorter certificate lifespans while improving your overall security stance.
Don’t wait for the 47-day deadline to catch you off guard. Start your journey towards fully automated certificate management with SSL.com today.
Contact our team about SSL.com’s Certificate Management Solutions
