New SSL/TLS certs to each live no longer than 47 days by 2029

CA/Browser Forum – a central body of web browser makers, security certificate issuers, and friends – has voted to cut the maximum lifespan of new SSL/TLS certs to just 47 days by March 15, 2029.

Today the certificates, which underpin things like encrypted HTTPS connections between browsers and websites, are good for up to 398 days before needing to be renewed. Apple put out a proposal last year to cut the maximum time between renewals, and got support from Big Tech pals.

Their argument being that shorter renewal periods mean compromised or stolen certificates can be abused for at the most days or weeks rather than months before expiring. On the one hand, that may mean more purchases from certificate issuers for cert holders; on the other, Let's Encrypt provides perfectly good certificates for free and also helps automate the renewal process.

The vote on the much shorter lifetimes passed over the weekend with certificate issuers voting 25-0 for the proposal and five abstentions by Entrust, IdenTrust, Japan Registry Services, SECOM Trust Systems, and TWCA. The certificate consumers - Apple, Google, Microsoft, and Mozilla - voted unanimously in favor of the proposal.

The depreciation schedule is now as follows:

• March 15, 2026: Newly issued certificates, including their Domain Control Validation, aka DCV, will have to be renewed every 200 days.
• March 15, 2027: That lifespan will go down to 100 days.
• March 15, 2029: New SSL/TLS certificates will be limited to 47 days, and 10 days for DCVs.

"The industry’s unified support for reducing certificate lifespans to 47 days reflects a shared commitment to enhancing digital security and trust for all," said Tim Callan, chief compliance officer at Sectigo and vice-chair of the CA/B Forum.

"This pivotal and positive advancement for our industry underscores the importance of agility and proactive risk management in today’s threat landscape while preparing for the risks of the quantum era."

• Apple drops a bomb on long-life HTTPS certificates: Safari to snub new security certs valid for more than 13 months
• Sysadmins rage over Apple's 'nightmarish' SSL/TLS cert lifespan cuts plot
• DigiCert gives unlucky folks 24 hours to replace doomed certificates after code blunder
• Firefox's Mozilla follows Google in losing trust in Entrust's TLS certificates

In 2020 Apple unilaterally decided its software, primarily Safari, would no longer accept new HTTPS certificates that expired more than 13 months from their creation date, so its fight for shorter cert lifetimes has been rumbling on for a while.

"From a security perspective: I really like and understand that change," said one denizen of the Reddit Sysadmin forum, in response to the weekend vote.

"From a sysadmin and operations perspective: What a stupid change. In the perfect cloud native, fully automated fantasy land, this might work and not even generate that much overhead work. In the real world, this will generate lots of manual work. At least, until folks replace their legacy hardware and manufacturers patch their shit."

The gradual tightening of renewal deadlines is supposed to help companies adapt. It's increasingly clear IT admins are going to have to shift to automated systems for handling SSL/TLS certs in the coming years. ®