
Vendors vote to radically slash website certificate duration

News | Apr 11, 2025 | 5 min read
Topics: Browsers, IT Operations, Internet Security

Members of the CA/Browser Forum have voted to slash cert lifespans from the current one year to 47 days, placing an added burden on enterprise IT staff who must ensure they are updated.

[Image: URL HTTP Web Address. Credit: Ruslan Khismatov / Shutterstock]

In a move that will likely force IT to much more aggressively use web certificate automation services, the Certification Authority Browser Forum (CA/Browser Forum), a gathering of certificate issuers and suppliers of applications that use certificates, voted Friday to radically slash the lifespan of the certificates that verify the ownership of sites. The approved changes, which passed overwhelmingly, will be phased in gradually through March 2029, when the certs will only last 47 days.

Website certificates, also known as SSL/TLS certificates, are issued by trusted certification authorities (CAs) and use public-key cryptography to authenticate websites to web browsers.

This controversial change has been debated extensively for more than a year. The group’s argument is that this will improve web security in various ways, but some have argued that the group’s members have a strong alternative incentive, as they will be the ones earning more money due to this acceleration.

“This is fully what we were expecting,” said Jon Nelson, a principal advisory director at Info-Tech Research Group. “[But] I do question the motives of the group. They are doing this under the auspices of reducing risk, but I question if that is the real reason. Do the people making up this group have a conflict of interest in that this move could generate additional revenue for their companies?”

Although the group voted overwhelmingly to approve the change, with zero “No” votes, not every member agreed with the decision; five members abstained.

Tim Callan, the chief compliance officer at Sectigo and vice chair of the CA/Browser Forum, said that one of the certificate authority (CA) members who abstained, whom he declined to identify, wrote a note to the group. Callan said it read, “we have mixed feelings about this. We are in favor in principle. However, we are unconvinced that the most restrictive terms are necessary, to go all of the way down to 47 days.”

Callan said that he personally applauds the changes. “I am thrilled for a couple of reasons. Shortening certificate lifespans is a good trend. It is the right direction for things to go.”

The changes, which were primarily pushed by Apple, have two separate elements. The first is the length of time after a user proves valid control over their domain, known as Domain Control Validation (DCV), during which they are permitted to order or renew a certificate without re-validation. The second is how long the actual Transport Layer Security (TLS) certificate is valid.

In roughly one year, on March 15, 2026, the “maximum TLS certificate lifespan shrinks to 200 days. This accommodates a six-month renewal cadence. The DCV reuse period reduces to 200 days,” according to the passed ballot.

The next year, on March 15, 2027, the “maximum TLS certificate lifespan shrinks to 100 days. This accommodates a three-month renewal cadence. The DCV reuse period reduces to 100 days.”

And on March 15, 2029, “maximum TLS certificate lifespan shrinks to 47 days. This accommodates a one-month renewal cadence. The DCV reuse period reduces to 10 days.”

And given the technical nature of the member company representatives, they opted to define what they mean by a day.

But they didn’t define it as 24 hours. They took no chances: “For the purpose of calculations, a day is measured as 86,400 seconds. Any amount of time greater than this, including fractional seconds and/or leap seconds, shall represent an additional day. For this reason, Subscriber Certificates should not be issued for the maximum permissible time by default, in order to account for such adjustments.”
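The phase-in schedule and the day-counting rule quoted above are mechanical enough to check in code. The following Python is an added example written for this article, not text from the ballot or tooling from the CA/Browser Forum. It encodes the three phases exactly as quoted, counts days the way the ballot does (86,400 seconds per day, with any excess rounding up to a whole extra day), and checks a certificate's notBefore/notAfter against the limit in force on its issuance date. Two things are assumptions rather than article content: the pre-phase limit of 398 days is the present Baseline Requirements maximum that the article rounds to "one year", and the one-day safety margin in `safe_not_after` is this example's own choice, following the ballot's advice not to issue for the maximum by default.

```python
"""Check a TLS certificate's validity period against the phased CA/Browser Forum limits."""
from datetime import datetime, timedelta, timezone
from typing import Union

# The ballot's definition of a day.
DAY = timedelta(seconds=86_400)

# Phase-in schedule as quoted in the article:
# (effective date, max certificate lifespan in days, max DCV reuse in days)
SCHEDULE = [
    (datetime(2026, 3, 15, tzinfo=timezone.utc), 200, 200),
    (datetime(2027, 3, 15, tzinfo=timezone.utc), 100, 100),
    (datetime(2029, 3, 15, tzinfo=timezone.utc), 47, 10),
]
# Limits in force before the first phase (assumption, not from the article):
# 398 days for both, the present Baseline Requirements maximum.
PRE_PHASE_LIMITS = (398, 398)

DateLike = Union[str, datetime]


def _as_utc(value: DateLike) -> datetime:
    """Accept an aware datetime or an ISO 8601 string such as '2026-03-15T00:00:00+00:00'."""
    if isinstance(value, str):
        value = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if value.tzinfo is None:
        raise ValueError("notBefore/notAfter must carry a timezone")
    return value.astimezone(timezone.utc)


def ballot_days(validity: timedelta) -> int:
    """Count days the way the ballot does: 86,400 s is one day, and any excess,
    however small (a fractional second, a leap second), is a whole extra day."""
    days = validity // DAY
    if validity % DAY > timedelta(0):
        days += 1
    return days


def limits_for(issuance: DateLike) -> tuple:
    """Return (max lifespan days, max DCV reuse days) for a certificate issued at `issuance`."""
    when = _as_utc(issuance)
    limits = PRE_PHASE_LIMITS
    for effective, cert_max, dcv_max in SCHEDULE:
        if when >= effective:
            limits = (cert_max, dcv_max)
    return limits


def check_validity(not_before: DateLike, not_after: DateLike, leap_seconds: int = 0) -> dict:
    """Compare a certificate's validity window with the lifespan limit at issuance.

    Python's datetime cannot represent 23:59:60, so leap seconds inserted inside
    the window are not visible in notAfter - notBefore; the caller passes their
    count in `leap_seconds` and they are added before the day count.
    """
    start, end = _as_utc(not_before), _as_utc(not_after)
    validity = (end - start) + timedelta(seconds=leap_seconds)
    days = ballot_days(validity)
    cert_max, _ = limits_for(start)
    return {"days": days, "max_days": cert_max, "compliant": days <= cert_max}


def safe_not_after(not_before: DateLike, margin: timedelta = DAY) -> datetime:
    """Latest notAfter that still passes even if a leap or fractional second lands
    in the window. The one-day margin is this example's choice (assumption)."""
    start = _as_utc(not_before)
    cert_max, _ = limits_for(start)
    return start + cert_max * DAY - margin


if __name__ == "__main__":
    # Constructed sample: a certificate issued on the day the 200-day phase takes effect.
    print(check_validity("2026-03-15T00:00:00+00:00", "2026-10-01T00:00:00+00:00"))
    # Same certificate, one microsecond longer: the ballot counts it as 201 days.
    print(check_validity("2026-03-15T00:00:00+00:00", "2026-10-01T00:00:00.000001+00:00"))
    print(safe_not_after("2026-03-15T00:00:00+00:00").isoformat())
```

The notBefore and notAfter strings can be taken from whatever inventory or certificate-parsing tool an IT team already uses; the point of the example is that a validity period one microsecond over the limit, or one that straddles a leap second, fails the ballot's arithmetic, which is exactly why the text advises against issuing for the maximum by default.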

The passed document also included a preamble written by Apple, which tried to explain the rationale for the change.

In that letter, Apple said the gradual phasing in of the changes was intended to allow for discovery of unanticipated issues and to specifically allow for time to make adjustments. But its actual phrasing was pure Cupertino: “In order to shift more unknown unknowns towards known unknowns and known knowns over time, it is useful to ensure broad awareness prior to changes taking effect.”

The core argument from Apple was that today’s longer durations give far too much time for bad things to happen.

“Certificates are representations of a point in time state of reality. That is, at the point of certificate issuance, all data certified therein is correct and the process followed for that certification is accurately documented for that point in time,” Apple wrote. “The more time passes from that moment of issuance, the more likely it becomes that data represented in the certificate diverge from reality. Thus, a reduction to both certificate lifetimes and data reuse periods increases the average net reliability of certificates.”

But, Apple continued, CAs do not always do their job perfectly.

“At times, CAs do not issue certificates in accordance with the policies, requirements, or specifications that govern such issuance,” Apple said. “Requiring more frequent validation of information used in the issuance of certificates and lowering the maximum validity period of certificates reduces the risk of improper validation, the scope of improper validation perpetuation, and the opportunities for misissued certificates to negatively impact the ecosystem and its relying parties.”

Apple added that the shorter certificate lifespans also allow the industry to more effectively react to changes in cryptography.

Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for CBSNews.com, RetailWeek, Computerworld, and eWeek, and his byline has appeared in titles ranging from BusinessWeek, VentureBeat, and Fortune to The New York Times, USA Today, Reuters, The Philadelphia Inquirer, The Baltimore Sun, The Detroit News, and The Atlanta Journal-Constitution. Evan is a frequent contributor to CIO, CSO, Network World and InfoWorld.

Evan won a gold 2025 AZBEE award in the Enterprise News category for this story: Design flaw has Microsoft Authenticator overwriting MFA accounts, locking users out

He can be reached at eschuman@thecontentfirm.com and he can be followed on LinkedIn.
