Finalized Plans to Shorten SSL Certificate Validity Periods
It is now officially confirmed: the lifespan of SSL certificates will gradually be shortened over time. After years of discussions, which included several proposed changes that were ultimately rejected, the members of the CA/Browser Forum have approved, by majority consensus, a timetable to implement these changes.
Below is the detailed schedule outlining how the validity periods of newly issued certificates will change based on issuance dates:
| Certificates issued after | Certificates issued before | Maximum validity duration |
| [No date specified] | March 15, 2026 | 398 days |
| March 15, 2026 | March 15, 2027 | 200 days |
| March 15, 2027 | March 15, 2029 | 100 days |
| March 15, 2029 | [No date specified] | 47 days |
Additionally, a second roadmap has been outlined, focusing on how long validated data used during certificate registration can be reused.
Data Reuse Policies for Different Types of Information
For personal data, the schedule is as follows:
| Certificates issued after | Certificates issued before | Maximum reuse period |
| [No date specified] | March 15, 2026 | 825 days |
| March 15, 2026 | [No date specified] | 398 days |
For domain names and IP addresses, the timeline looks like this:
| Certificates issued after | Certificates issued before | Maximum reuse period |
| [No date specified] | March 15, 2026 | 398 days |
| March 15, 2026 | March 15, 2027 | 200 days |
| March 15, 2027 | March 15, 2029 | 100 days |
| March 15, 2029 | [No date specified] | 10 days |
These standards, known as the “Baseline Requirements” of the CA/Browser Forum, are expected to be followed by all public certificate authorities.
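To show how the two schedules interact in practice, the following added example (not part of the original article or any CA/Browser Forum tooling) audits a certificate against the validity and domain-validation reuse limits above and projects how often a site would have to reissue. The function names, the treatment of a boundary date as falling under the newer limit, and the "renew after two-thirds of the lifetime" policy are assumptions made for illustration.

```python
from datetime import date, timedelta

# Limits in days, keyed by the first issuance date they apply to (from the tables above).
# Assumption: a certificate issued exactly on a boundary date gets the newer, stricter limit.
VALIDITY = [(date.min, 398), (date(2026, 3, 15), 200),
            (date(2027, 3, 15), 100), (date(2029, 3, 15), 47)]
DOMAIN_REUSE = [(date.min, 398), (date(2026, 3, 15), 200),
                (date(2027, 3, 15), 100), (date(2029, 3, 15), 10)]

def limit_on(schedule, issued):
    """Limit in days for a certificate issued on `issued`."""
    return [days for start, days in schedule if start <= issued][-1]

def audit(not_before, not_after, validated_on):
    """Check one certificate against both schedules and return a list of findings.
    Lifetime is approximated as the whole-day difference between the two dates."""
    findings = []
    lifetime = (not_after - not_before).days
    max_days = limit_on(VALIDITY, not_before)
    if lifetime > max_days:
        findings.append(f"lifetime {lifetime}d exceeds {max_days}d")
    age = (not_before - validated_on).days
    max_age = limit_on(DOMAIN_REUSE, not_before)
    if age > max_age:
        findings.append(f"domain validation {age}d old exceeds {max_age}d reuse")
    return findings

def renewal_plan(first_issue, horizon):
    """Issuance dates up to `horizon`, always requesting the maximum lifetime and
    renewing once two-thirds of it has elapsed (assumed policy, not from the page)."""
    plan, issued = [], first_issue
    while issued < horizon:
        days = limit_on(VALIDITY, issued)
        plan.append((issued, days))
        issued += timedelta(days=days * 2 // 3)
    return plan

if __name__ == "__main__":
    # Constructed inventory entry: a 398-day certificate issued after the first cut-over.
    nb = date(2026, 4, 1)
    print(audit(nb, nb + timedelta(days=398), date(2026, 3, 1)))
    for issued, days in renewal_plan(date(2026, 1, 1), date(2030, 1, 1)):
        print(issued, days)
```

From March 15, 2029 the reuse limit (10 days) is shorter than the renewal interval, so under these assumptions every reissuance needs a fresh domain validation.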
Automating Certificate Lifecycles: A Strategic Move
Major technology companies like Apple and Google are key supporters of this initiative. Their primary goal is to enhance the reliability of certificates and reduce potential misuse—such as exploiting orphaned domain names. Moreover, they see this as an opportunity to accelerate the move towards automated management of the entire certificate lifecycle. This automation approach aims to address the current limitations of certificate revocation services, which are overwhelmed given the size and complexity of the modern web.
While there is general acknowledgment among CA/Browser Forum members that automation is inevitable, concerns about the costs involved remain. Some cite success stories that suggest the transition will bring cost savings by eliminating the direct expenses of manual management and reducing downtime caused by misconfigurations or failures.
Roadmap for Transition and Its Challenges
Cisco, one of the voting members supporting the move, emphasized the importance of establishing a clear transition plan. This plan should involve several phases:
- Understanding the current systems and processes
- Analyzing how automation aligns with internal policies, regulations, and change management standards
- Planning the necessary budget and resources
- Assessing potential incompatibilities with existing systems
Although no member opposed the proposal, some abstentions highlight different concerns. These include:
- MOIS, worried about possible disruptions to service continuity
- IdenTrust, skeptical about security benefits for certain types of certificates
- JPRS, questioning the feasibility of the overall plan
- TWCA, considering a validity period of 47 days too aggressive, since current mechanisms do not clearly demonstrate benefits over 100-day certificates
Historical Context of Certificate Validity Periods
In 2023, Google proposed reducing certificate validity to 90 days but was unsuccessful. The current proposal of 47 days originates from Apple, which advanced this idea in 2024.
Historically, electronic certificates had a lifespan of 8 to 10 years, and in 2012 this was cut to five years. The current change continues that trend toward shorter lifetimes, with the aim of improving security and manageability.