TLS Certificate Lifetime Update – What you need to know
The internet security landscape is about to undergo a major shift. On April 11, 2025, the CA/Browser Forum, a leading consortium of certificate authorities and browser vendors, voted to set a new timeline to progressively shorten the lifespan of TLS (Transport Layer Security) certificates.
The goal: to bring more security, encourage automation, and reduce risk across the web.
Internet security is essential to any company, from small businesses to enterprise organizations. This post will help you understand what is happening and how you can prepare for it.
What is changing with TLS?
Between 2025 and 2029, certificate expiration periods will be steadily reduced. Here’s the updated schedule:
- Until March 14, 2026: For current certificates, the maximum period during which domain validation information may be reused is 398 days.
- March 15, 2026: Certificates issued on or after this date will be valid for up to 200 days.
- March 15, 2027: Certificates issued on or after this date will have a validity cap of 100 days.
- March 15, 2029: Certificates issued on or after this date will expire within 47 days of issuance.
Additionally, the reuse period for domain ownership checks (Domain Control Validation or DCV) is set to drop to 10 days, adjusting the window during which domain validation remains valid.
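To see what this schedule means for renewal workload, the following added example (not code from the CA/Browser Forum or from this post) simulates renewals for a single certificate across the transition dates. The 15-day renewal lead time, the function names, and the sample dates are assumptions made for illustration.

```python
from collections import Counter
from datetime import date, timedelta

# Validity caps from the schedule above: (first issuance date, max days).
# 398 days is the cap in force for certificates issued before March 15, 2026.
SCHEDULE = [
    (date(2029, 3, 15), 47),
    (date(2027, 3, 15), 100),
    (date(2026, 3, 15), 200),
    (date.min, 398),
]

def max_validity_days(issued):
    """Validity cap for a certificate issued on `issued`."""
    return next(days for effective, days in SCHEDULE if issued >= effective)

def exceeds_cap(not_before, not_after):
    """True if the lifetime is longer than the cap for its issuance date.
    Simplification: lifetime is counted in whole calendar days."""
    return (not_after - not_before).days > max_validity_days(not_before)

def plan_renewals(not_after, horizon, lead_days=15):
    """Simulate renewals up to `horizon`. Each renewal is issued `lead_days`
    before the current expiry (an assumed policy) at the maximum lifetime
    allowed on its issuance date. Returns [(issued, new_not_after), ...]."""
    if not 0 <= lead_days < 47:
        raise ValueError("lead_days must be shorter than the smallest cap")
    plan, expiry = [], not_after
    while (issued := expiry - timedelta(days=lead_days)) <= horizon:
        expiry = issued + timedelta(days=max_validity_days(issued))
        plan.append((issued, expiry))
    return plan

def renewals_per_year(plan):
    """Count issuances per calendar year, i.e. the renewal workload."""
    return dict(Counter(issued.year for issued, _ in plan))

if __name__ == "__main__":
    # Constructed sample: a 398-day certificate expiring on July 4, 2026.
    plan = plan_renewals(date(2026, 7, 4), horizon=date(2030, 12, 31))
    for year, count in sorted(renewals_per_year(plan).items()):
        print(year, count)
```

Under the 47-day cap with a 15-day lead, each certificate is reissued every 32 days, which is the per-certificate cadence an inventory has to sustain from 2029 onward.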
Behind the Decision: The Role of the CA/Browser Forum
The CA/Browser Forum is a collaborative group that brings together certificate issuers and browser developers to set the standards for issuing and managing digital certificates. Their decisions shape the foundation of online encryption and trust. This forum is crucial in addressing security threats, meeting industry demands, and adapting to technological advancements. The proposal for significantly shorter certificate lifetimes was overwhelmingly approved. All 25 certificate issuers voted in favor, while Entrust, IdenTrust, Japan Registry Services, SECOM Trust Systems, and TWCA abstained. On the consumer side, major tech companies like Apple, Google, Microsoft, and Mozilla unanimously supported the change.
Benefits of Shorter Certificate Lifespans
- Reduces the Impact of Compromise
Shorter-lived certificates mean less time for bad actors to exploit any that are stolen or misused.
- Less Dependence on Revocation
Since certificates expire more quickly, the need for complex revocation systems is reduced.
- Pushes Automation Forward
Regular renewals encourage organizations to automate certificate management, reducing the possibility of errors or outages.
- Future-Readiness
This change sets the stage for quicker industry adaptation when cryptographic methods become outdated or need replacement.
Challenges Ahead
- Heavier Workload Without Automation
Companies not yet using automation tools may struggle to keep up with frequent renewals.
- Modernization Requirements
Outdated systems may require upgrades to support seamless certificate issuance and renewal cycles.
- More Moving Parts to Monitor
As the volume of short-lived certificates increases, so does the complexity of managing them.
Looking Ahead
The CA/Browser Forum’s timeline sets a clear path forward. While it will demand changes in how organizations handle TLS certificates, the expected gains in security and reliability are substantial. Businesses are advised to begin preparing now by investing in automation platforms and updating systems that rely on certificate-based encryption.
This change underscores a wider industry trend towards creating a more robust and flexible security framework, one that is better equipped to address both current and future threats.
Working together
Looking for a partner to help guide you through these (and other) changes? AppsAssurance, managed services by Apps Associates, helps you stay ahead of the curve of technology and security updates. Let our experts be your guide.