The CA/Browser Forum has voted to gradually reduce the lifespan of SSL/TLS certificates to 47 days over the next four years. The lifespan will be gradually reduced to 200, 100 and, from March 2029, only 47 days. This is a drastic reduction compared to the current 398 days. The measure has been unanimously adopted and should force companies to automate certificate renewals and improve online security.
The CA/Browser Forum is a partnership between certificate authorities (CAs) and software developers, including Google, Apple, Mozilla, and Microsoft. They have jointly and unanimously decided to reduce the lifespan of SSL certificates to just 47 days. The group hopes to increase the security of software and the internet by shortening the lifespan of SSL certificates.
With 25 votes in favor and none against, the Forum has drastically shortened the lifespan of SSL/TLS certificates.
Also read: Fortinet wants users of several SSL VPNs to update
Phased approach over four years
The current lifespan of 398 days will not be reduced all at once. Instead, a step-by-step approach has been chosen that gives companies time to adapt to the new reality:
- From March 15, 2026, the lifespan and DCV (Domain Control Validation) will be reduced to 200 days
- From March 15, 2027, there will be a further reduction to 100 days
- From March 15, 2029, the lifespan will be only 47 days and the DCV will be 10 days.
This gradual decrease will give organisations sufficient time to implement an automation process to renew the certificates.
Why this change?
SSL/TLS certificates are essential for secure online communication. They enable encrypted connections (HTTPS), preventing malicious parties from intercepting sensitive data such as passwords and credit card information. They also verify the identity of websites and guarantee that the information exchanged has not been tampered with.
The CA/Browser Forum sees several advantages to shortening the lifespan of certificates:
- Minimizing risks due to outdated certificate data
- Reduction of problems with outdated cryptographic algorithms
- Limiting exposure to stolen login details
- Encouraging automation in the renewal and rotation of certificates.
This approach will reduce the number of times websites have to deal with expired certificates, which currently regularly cause browsers to warn that connections are not private or secure.
Organizations must automate processes involving SSL certificates
This change will temporarily lead to additional management costs for organizations. After all, the shorter lifespan of certificates means they will have to be renewed more often. However, it does force organizations to automate the process of renewing SSL certificates. This is not very difficult, by the way. Various parties already offer solutions, including several cloud providers, Let’s Encrypt, and certificate providers that support the ACME protocol.
The majority of certificate authorities agreed that “the current timeframe of 398 days is too long in today’s security landscape. ” Switching to automated certificate management will ultimately make the ecosystem more flexible and secure.