TLS Certificate Lifetimes Will Officially Reduce to 47 Days

The CA/Browser Forum has officially voted to amend the TLS Baseline Requirements to set a schedule for shortening both the lifetime of TLS certificates and the reusability of CA-validated information in certificates. The first user impacts of the ballot take place in March 2026.

The ballot was long debated in the CA/Browser Forum and went through several versions, incorporating feedback from certificate authorities and their customers. The voting period ended on April 11, 2025, closing one hotly contested chapter and allowing the certificate world to plan for what comes next.

The new TLS certificate lifetime schedule

The new ballot targets certificate validity of 47 days, making automation essential. Prior to this proposal by Apple, Google promoted a 90-day maximum lifetime, but they voted in favor of Apple’s proposal almost immediately after the voting period began.

Here’s the schedule:

• The maximum certificate lifetime is going down:

  • From today until March 15, 2026, the maximum lifetime for a TLS certificate is 398 days.
  • As of March 15, 2026, the maximum lifetime for a TLS certificate will be 200 days.
  • As of March 15, 2027, the maximum lifetime for a TLS certificate will be 100 days.
  • As of March 15, 2029, the maximum lifetime for a TLS certificate will be 47 days.

   

• The maximum period during which domain and IP address validation information may be reused is going down:

  • From today until March 15, 2026, the maximum period during which domain validation information may be reused is 398 days.
  • As of March 15, 2026, the maximum period during which domain validation information may be reused is 200 days.
  • As of March 15, 2027, the maximum period during which domain validation information may be reused is 100 days.
  • As of March 15, 2029, the maximum period during which domain validation information may be reused is 10 days.

• As of March 15, 2026, validations of Subject Identity Information (SII) can only be reused for 398 days, down from 825. SII is the company name and other information found in an OV (Organization Validated) or EV (Extended Validation) certificate, i.e., everything but the domain name or IP address protected by the certificate. This does not affect DV (Domain Validated) certificates, which have no SII.

   

Why 47 Days?

47 days might seem like an arbitrary number, but it’s a simple cascade:

• 200 days = 6 maximal month (184 days) + 1/2 30-day month (15 days) + 1 day wiggle room
• 100 days = 3 maximal month (92 days) + ~1/4 30-day month (7 days) + 1 day wiggle room
• 47 days = 1 maximal month (31 days) + 1/2 30-day month (15 days) + 1 day wiggle room

Apple’s justification for the change

In the ballot, Apple makes many arguments in favor of the moves, one of which is most worth calling out. They state that the CA/B Forum has been telling the world for years, by steadily shortening maximum lifetimes, that automation is essentially mandatory for effective certificate lifecycle management.

The ballot argues that shorter lifetimes are necessary for many reasons, the most prominent being this: The information in certificates is becoming steadily less trustworthy over time, a problem that can only be mitigated by frequently revalidating the information.

The ballot also argues that the revocation system using CRLs and OCSP is unreliable. Indeed, browsers often ignore these features. The ballot has a long section on the failings of the certificate revocation system. Shorter lifetimes mitigate the effects of using potentially revoked certificates. In 2023, CA/B Forum took this philosophy to another level by approving short-lived certificates, which expire within 7 days, and which do not require CRL or OCSP support.

Clearing up confusion about the new rules

Two points about the new rules are likely to cause confusion:

1. The three years for the rule changes are 2026, 2027, and 2029, but the gap between the second set of years is two years long.
2. As of March 15, 2029, the maximum lifetime for a TLS certificate will be 47 days, but the maximum period during which domain validation information may be reused is only 10 days. Manual revalidation will still technically be possible, but doing so would be a recipe for failure and outages.

As a certificate authority, one of the most common questions we hear from customers is whether they’ll be charged more to replace certificates more frequently. The answer is no. Cost is based on an annual subscription, and what we’ve learned is that, once users adopt automation, they often voluntarily move to more rapid certificate replacement cycles.

For this reason, and because even the 2027 changes to 100-day certificates will make manual procedures untenable, we expect rapid adoption of automation long before the 2029 changes.

Apple’s statement about automated certificate lifecycle management is indisputable, but it’s something we’ve been long preparing for. DigiCert offers multiple automation solutions through Trust Lifecycle Manager and CertCentral, including support for ACME. DigiCert’s ACME allows automation of DV, OV, and EV certificates and includes support for ACME Renewal Information (ARI).

Get in touch for more information on how you can make the best use of automation.

The latest developments in digital trust

Want to learn more about topics like certificate management, automation, and TLS/SSL? Subscribe to the DigiCert blog to ensure you never miss a story.