47 days: CAs, browser manufacturers decide on shorter duration for certificates

The current maximum validity of thirteen months (398 days) will be cut to roughly one and a half months (47 days), with a transition period of several years for admins.


Visualizing the Web PKI and the CA/Browser Forum in a pleasing way is quite difficult, even for an AI.

(Image: created with Grok for heise security / editing: cku)


The maximum lifetime of digital certificates for TLS-encrypted connections to web and other servers will be cut drastically. From 2029, such certificates will be valid for at most 47 days instead of the current 398. The CA/Browser Forum decided this in a vote on a proposal from Apple.

Browser manufacturers in particular have long had problems with the usual lifetimes of server certificates. One thorn in their side is that there is no reliable way to get a fraudulent or mis-issued certificate out of circulation before it expires: the existing revocation mechanisms (OCSP and CRLs) scale poorly, and many clients do not check them at all. Apple therefore put forward its proposal at the end of 2024 and secured the support of other members of the CA/Browser Forum. A similar push by Google in 2023 had not succeeded.

At the CA/Browser Forum (CA/B), the name says it all: browser manufacturers and certificate authorities (CAs) jointly set the rules for the proper issuing and handling of certificates in this association. The CA/B mainly deals with the web PKI (i.e. the certificates that provide the "s" in "https"), but also has working groups for S/MIME and other PKI applications that are further removed from browsers. Its Baseline Requirements determine what a CA must do to remain in the browsers' root stores; CAs that stand out through sloppy verification or insecure issuing practices are thrown out.

The CA/B is also tightening the verification that precedes issuing or renewing a certificate. Until now, the evidence gathered for a domain, such as a completed ACME challenge, could be reused for more than a year for re-issues and renewals; this reuse period is being reduced step by step to just ten days by 2029. (Evidence of organizational identity for OV and EV certificates, such as company documents, is subject to a separate, longer reuse limit.) In practice, this means that domain control will have to be demonstrated to the CA afresh for practically every new certificate. Good news only for those who have fully automated this process by 2029.


Web server admins can breathe a sigh of relief for the time being. The shortened validity period will not take effect immediately, but over a period of years with several intermediate steps:

  1. From March 15, 2026, the maximum lifetime will be reduced to 200 days,
  2. from March 15, 2027, it will be halved to 100 days, and
  3. two years after that, from March 15, 2029, server certificates will have to be renewed after at most 47 days.
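A practical check for admins: does a given certificate fit under the cap in force on its issuance date, and when does it have to be renewed? The following Python script is an added example for this article, not code from the CA/Browser Forum or any CA. It takes the two lines that `openssl x509 -noout -dates` prints, looks up the validity cap and the domain-validation reuse limit that apply on the notBefore date, and derives a renewal deadline. The phase-in dates and validity caps are those from the list above; the intermediate reuse limits of 200 and 100 days are the ballot's figures as I know them, while the article only names the final ten-day value. The sample `openssl` output is constructed for the example, and the inclusive counting of the validity period (from notBefore through notAfter) follows the Baseline Requirements' definition, which makes a lifetime of exactly N*86400 seconds one second too long for an N-day cap.

```python
from datetime import datetime, timedelta, timezone

# Phase-in schedule decided by the CA/Browser Forum. Each entry:
# (effective date, max certificate validity in days,
#  max reuse of domain-validation evidence in days).
# The 200- and 100-day reuse limits for 2026/2027 are the ballot's values
# as assumed here; the article only names the final ten-day limit.
SCHEDULE = [
    (datetime(2026, 3, 15, tzinfo=timezone.utc), 200, 200),
    (datetime(2027, 3, 15, tzinfo=timezone.utc), 100, 100),
    (datetime(2029, 3, 15, tzinfo=timezone.utc), 47, 10),
]
# Limits in force before the first step of the schedule.
CURRENT_MAX_VALIDITY_DAYS = 398
CURRENT_MAX_DCV_REUSE_DAYS = 398


def limits_on(issued_on):
    """Return (max_validity_days, max_dcv_reuse_days) for a certificate
    issued at the given timezone-aware UTC datetime."""
    validity, reuse = CURRENT_MAX_VALIDITY_DAYS, CURRENT_MAX_DCV_REUSE_DAYS
    for effective, max_validity, max_reuse in SCHEDULE:
        if issued_on >= effective:
            validity, reuse = max_validity, max_reuse
    return validity, reuse


def parse_openssl_dates(text):
    """Parse the output of `openssl x509 -noout -dates`, e.g.
    'notBefore=Mar 20 12:00:00 2026 GMT', into two UTC datetimes."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        # openssl pads single-digit days with a space ("Oct  6"), which
        # strptime's %d accepts.
        parsed = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")
        fields[key.strip()] = parsed.replace(tzinfo=timezone.utc)
    return fields["notBefore"], fields["notAfter"]


def check_certificate(not_before, not_after):
    """Check a certificate's lifetime against the cap in force on its
    issuance date and compute a renewal deadline.

    The Baseline Requirements count the validity period inclusively,
    from notBefore through notAfter, so the lifetime is the difference
    plus one second. A cap of N days therefore allows at most
    notAfter = notBefore + N days - 1 second."""
    max_days, max_reuse = limits_on(not_before)
    lifetime = (not_after - not_before) + timedelta(seconds=1)
    compliant = lifetime <= timedelta(days=max_days)
    # Renew after two thirds of the lifetime, the convention certbot uses
    # for 90-day certificates (renewal after 60 days), so that an
    # automation failure still leaves a third of the lifetime to recover.
    renew_by = not_before + (lifetime * 2) // 3
    return {
        "max_validity_days": max_days,
        "dcv_reuse_days": max_reuse,
        "lifetime": lifetime,
        "compliant": compliant,
        "renew_by": renew_by,
    }


# Constructed sample: a 200-day certificate issued just after the first
# step of the schedule takes effect.
SAMPLE_OPENSSL_DATES = """\
notBefore=Mar 20 12:00:00 2026 GMT
notAfter=Oct  6 11:59:59 2026 GMT
"""

if __name__ == "__main__":
    nb, na = parse_openssl_dates(SAMPLE_OPENSSL_DATES)
    result = check_certificate(nb, na)
    print("cap on issuance date:", result["max_validity_days"], "days")
    print("domain validation reusable for:", result["dcv_reuse_days"], "days")
    print("lifetime:", result["lifetime"], "compliant:", result["compliant"])
    print("renew by:", result["renew_by"].isoformat())
```

The one-second edge matters in practice: a certificate whose notAfter is exactly 398 days after notBefore already exceeds today's cap, which is why CAs issue such certificates with notAfter one second short of the full period. The renewal date is only a convention; with 47-day certificates a two-thirds rule means renewing roughly every 31 days, and any monitoring should alert well before that point.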

The vote of the CA/B members was clear: Twenty-nine votes in favor and none against, with five CAs abstaining.

Let's Encrypt, by far the largest CA by certificate volume, is ahead of this timetable anyway. It has never offered lifetimes longer than 90 days since its founding and is now introducing the option for its customers to order certificates that are valid for only six days. In April 2025, more than 500 million valid certificates issued by Let's Encrypt were in use, ten times as many as for second-placed Sectigo.

(cku)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.