New CA/Browser Forum Rules Cap TLS Server Certificate Lifespan at 47 Days

Wed 16th Apr, 2025

The maximum lifespan of the TLS server certificates that secure HTTPS and other TLS-protected services is about to shrink sharply. By March 2029 the longest permitted validity period will fall from today's 398 days to 47 days. The CA/Browser Forum approved the change by ballot, on a proposal put forward by Apple.

Browser vendors have long regarded year-long server certificates as a liability: once a certificate has been issued fraudulently or in error, or its private key has leaked, revocation is the only remedy, and the existing revocation mechanisms, OCSP and CRLs, have not scaled well and clients typically fail open when a revocation check cannot be completed. A short lifetime bounds the exposure window without depending on revocation. Apple put the proposal forward in late 2024 and gathered the support of other CA/Browser Forum members, after Google had floated a 90-day maximum in 2023 without bringing it to a vote.

The CA/Browser Forum brings together browser developers and Certificate Authorities (CAs) to agree on how certificates are issued and managed. Its main concern is the Web PKI that underpins HTTPS, though it also maintains requirements for other certificate types such as S/MIME and code signing. Its Baseline Requirements set the bar that a CA must meet for its certificates to be accepted by browsers, and browser root programs have removed CAs whose practices fell short of them.

Alongside the shorter lifetimes, the ballot also shortens how long a CA may reuse the results of earlier validation when issuing or renewing a certificate. Today the evidence that an applicant controls a domain, for example a completed ACME challenge, may be reused for up to 398 days, and organisation identity documents for even longer. Domain validation reuse will be cut in step with certificate validity, to 200 days, then 100 days, and finally 10 days in 2029, so that for a 47-day certificate control of the domain is in practice re-proven at every renewal; reuse of organisation identity information will be capped at 398 days.

Fortunately for server administrators, the shorter lifespan does not take effect immediately. The change is phased in through several intermediate steps, each applying to certificates issued on or after the given date:

  • From March 15, 2026, the maximum validity period drops to 200 days.
  • From March 15, 2027, it is halved again to 100 days.
  • From March 15, 2029, no server certificate may be valid for more than 47 days, so every certificate must be renewed at least that often. The figure was chosen as a maximal month (31 days) plus half a month (15 days) of renewal slack plus one day of margin.
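To see what this schedule means for an actual certificate, the following Python is an added example, not code from the article or from the CA/Browser Forum. It parses the date lines printed by `openssl x509 -noout -dates`, computes the validity period the way the Baseline Requirements count it (notBefore through notAfter inclusive, so one second is added, with any partial day rounded up to a whole day), and compares that with the maximum in force on the certificate's notBefore date. The schedule tuple, the `parse_openssl_date`, `validity_days`, `limits_for` and `check_certificate` names, and the sample date lines are all constructed for this example; treating notBefore as the issuance time is an approximation, since CAs may backdate it slightly.

```python
"""Audit a TLS certificate's validity period against the SC-081 schedule."""
from datetime import datetime, timezone

UTC = timezone.utc
DAY_SECONDS = 86_400

# Limits in force before the first step of the schedule (today's rules).
CURRENT_MAX_VALIDITY_DAYS = 398
CURRENT_MAX_DCV_REUSE_DAYS = 398

# (effective date, max validity in days, max domain-validation reuse in days);
# each row applies to certificates issued on or after its effective date.
SCHEDULE = (
    (datetime(2026, 3, 15, tzinfo=UTC), 200, 200),
    (datetime(2027, 3, 15, tzinfo=UTC), 100, 100),
    (datetime(2029, 3, 15, tzinfo=UTC), 47, 10),
)


def parse_openssl_date(line):
    """Parse a date as printed by `openssl x509 -noout -dates`,
    e.g. 'notAfter=Jun  2 23:59:59 2025 GMT' (the 'name=' prefix is optional)."""
    value = line.split("=", 1)[-1].strip()
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=UTC)


def validity_days(not_before, not_after):
    """Validity period as the Baseline Requirements count it: notBefore through
    notAfter inclusive (RFC 5280), hence the extra second, measured in
    86,400-second days with any remainder counting as one more full day."""
    seconds = (not_after - not_before).total_seconds() + 1
    days, remainder = divmod(seconds, DAY_SECONDS)
    return int(days) + (1 if remainder > 0 else 0)


def limits_for(issued_at):
    """Return (max validity, max DCV reuse) in days for a certificate issued at `issued_at`."""
    validity, reuse = CURRENT_MAX_VALIDITY_DAYS, CURRENT_MAX_DCV_REUSE_DAYS
    for effective, max_validity, max_reuse in SCHEDULE:
        if issued_at >= effective:
            validity, reuse = max_validity, max_reuse
    return validity, reuse


def check_certificate(not_before_line, not_after_line):
    """Compare a certificate's validity with the maximum allowed on its issue date.
    notBefore stands in for the issuance time here (an approximation: CAs may
    backdate it by a few minutes, which matters right around a step date)."""
    not_before = parse_openssl_date(not_before_line)
    not_after = parse_openssl_date(not_after_line)
    days = validity_days(not_before, not_after)
    max_validity, max_reuse = limits_for(not_before)
    return {
        "validity_days": days,
        "max_validity_days": max_validity,
        "max_dcv_reuse_days": max_reuse,
        "compliant": days <= max_validity,
    }


if __name__ == "__main__":
    # Constructed sample `openssl x509 -noout -dates` output, not real certificates.
    samples = {
        "today, 398 days": ("notBefore=Apr 16 00:00:00 2025 GMT", "notAfter=May 18 23:59:59 2026 GMT"),
        "2029, 47 days": ("notBefore=Mar 15 00:00:00 2029 GMT", "notAfter=Apr 30 23:59:59 2029 GMT"),
        "2029, 47 days + 1 s": ("notBefore=Mar 15 00:00:00 2029 GMT", "notAfter=May  1 00:00:00 2029 GMT"),
    }
    for label, (nb, na) in samples.items():
        print(label, check_certificate(nb, na))
```

The third sample shows the pitfall the inclusive definition creates: a certificate whose notAfter is exactly 47 times 86,400 seconds after its notBefore counts as 48 days and fails the check, so a compliant 47-day certificate must end at 23:59:59 on the 47th day, not at 00:00:00 on the 48th.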

The voting outcome within the CA/Browser Forum was overwhelmingly in favor of the change, with 29 votes for and none against, while five CAs abstained.

Let's Encrypt, the largest CA by number of certificates issued, is already ahead of the schedule. It has never issued certificates valid for longer than 90 days, and it is introducing an option for clients to request certificates valid for just six days. As of April 2025 it had more than 500 million valid certificates outstanding, far more than the next largest CA, Sectigo.
