The Future of SSL: The Looming Challenge and How to Prepare for It
The recent decision by the CA/Browser Forum marks a turning point in the history of the internet trust ecosystem. By an overwhelming majority, browsers and certification authorities agreed to progressively reduce the maximum validity of SSL/TLS certificates to just 47 days by 2029.
Opinion piece by Néstor Markowicz, COO of CertiSur.
How did we get here?
The history of digital certificates is marked by a constant tension between security and operability. For years, certificate validity was reduced: from 5 years in the early days, to 3, then 2, and since 2020, a maximum of 1 year. This evolution responded to security incidents, breaches in Certification Authorities, and the need to prevent a compromised certificate from remaining active for too long.
Browsers, led by Apple, Google, and Mozilla, have been pushing these changes with the goal of strengthening the security of the ecosystem. The logic is clear: shorter certificates mean a shorter window of exposure in the event of a compromised private key.
But this new leap is of an unprecedented magnitude.
The new schedule
The decision establishes a reduction in three stages:
- March 2026: maximum validity of 200 days.
- March 2027: reduced to 100 days.
- March 2029: the limit will be only 47 days.
This represents a structural change in the way organizations manage their digital trust infrastructure.
What does this mean for businesses?
The main consequence is clear: it will no longer be feasible to continue renewing certificates manually. With dozens or hundreds of certificates in an organization, such short validity cycles will make traditional management unviable.
The only way to adapt is by automating the certificate lifecycle: issuance, renewal, deployment, and monitoring. Companies must review their internal policies, audit their certificate portfolio, and adopt tools that automate these tasks securely and reliably.
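As an added illustration (not code from the original article or from CertiSur), the following Python script applies the schedule above to a constructed certificate inventory: it flags entries that are expired or inside a renewal window, marks those whose replacement will be capped at a shorter validity than they have today, and projects how many renewals a year the portfolio will need under each stage. The exact effective day within each month and the 14-day renewal lead time are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Schedule from the article. It gives only the month of each stage; the 15th
# is an assumed effective day used here for the date comparisons.
SCHEDULE = [(datetime(2026, 3, 15, tzinfo=UTC), 200),
            (datetime(2027, 3, 15, tzinfo=UTC), 100),
            (datetime(2029, 3, 15, tzinfo=UTC), 47)]

@dataclass
class Cert:
    """One inventory entry (constructed sample data, not a real certificate)."""
    subject: str
    not_before: datetime
    not_after: datetime

def max_validity_days(issued: datetime) -> int:
    """Longest validity a certificate issued on `issued` may have."""
    limit = 398  # limit in force before the first stage (not stated on the page)
    for effective, max_days in SCHEDULE:
        if issued >= effective:
            limit = max_days
    return limit

def status(cert: Cert, now: datetime, lead_days: int = 14) -> str:
    """expired / renew-now (inside the lead window) / shorter-next (the
    replacement issued at expiry is capped below this validity) / ok."""
    if now > cert.not_after:
        return "expired"
    if now > cert.not_after - timedelta(days=lead_days):
        return "renew-now"
    if (cert.not_after - cert.not_before).days > max_validity_days(cert.not_after):
        return "shorter-next"
    return "ok"

def renewals_per_year(cert_count: int, max_days: int, lead_days: int = 14) -> int:
    """Yearly renewals if each certificate is reissued lead_days before expiry."""
    return -(-365 * cert_count // (max_days - lead_days))  # ceiling division

if __name__ == "__main__":
    now = datetime(2026, 6, 1, tzinfo=UTC)
    portfolio = [  # constructed sample inventory
        Cert("legacy.example", datetime(2025, 9, 1, tzinfo=UTC), datetime(2026, 10, 4, tzinfo=UTC)),
        Cert("short.example", datetime(2026, 4, 1, tzinfo=UTC), datetime(2026, 9, 28, tzinfo=UTC)),
    ]
    for c in portfolio:
        print(f"{c.subject:16} {status(c, now)}")
    for _, max_days in SCHEDULE:
        print(f"{max_days:3}-day limit: {renewals_per_year(len(portfolio), max_days)} renewals/year")
```

With 100 certificates, the projection moves from roughly 96 renewals a year under today's limit to over 1,100 under the 47-day limit, which is the arithmetic behind the claim that manual renewal stops being feasible.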
In this context, having a reliable technology partner with solid experience in similar implementations is key to ensuring the project’s success. Choosing a strategic partner that understands the complexity of the PKI ecosystem, has robust discovery and automation solutions, and can support integration with the organization’s internal systems can make the difference between an orderly transition and a scenario fraught with operational risks.
Ignoring this change is not an option. An expired certificate means the downtime of critical services, operational disruptions, loss of reputation, and potential regulatory sanctions in sensitive sectors such as finance and healthcare.
A necessary (and possible) change
Although this change may seem disruptive, it is also an opportunity to modernize digital identity management within organizations. The good news is that solutions exist, in both the public and private sectors, that allow organizations to prepare for these changes ahead of time.
The first step is to inform, the second is to diagnose, and the third is to automate.
This new paradigm challenges us to improve our processes and adopt more agile technologies. In the era of digital risk, trust is not static: it is built, renewed, and, above all, automated.
You can read a note on this topic on the DigiCert blog.
