The 47-Day Certificate Countdown


The CA/Browser Forum recently took an official vote to amend the TLS Baseline Requirements, bringing certificate lifespans down to 47 days by 2029 through a series of gradual changes. This comes largely in response to a proposal from Apple, as well as an earlier, similar proposal from Google to lower the lifespan to 90 days. Pressure from major companies like these is what drives policy change of this magnitude. Certificate lifespan is a crucial factor in limiting the impact of key compromise, replacing mistakenly issued certificates, ensuring that certificate holders still control the domains they certify, and more. The upcoming change is a huge, historic step toward securing the internet and its encryption.

The Timeline: From 398 Days to 47

The current maximum lifespan of certificates is 398 days, or over 13 months, which leaves a long window in which a compromised or misissued certificate remains trusted. The agreed-upon plan will reduce the maximum lifespan to 200 days in 2026, 100 days in 2027, and 47 days in 2029. These numbers correspond roughly to 6-month, 3-month, and 1-month renewal cycles. At the end of this gradual change, organizations will be required to renew their certificates almost every month.

Decreasing at the same time is the maximum window for reusing domain and IP address validation information. Rather than going down from 100 to 47 days in 2029, however, these windows will decrease to 10 days. The reduced time in which certificates must be replaced will require organizations to make certain changes in order to achieve the greater security enabled by frequent certificate renewal.

The Security Argument

One of the main reasons for shortening certificate lifespans is improved security. A shorter validity period narrows the window in which a stolen or misused private key can be abused. Certificate information grows less trustworthy and less secure over time, which is why certificates need frequent revalidation.

If a threat actor manages to compromise a key, a shorter certificate lifespan reduces the opportunity for them to leverage it for nefarious acts. This reduces the effectiveness of man-in-the-middle attacks and long-lived exploits, cutting down on the amount of damage that can be done after a compromise. The shorter certificate lifespan also enables better incident response and revocation agility.

Automation or Bust

When certificate lifespans are reduced to 47 days, manually renewing them each time quickly becomes unsustainable. Part of Apple's proposal arguing in favor of this change pointed out that shorter lifespans will push organizations toward automating certificate lifecycle management where possible, as the CA/B Forum has long advocated. The shift to shorter lifespans incentivizes the adoption of the ACME protocol and API-first workflows that automate certificate renewal. Much as with DevOps and CI/CD maturity, it is crucial to automate and streamline these processes in order to reap the benefits of shorter lifespans without taking on onerous amounts of work.

Quantum Readiness and Crypto Agility

Another important factor in certificate lifespans is the need to foster cryptoagility and be prepared for the quantum era. “This pivotal and positive advancement for our industry underscores the importance of agility and proactive risk management in today’s threat landscape while preparing for the risks of the quantum era,” says Tim Callan, Chief Compliance Officer at Sectigo and Vice-Chair of the CA/Browser Forum.

The oncoming period of quantum-empowered computing will call for agile response and adaptable security tools, including certificate methods and requirements. Shorter-lived certificates enable quick adoption of post-quantum algorithms and greater flexibility in responding to evolving cryptographic standards. Certificate agility is a foundational pillar of quantum-safe security, and the upcoming shift will make it easier to adopt and adapt.

Industry Impact and Reactions

The shortening of maximum certificate lifespans is widely supported by industry leaders and major CAs, including Apple and Sectigo. This broad support will encourage organizations to proactively adopt the necessary policies and automation to achieve the desired result, fortifying industry-wide security against key compromise and enabling greater agility and adaptability moving forward.

Some enterprises, on the other hand, are concerned that the short certificate lifespans will be challenging to comply with while depending on legacy infrastructure with limited automation functionality. It is important for organizations to take steps early on to ensure the smooth implementation of the new lifespan requirements. Managed PKI vendors and certificate lifecycle platforms have an opportunity to help organizations with this struggle and ease the transition into shorter certificate lifespans.

Strategic Takeaways for Enterprises

It is vital for CISOs and IT leaders to act now to prepare for the time when they will be required to use shorter certificate lifespans. Waiting for the new requirement to take effect will leave an organization unprepared for the change and scrambling to catch up. It is important to inventory certificates and evaluate renewal workflows to understand what changes will be necessary to deal effectively with shorter certificate lifespans. Organizations benefit from investing in automation and preparing for more agile key management in advance rather than waiting for the changes to go into effect.
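As an added illustration of the inventory and renewal-workflow review recommended here, and of the phased schedule laid out in the timeline section, the following Python script audits a certificate inventory against the maximum lifetime and validation-reuse limits in force at each certificate's issuance and works out when each one should be renewed. This is example code, not code from the article or from the CA/Browser Forum; the 15 March phase start dates (the article gives only years), the sample inventory, and the renew-at-two-thirds-of-lifetime policy are assumptions.

```python
from datetime import date, timedelta

# Phased limits as the article describes them. The article gives only years; the
# 15 March start dates used here are an ASSUMPTION, not taken from the page.
# Tuples: (phase start, max certificate lifetime days, max validation-data reuse days)
SCHEDULE = [
    ("2026-03-15", 200, 200),
    ("2027-03-15", 100, 100),
    ("2029-03-15", 47, 10),
]
PRE_BALLOT_LIMITS = (398, 398)  # limits in force before the first phase

def limits_on(issue_date: str) -> tuple:
    """(max lifetime days, max validation-reuse days) for a cert issued on issue_date (ISO)."""
    issued = date.fromisoformat(issue_date)
    lifetime, reuse = PRE_BALLOT_LIMITS
    for start, max_lifetime, max_reuse in SCHEDULE:
        if issued >= date.fromisoformat(start):
            lifetime, reuse = max_lifetime, max_reuse
    return lifetime, reuse

def audit_certificate(cert: dict, today: str, renew_fraction: float = 2 / 3) -> dict:
    """Check one inventory entry (ISO dates: not_before, not_after, validated_on = when the
    reused domain validation data was collected) against the limits in force at issuance.
    renew_fraction is an assumed operational policy (renew at 2/3 of lifetime), not a ballot rule."""
    not_before = date.fromisoformat(cert["not_before"])
    lifetime = (date.fromisoformat(cert["not_after"]) - not_before).days
    reuse_age = (not_before - date.fromisoformat(cert["validated_on"])).days
    max_lifetime, max_reuse = limits_on(cert["not_before"])
    violations = []
    if lifetime > max_lifetime:
        violations.append(f"lifetime {lifetime}d exceeds {max_lifetime}d maximum")
    if reuse_age > max_reuse:
        violations.append(f"validation data {reuse_age}d old exceeds {max_reuse}d reuse window")
    renew_after = max(1, int(lifetime * renew_fraction))  # days after issuance to renew
    renew_by = not_before + timedelta(days=renew_after)
    return {
        "name": cert["name"],
        "lifetime_days": lifetime,
        "violations": violations,
        "renew_by": renew_by.isoformat(),
        "renewal_due": date.fromisoformat(today) >= renew_by,
        "renewals_per_year": round(365 / renew_after, 1),  # sizes the automation workload
    }

# Constructed sample inventory (not real certificates); run the audit over each entry.
INVENTORY = [
    {"name": "legacy-vpn", "not_before": "2026-04-01", "not_after": "2026-11-01", "validated_on": "2026-04-01"},
    {"name": "api-gw", "not_before": "2029-04-01", "not_after": "2029-05-15", "validated_on": "2029-03-01"},
]
REPORT = [audit_certificate(c, "2029-05-01") for c in INVENTORY]
```

Feeding real inventory data (for example, notBefore/notAfter pulled from a certificate scanner) into `INVENTORY` turns the same audit into a readiness check for each phase of the schedule.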

A New Rhythm for Digital Trust

While organizations may see the changing maximum certificate lifespan as an operational burden, the 47-day standard is actually a call to modernize certificate renewal systems. SSL/TLS lifecycles may be shrinking, but resilience is growing as organizations move to update their methods and prioritize automating certificate renewal. The future of secure web communication is short-lived, relying on decreasing certificate lifespans as a necessity for defending against emerging and evolving threats.

Author

PJ Bradley, Contributing Writer, Security Buzz. PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.