TLS certificates: Apple proposes a maximum term of 45 days
After Google failed with a similar request, Apple is trying again and presenting a concrete timetable. The response is mixed.
(Image: created with AI in Bing Designer by heise online / dmk)
Apple wants to limit the validity of TLS certificates to forty-five days from 2027. The company has proposed this to the CA/Browser Forum. The certificates are used to encrypt HTTPS connections between web servers and clients. Many critics fear that shortening the validity period would make renewal processes more difficult; proponents, on the other hand, insist on demonstrable security gains.
Gradual shortening
TLS or SSL certificates, which are formally called X.509 certificates, are currently valid for a maximum of thirteen months (398 days), while the frequently used free certificates from "Let's Encrypt" are only valid for 90 days. Server administrators who rely on Let's Encrypt therefore often use automated tools based on the ACME protocol (Automatic Certificate Management Environment) for renewal. Such automated processes are less error-prone than manual processes.
In a voting proposal published on GitHub, the so-called Ballot SC-081, Apple sets out the timetable for shortening the validity period. Starting on September 15, 2025, the maximum validity is to be gradually reduced from the current 398 days to 45 days.
| Date | Maximum duration in days |
| --- | --- |
| now | 398 |
| September 15, 2025 | 200 |
| September 15, 2026 | 100 |
| April 15, 2027 | 45 |
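
As an added example (not from the article or from Apple's ballot), the following Python code checks a certificate inventory against the timetable above and reports from which phase date a certificate of the same length could no longer be issued. It assumes that the applicable limit is selected by issuance date (`notBefore`) and that renewal happens after two thirds of the lifetime; the host names and dates are constructed.

```python
import ssl
from datetime import datetime, timedelta, timezone

# (effective date, maximum validity in days), taken from the timetable above.
CURRENT_MAX_DAYS = 398
PHASES = [
    (datetime(2025, 9, 15, tzinfo=timezone.utc), 200),
    (datetime(2026, 9, 15, tzinfo=timezone.utc), 100),
    (datetime(2027, 4, 15, tzinfo=timezone.utc), 45),
]

# Constructed sample inventory, using the notBefore/notAfter string format
# that ssl.SSLSocket.getpeercert() returns.
INVENTORY = {
    "shop.example": {"notBefore": "Mar  1 00:00:00 2025 GMT", "notAfter": "Mar  1 00:00:00 2026 GMT"},
    "api.example": {"notBefore": "Oct  1 00:00:00 2024 GMT", "notAfter": "Dec 30 00:00:00 2024 GMT"},
    "late.example": {"notBefore": "Oct  1 00:00:00 2026 GMT", "notAfter": "Mar 30 00:00:00 2027 GMT"},
}


def _utc(cert_time):
    """Parse a getpeercert()-style timestamp into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def limit_for(issued):
    """Maximum validity in days for a certificate issued at `issued`.
    Assumption: the phase is chosen by issuance date (notBefore)."""
    limit = CURRENT_MAX_DAYS
    for start, days in PHASES:
        if issued >= start:
            limit = days
    return limit


def audit(cert):
    """Evaluate one certificate dict against the proposed schedule."""
    issued, expires = _utc(cert["notBefore"]), _utc(cert["notAfter"])
    lifetime = expires - issued
    blocked = [start for start, days in PHASES if lifetime > timedelta(days=days)]
    return {
        "lifetime_days": lifetime.days,
        "limit_days": limit_for(issued),
        "compliant": lifetime <= timedelta(days=limit_for(issued)),
        # First phase date from which a certificate this long could no longer be issued.
        "reissue_blocked_from": blocked[0].date().isoformat() if blocked else None,
        # Assumption of this example: renew once two thirds of the lifetime has elapsed.
        "renew_at": (issued + lifetime * 2 // 3).date().isoformat(),
    }


if __name__ == "__main__":
    for host, cert in INVENTORY.items():
        print(host, audit(cert))
```

The dictionaries returned by `getpeercert()` on a live TLS connection can be passed to `audit()` unchanged.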
Google had already attempted to limit the validity period of all TLS certificates to 90 days last year, but this did not meet with universal approval. However, the Google team has now moved away from the idea that was clearly formulated at the time. The corresponding project page only contains the vague passage that Google is "investigating the impact of reducing the 397 days to 90 days or less". As recently as September of this year, it was said that the corresponding reduction was planned to be introduced in Chrome or at least proposed to the CA/Browser Forum.
Lively discussion
Apple's proposal is not only met with approval. In the lively discussion about the proposal on GitHub, the usual demarcation lines are forming between advocates of the shortening and staunch opponents, often server administrators. While the latter cite arguments such as poor maintainability, a lack of updates for IoT devices and the impact on regions without permanent internet access, the scientific community is backing the proponents. In a study, US scientists showed that shortening the certificate validity period to 90 days reduces the misuse of orphaned certificates by 75 percent.
Opinion is also divided among the certification authorities, which see their business model at risk from automation and shortened validity periods. Sectigo, currently the second-largest CA after Let's Encrypt, expressly supports the proposal and warns that it is time to automate certificate management. This is not entirely altruistic, mind you, as these automation solutions are an important pillar of Sectigo's business.
(cku)