The CA/Browser Forum has officially voted to update the TLS Baseline Requirements, setting a timeline for reducing both the validity period of TLS certificates and the reuse period for CA-validated information. The first changes impacting users will take effect in March 2026.
Background of the Ballot
This decision follows extensive debate within the CA/Browser Forum, with multiple revisions based on feedback from certificate authorities and their customers. Voting concluded on April 11, 2025, marking the end of a contentious process and allowing the industry to prepare for upcoming changes.
New TLS Certificate Validity Timeline
The new schedule will significantly shorten certificate lifetimes, making automation an essential part of certificate management. Apple introduced the proposal, and although Google had previously advocated for a 90-day maximum, they quickly supported Apple’s plan once voting began.
Key Dates and Changes:
- Until March 15, 2026: Maximum TLS certificate lifetime is 398 days.
- From March 15, 2026: Maximum lifetime drops to 200 days.
- From March 15, 2027: Maximum lifetime further reduces to 100 days.
- From March 15, 2029: Maximum lifetime will be just 47 days.
Changes to Validation Information Reuse
The period for reusing domain and IP address validation information is also being shortened:
- Until March 15, 2026: Maximum reuse period is 398 days.
- From March 15, 2026: Drops to 200 days.
- From March 15, 2027: Reduces to 100 days.
- From March 15, 2029: Just 10 days.
For Subject Identity Information (SII)—details like company name in OV (Organization Validated) or EV (Extended Validation) certificates—the reuse period will be 398 days starting March 15, 2026, down from 825 days. This change does not affect DV (Domain Validated) certificates, which do not include SII.
Why 47 Days?
The 47-day figure may seem arbitrary, but it’s calculated to align with calendar cycles:
- 200 days: 6 maximal months (184 days) + half of a 30-day month (15 days) + 1 day
- 100 days: 3 maximal months (92 days) + about a quarter of a 30-day month (7 days) + 1 day
- 47 days: 1 maximal month (31 days) + half of a 30-day month (15 days) + 1 day
Apple’s Rationale for Shorter Lifetimes
Apple argues that the CA/B Forum has signaled the need for automation by consistently shortening certificate lifetimes. The main reason for this change is that certificate information becomes less trustworthy over time, requiring frequent revalidation. Additionally, current revocation systems (like CRLs and OCSP) are unreliable—browsers often ignore them. Shorter lifetimes help mitigate risks from potentially revoked certificates. In 2023, the Forum approved short-lived certificates (valid for up to 7 days) that don’t require CRL or OCSP.
Addressing Common Questions and Confusion
- Timeline Gaps: The rule changes occur in 2026, 2027, and 2029, with a two-year gap between the latter two updates.
- Validation Reuse: By 2029, certificates will last 47 days, but validation reuse drops to 10 days. Manual revalidation will be technically possible but highly impractical, risking outages.
- Cost Implications: Replacement frequency won’t increase costs—pricing remains based on annual subscriptions. Automation typically leads users to voluntarily adopt even shorter replacement cycles.
With the move to 100-day certificates in 2027, manual processes will become untenable, accelerating automation adoption well before 2029.
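The effect of the schedule on renewal workload can be estimated with a short simulation. The Python below is an added example, not code from the ballot or from any CA's tooling; the function names, the renew-after-two-thirds policy and the whole-day arithmetic are assumptions made for illustration, while the limits are the figures listed in this article.

```python
from datetime import date, timedelta

# (effective date, max certificate lifetime, max domain/IP validation reuse), in days.
# Figures are the ones listed in this article; newest phase first.
SCHEDULE = [
    (date(2029, 3, 15), 47, 10),
    (date(2027, 3, 15), 100, 100),
    (date(2026, 3, 15), 200, 200),
    (date.min, 398, 398),
]

def limits_on(issued):
    """Return (max_lifetime_days, max_reuse_days) for a certificate issued on `issued`."""
    for effective, lifetime, reuse in SCHEDULE:
        if issued >= effective:
            return lifetime, reuse

def within_limit(not_before, not_after):
    """True if the validity period fits the limit in force on the issuance date."""
    return (not_after - not_before).days <= limits_on(not_before)[0]

def simulate(start, end):
    """Count issuances and fresh domain validations for one hostname in [start, end).

    Assumed policy: issue at the maximum lifetime, renew after two thirds of it,
    and re-validate only when the previous validation is too old to reuse.
    """
    issued, validated = start, None
    issuances = validations = 0
    while issued < end:
        lifetime, reuse = limits_on(issued)
        if validated is None or (issued - validated).days > reuse:
            validated = issued
            validations += 1
        issuances += 1
        issued += timedelta(days=lifetime * 2 // 3)
    return issuances, validations

if __name__ == "__main__":
    for year in (2025, 2028, 2030):
        n, v = simulate(date(year, 1, 1), date(year + 1, 1, 1))
        print(f"{year}: {n} issuances, {v} domain validations")
```

Under these assumptions a single hostname goes from 2 issuances and 1 validation in 2025 to 12 issuances with a fresh validation each time in 2030, because the 10-day reuse window never spans a renewal interval.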
Preparing for Automated Certificate Management
Apple’s push for automation is clear, and IT Solution Singapore is ready to help. Our team offers robust automation solutions for certificate management, including support for the ACME protocol and automated renewal processes for DV, OV, and EV certificates.
Contact us to learn how you can optimise automation for your organisation.