Major internet companies last week agreed to gradually reduce the maximum lifetime of TLS certificates over the next few years, with the goal of getting the cap down to 47 days by 2029.
Web browser makers such as Mozilla, Apple and Google announced in 2020 that the maximum lifespan of SSL/TLS certificates would be reduced from 825 days to 398 days in an effort to improve the security of HTTPS connections.
Members of the CA/Browser Forum, a consortium of certificate authorities (CAs) and software developers whose goal is to develop and implement certificate guidelines, largely voted ‘yes’ last week to the introduction of a new schedule for further reducing certificate lifespans.
As such, the maximum 398-day validity period will remain in place until March 15, 2026, when it will be reduced to 200 days. The maximum lifetime of TLS certificates will be further reduced to 100 days starting March 15, 2027, and to 47 days starting March 15, 2029. The cap that applies to a certificate is the one in force on the date it is issued.
Companies such as Google, Apple, Mozilla, Microsoft, Sectigo, GoDaddy, Amazon, DigiCert, SSL.com, and Entrust have agreed to this schedule. Some members of the CA/B Forum have abstained, but no one opposed the plan.
Shorter certificate lifespans improve the security of the internet: a compromised or mis-issued certificate expires on its own within weeks rather than more than a year later, which reduces reliance on revocation checking that browsers perform inconsistently. However, they bring challenges for organizations that require a large number of certificates, particularly ones that still renew certificates through manual processes.
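A practitioner reading the schedule above will want to know which of their existing certificates, and which renewal cadences, stop being compliant at each milestone. The following is an added example, not code from the article or from any CA/B Forum member; it encodes the dates and caps stated in the article, assumes the current 398-day cap has applied since September 1, 2020, parses dates in the format printed by `openssl x509 -dates`, and measures lifetime as the whole-day difference between notBefore and notAfter. The inventory it audits is constructed for the example.

```python
from __future__ import annotations

from datetime import date, datetime
from typing import List, NamedTuple, Optional, Union

# Phase-in schedule from the CA/B Forum ballot described in the article:
# (effective date, maximum validity in days). The start date of the
# existing 398-day cap is an assumption for this example.
MAX_VALIDITY_SCHEDULE = [
    (date(2020, 9, 1), 398),
    (date(2026, 3, 15), 200),
    (date(2027, 3, 15), 100),
    (date(2029, 3, 15), 47),
]

# Date format produced by `openssl x509 -noout -dates`, e.g.
# "notBefore=Apr 10 00:00:00 2025 GMT" (prefix stripped by the caller).
OPENSSL_TIME = "%b %d %H:%M:%S %Y %Z"


def max_validity_days(issued: Union[date, str]) -> int:
    """Maximum validity permitted for a certificate issued on `issued`.

    Accepts a date or an ISO-8601 string. The cap that applies is the
    last schedule entry whose effective date is on or before issuance.
    """
    if isinstance(issued, str):
        issued = date.fromisoformat(issued)
    cap = MAX_VALIDITY_SCHEDULE[0][1]
    for effective, days in MAX_VALIDITY_SCHEDULE:
        if issued >= effective:
            cap = days
    return cap


def parse_openssl_time(value: str) -> datetime:
    """Parse a notBefore/notAfter value as printed by openssl."""
    return datetime.strptime(value.strip(), OPENSSL_TIME)


class Finding(NamedTuple):
    name: str
    lifetime_days: int
    cap_days: int
    compliant: bool


def audit(inventory: dict) -> List[Finding]:
    """Check each (notBefore, notAfter) pair against the cap in force at issuance.

    Lifetime is notAfter minus notBefore in whole days (an assumption of
    this example; the Baseline Requirements count the period inclusively,
    so issuers keep notAfter slightly under the boundary).
    """
    findings = []
    for name, (not_before, not_after) in inventory.items():
        nb = parse_openssl_time(not_before)
        na = parse_openssl_time(not_after)
        lifetime = (na - nb).days
        cap = max_validity_days(nb.date())
        findings.append(Finding(name, lifetime, cap, lifetime <= cap))
    return findings


def cadence_breaks_on(renewal_cadence_days: int) -> Optional[date]:
    """First schedule date on which requesting `renewal_cadence_days` of
    validity exceeds the cap, or None if the cadence stays compliant."""
    for effective, days in MAX_VALIDITY_SCHEDULE:
        if renewal_cadence_days > days:
            return effective
    return None


# Constructed sample inventory (name -> (notBefore, notAfter) as openssl prints them).
SAMPLE_INVENTORY = {
    "www.example.test":    ("Apr 10 00:00:00 2025 GMT", "May 13 00:00:00 2026 GMT"),  # 398 days, issued under 398 cap
    "legacy.example.test": ("Mar 20 00:00:00 2026 GMT", "Apr 22 00:00:00 2027 GMT"),  # 398 days, issued under 200 cap
    "api.example.test":    ("Apr 01 00:00:00 2027 GMT", "Jun 30 00:00:00 2027 GMT"),  # 90 days, issued under 100 cap
    "edge.example.test":   ("Apr 01 00:00:00 2029 GMT", "May 30 00:00:00 2029 GMT"),  # 59 days, issued under 47 cap
}

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        status = "ok" if f.compliant else "EXCEEDS CAP"
        print(f"{f.name:22} lifetime={f.lifetime_days:3}d cap={f.cap_days:3}d {status}")
    for cadence in (365, 180, 90, 30):
        when = cadence_breaks_on(cadence)
        print(f"{cadence}-day renewal cadence breaks on: {when or 'never'}")
```

Run against real output by feeding each host's `openssl x509 -noout -dates` values into the inventory; the cadence check is the planning figure: an annual manual renewal stops working at the first milestone, a 180-day cadence at the second, and a 90-day cadence at the third.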
However, certificate issuers have been improving certificate management automation, and they believe this gradual reduction of TLS certificate lifespans will further drive its adoption.
Some certificate issuers also pointed out that customers should not be concerned about having to pay more if they need to replace certificates more often.
“Cost is based on an annual subscription, and what we’ve learned is that, once users adopt automation, they often voluntarily move to more rapid certificate replacement cycles,” DigiCert explained. “For this reason, and because even the 2027 changes to 100-day certificates will make manual procedures untenable, we expect rapid adoption of automation long before the 2029 changes.”
Related: New Issuance Requirements Improve HTTPS Certificate Validation
Related: Machine Identity Firm Venafi Readies for the 90-day Certificate Lifecycle
Related: DigiCert Revoking 83,000 Certificates of 6,800 Customers