TLS certificate lifetime will be officially reduced to 47 days

The CA/Browser Forum approved an amendment that will officially shorten the validity of TLS certificates to 47 days. This change will take effect in stages starting in March 2026.

September 19, 2025

The CA/Browser Forum has officially voted to modify the TLS Baseline Requirements to establish a timeline that shortens both the lifetime of TLS certificates and the period for which CA-validated information in certificates can be reused. The initial impact of the vote on users will occur in March 2026.

The ballot was extensively discussed in the CA/Browser Forum and went through several versions, incorporating comments from certification authorities and their clients. The voting period ended on April 11, 2025, closing a hotly contested chapter and allowing the certification industry to plan for the future.

The new TLS certificate lifespan schedule

The new ballot establishes a 47-day validity for certificates, making automation essential. Prior to this Apple proposal, Google had advocated for a maximum validity of 90 days, but it voted in favor of Apple’s proposal almost immediately after the voting period began.

Here is the schedule:

  • The maximum certificate lifetime is decreasing:

    • From today until March 15, 2026, the maximum lifespan of a TLS certificate is 398 days.

    • Starting March 15, 2026, the maximum lifetime of a TLS certificate will be 200 days.

    • Starting March 15, 2027, the maximum lifetime of a TLS certificate will be 100 days.

    • Starting March 15, 2029, the maximum lifetime of a TLS certificate will be 47 days.

The maximum period during which domain and IP address validation information can be reused is decreasing:

  • From now until March 15, 2026, the maximum period during which domain validation information can be reused is 398 days.

  • As of March 15, 2026, the maximum period for which domain validation information can be reused is 200 days.

  • Starting March 15, 2027, the maximum period for which domain validation information can be reused is 100 days.

  • Starting March 15, 2029, the maximum period during which domain validation information can be reused is 10 days.

As of March 15, 2026, Subject Identity Information (SII) validations can only be reused for 398 days, instead of 825. The SII refers to the company name and other information contained in an OV (Organization Validated) or EV (Extended Validation) certificate; that is, everything except the domain name or IP address protected by the certificate. This does not affect DV (Domain Validated) certificates, which do not have SII.

Why 47 days?

47 days may seem like an arbitrary number, but it’s a simple cascade:

  • 200 days = 6 maximal months (184 days) + 1/2 of a 30-day month (15 days) + 1 day of leeway

  • 100 days = 3 maximal months (92 days) + ~1/4 of a 30-day month (7 days) + 1 day of leeway

  • 47 days = 1 maximal month (31 days) + 1/2 of a 30-day month (15 days) + 1 day of leeway

Apple’s justification for the change

In the ballot, Apple presented numerous arguments in favor of these measures, one of which stands out. It argues that the CA/B Forum has been telling the world for years, by consistently reducing the maximum lifetime, that automation is essential for effective certificate lifecycle management.

The ballot argues that shorter lifetimes are necessary for many reasons, the most important of which is that the information contained in certificates becomes increasingly unreliable over time, a problem that can only be mitigated by frequently revalidating the information.

The ballot also argues that the revocation system using CRLs and OCSP is unreliable. In fact, browsers often ignore these features. The ballot includes an extensive section on the shortcomings of the certificate revocation system. A shorter lifetime mitigates the effects of using potentially revoked certificates. In 2023, the CA/B Forum took this philosophy to the next level by approving short-lived certificates, which expire in 7 days and do not require CRL or OCSP support.

Clearing up confusion about the new rules

There are two points about the new rules that are likely to cause confusion:

  • The three years for the rule changes are 2026, 2027, and 2029, so the gap between the last two changes (2027 and 2029) is two years rather than one.

  • Starting March 15, 2029, the maximum lifetime of a TLS certificate will be 47 days, but the maximum reuse period for domain validation information will be only 10 days. Manual revalidation will still be technically possible, but relying on it would be a recipe for failure and outages.
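To show what the schedule means for one hostname, the following added example (not code from DigiCert or the CA/Browser Forum) counts certificate issuances and fresh domain validations per year. It assumes the limits in force on the issuance date apply, that every certificate is requested at the maximum lifetime, and that renewal happens after two-thirds of that lifetime; the function names are illustrative.

```python
from datetime import date, timedelta

# (effective date, max certificate lifetime, max domain-validation reuse), in days,
# taken from the schedule listed in this article, newest phase first.
SCHEDULE = [
    (date(2029, 3, 15), 47, 10),
    (date(2027, 3, 15), 100, 100),
    (date(2026, 3, 15), 200, 200),
    (date.min, 398, 398),
]

def limits_on(issued):
    """Return (max_cert_days, max_dcv_reuse_days) for a certificate issued on `issued`."""
    for effective, cert_days, dcv_days in SCHEDULE:
        if issued >= effective:
            return cert_days, dcv_days

def simulate(start, end, renew_fraction=2 / 3):
    """Walk one hostname from `start` (inclusive) to `end` (exclusive).

    Assumed policy: request the maximum lifetime and renew once
    `renew_fraction` of it has elapsed.
    Returns {year: [issuances, fresh_domain_validations]}.
    """
    per_year = {}
    issued, last_dcv = start, None
    while issued < end:
        cert_days, dcv_days = limits_on(issued)
        counts = per_year.setdefault(issued.year, [0, 0])
        counts[0] += 1
        # Earlier validation evidence may be reused only while it is no older
        # than the reuse limit that applies on the issuance date.
        if last_dcv is None or (issued - last_dcv).days > dcv_days:
            last_dcv = issued
            counts[1] += 1
        issued += timedelta(days=int(cert_days * renew_fraction))
    return per_year

if __name__ == "__main__":
    for year, (certs, dcvs) in simulate(date(2026, 1, 1), date(2031, 1, 1)).items():
        print(f"{year}: {certs} issuances, {dcvs} domain validations")
```

Under the 100-day phase a validation can still cover two consecutive renewals, but once the 10-day reuse limit applies every renewal needs its own fresh domain validation.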

As a certificate authority, one of the most frequently asked questions we receive from our customers is whether they will be charged more for replacing certificates more frequently. The answer is no. The cost is based on an annual subscription, and we’ve found that once users adopt automation, they often voluntarily opt for faster certificate replacement cycles.

For this reason, and because even the 2027 changes to 100-day certificates will make manual procedures unsustainable, we expect rapid adoption of automation well before the 2029 changes.

Apple’s case for automated certificate lifecycle management is indisputable, and it is something we have been preparing for over a long time. DigiCert offers multiple automation solutions, including support for ACME. DigiCert’s ACME enables automation of DV, OV, and EV certificates, and includes support for ACME Renewal Information (ARI).

You can contact us for more information on how to get the most out of Discovery & Automation.

Source: DigiCert
