Certificate Management 03-27-2025

47 Days: The New Certificate Lifetime Proposed by Apple

Dean Coclin

In August 2024, Apple proposed changes to the Baseline Requirements for TLS Server Certificates of the Server Certificate Working Group of the CA/Browser Forum. The proposal outlines a schedule for radically shortening both the lifetime of TLS certificates and the permissible reuse period for validations of the information contained within them.

Proposals like these are known as “ballots,” and this one has prompted a lot of discussion since it was introduced. The ballot may evolve as debate continues, but here’s what we know so far.

What the proposal entails

The changes proposed by Apple would be phased in gradually over the coming years, reducing both certificate lifespans and validation reuse periods. Here’s how the changes break down.

TLS certificate lifetime reductions

The current maximum lifetime of a TLS certificate is 398 days.

  • As of March 15, 2026: The lifetime SHOULD NOT exceed 199 days and MUST NOT exceed 200 days.
  • As of March 15, 2027: The lifetime SHOULD NOT exceed 99 days and MUST NOT exceed 100 days.
  • As of March 15, 2029: The lifetime SHOULD NOT exceed 46 days and MUST NOT exceed 47 days.

Validation reuse limits

Validation reuse refers to how long information used to issue certificates, including organizational identity and domain ownership, can be considered valid.

  • Subject identity information (OV and EV certificates)

    • Currently: Validation reuse is allowed for up to 825 days.
    • As of March 15, 2026: The maximum reuse period drops to 398 days.

This affects Organization Validated (OV) and Extended Validation (EV) certificates, where organizational details must be revalidated more frequently.

  • Domain name and IP address validation

    • Currently: Reuse is permitted for up to 398 days.
    • As of March 15, 2026: Reuse MUST NOT exceed 200 days.
    • As of March 15, 2027: Reuse MUST NOT exceed 100 days.
    • As of March 15, 2029: Reuse MUST NOT exceed 10 days.
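
The lifetime and domain/IP reuse schedules above can be turned into an inventory check. The following Python example is an addition to this article, not DigiCert or CA/Browser Forum code, and the inventory in it is constructed sample data. It assumes the limits apply by issuance date (notBefore), that the validity period includes the notAfter second, and that a day is 86,400 seconds with any fraction counting as a further day.

```python
from datetime import datetime, timedelta, timezone

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Rows: (effective date, SHOULD max days, MUST max days, domain/IP reuse max days),
# from the proposed schedule in this article. The first row is the current 398-day
# limit; the article gives no separate SHOULD value for it, so MUST is reused.
SCHEDULE = [
    (utc(1970, 1, 1), 398, 398, 398),
    (utc(2026, 3, 15), 199, 200, 200),
    (utc(2027, 3, 15), 99, 100, 100),
    (utc(2029, 3, 15), 46, 47, 10),
]

def limits_for(issued):
    """Schedule row in force at issuance (assumption: limits are keyed on notBefore)."""
    return [row for row in SCHEDULE if row[0] <= issued][-1]

def whole_days(delta, inclusive=False):
    """Days in a timedelta; any fraction counts as one more day (assumption)."""
    seconds = int(delta.total_seconds()) + (1 if inclusive else 0)
    return -(-seconds // 86400)  # integer ceiling division

def audit(not_before, not_after, domain_validated):
    """Return (severity, message) findings for one certificate."""
    _, should_max, must_max, reuse_max = limits_for(not_before)
    findings = []
    lifetime = whole_days(not_after - not_before, inclusive=True)
    if lifetime > must_max:
        findings.append(("MUST", f"lifetime {lifetime}d exceeds {must_max}d"))
    elif lifetime > should_max:
        findings.append(("SHOULD", f"lifetime {lifetime}d exceeds {should_max}d"))
    age = whole_days(not_before - domain_validated)
    if age > reuse_max:
        findings.append(("MUST", f"domain validation {age}d old, limit {reuse_max}d"))
    return findings

SEC = timedelta(seconds=1)
# Constructed inventory: name -> (notBefore, notAfter, domain validation date).
INVENTORY = {
    "today-398d": (utc(2025, 6, 1), utc(2025, 6, 1) + timedelta(398) - SEC, utc(2025, 5, 1)),
    "2026-off-by-1s": (utc(2026, 4, 1), utc(2026, 4, 1) + timedelta(200), utc(2026, 3, 20)),
    "2026-at-limit": (utc(2026, 4, 1), utc(2026, 4, 1) + timedelta(200) - SEC, utc(2026, 3, 20)),
    "2029-stale-validation": (utc(2029, 4, 1), utc(2029, 4, 1) + timedelta(46) - SEC, utc(2029, 3, 15)),
}

if __name__ == "__main__":
    for name, cert in INVENTORY.items():
        print(name, audit(*cert) or "ok")
```

The second entry shows why certificate profiles should set notAfter one second short of the day count: a notAfter exactly 200 days after notBefore counts as 201 days under the inclusive rule assumed here.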

What this means for certificate owners

The message to certificate owners is clear: Start automating your certificate lifecycle management now. As these new timeframes come into effect, manual processes will be unsustainable—and they’re almost certain to lead to outages.

To stay ahead, your organization should prioritize automating:

  • Certificate requests
  • Validation of Subject Alternative Names (typically domain names)
  • Installation of certificates to ensure availability to dependent systems

The DigiCert ONE platform offers all these capabilities out of the box and supports the ACME protocol to streamline automation, even in complex environments.

DigiCert® Trust Lifecycle Manager offers real-time insights into certificate usage, expiration timelines, and CA distribution, helping you manage digital trust at scale.

The time to prepare is now

One of the most dramatic changes included in the Apple ballot is the drop in maximum reuse of DNS and IP validations. While the proposed certificate lifetime will drop to 47 days by 2029, the reuse of the DNS/IP validations will be capped at just ten days—a much tighter window.

2029 might sound far away, but these changes require major shifts in how organizations manage certificates. Now’s the time to begin automating all aspects of certificate lifecycle management so your organization can be prepared.

If this ballot passes, these shortened timelines will become mandatory for DigiCert and all other public certificate authorities (CAs). But we’re here to help—reach out now to get started with a solution tailored to your needs.
