Earlier this month, the Certification Authority(CA)/Browser Forum voted to significantly shorten the lifetime of TLS certificates: from 398 days currently to 47 days by March 15, 2029.
The CA/Browser Forum is a collective of certificate issuers, browsers, and other applications that use certificates, and they’ve long been discussing the potential for shorter certificate lifetimes.
As a result of this vote to change the TLS certificate lifetime, the lifetimes will gradually shorten over the next 5 years. Starting March 15, 2026, the maximum lifetime will be 200 days, and then a year after that it will drop down to 100 days. Two years following that deadline, certificate lifetimes will hit the new limit of 47 days on March 15, 2029.
Additionally, starting March 15, 2029, the maximum period that domain validation information can be reused will be 10 days. Otherwise, it will follow the same schedule as the certificate lifetimes (398 days currently, 200 days after March 15, 2026, and 100 days after March 15, 2027).
Dean Coclin, senior director of Industry Strategy at DigiCert, joined us on our podcast this week to discuss the vote and the changes, and he said that one of the main drivers behind this change is to make the internet safer. Currently, there are two types of certificate revocation processes that are used.
One is the certificate revocation list (CRL), which is a static list of revoked certificates that needs to be frequently checked manually.
The other is the Online Certificate Status Protocol (OCSP), where the browser checks back with the CA’s certificate status list to see if the certificate is good.
“Each of those technologies has some drawbacks,” Coclin said. “For example, CRL can become very, very large and can slow down your web browsing. And the second one, OCSP, has some sort of privacy implications because every time your browser makes a request to the certificate authority to check the status of a certificate, some information is leaked, like where that IP address is coming from that’s checking that website, and what is the website that’s being checked.”
Because neither solution is ideal, there became interest in shortening the validity period of certificates to reduce the amount of time a bad certificate could be in use.
Google had initially proposed a 90 day certificate lifetime, and then last year Apple proposed going even shorter to 47 days, which is ultimately the decision that was passed.
According to Coclin, automation will be key to keeping up with shorter lifetimes, and part of the reason this change is so gradual is to give people time to put those systems in place and adjust.
“The days of being able to keep an eye on certificate expirations with a calendar reminder or a spreadsheet are really going to be over. Now you’re going to have to automate the renewal of these certificates, otherwise, you’re going to face an outage, which can be devastating,” he said.
There are several technologies out there already that help with this automation, such as the ACME protocol, which automates the verification and issuance of certificates. It was created by the Internet Security Research Group and published as an open standard by the Internet Engineering Task Force (IETF).
Certificate issuers also offer their own tools that can help automate the process, such as DigiCert’s Trust Lifecycle Manager.
Coclin believes that once automation is in place, it’s possible that in the future, the certificate lifetimes may decrease further, potentially even to 10 days or less.
“That’s only going to be possible when the community at large adopts automation,” he said. “So I think this ballot, the purpose of this was to encourage users to start getting automation under their belts, making sure that websites do not have outages, because automation will avoid that, and getting ready for a possible even shorter validity time frame to make the likelihood of a revoked certificate being active less likely.”