The CA/Browser Forum has officially voted to amend the TLS Baseline Requirements, setting a timeline that shortens both the validity period of TLS certificates and the period during which information validated by the CA can be reused in certificates. The first effects of the vote on users will arrive in March 2026.
The vote was extensively debated in the CA/Browser Forum and went through several versions, incorporating comments from certificate authorities and their customers. The voting period ended on April 11, 2025, closing a highly disputed chapter and allowing the certification sector to plan for the future.
The new TLS certificate lifetime schedule
The ballot ultimately sets a maximum validity of 47 days for certificates, which makes automation essential. Before Apple's proposal, Google had promoted a maximum validity of 90 days, but it voted in favor of Apple's proposal almost immediately after the voting period began.
Here is the timeline:
Maximum certificate validity is decreasing:
From today until March 15, 2026, the maximum validity period of a TLS certificate is 398 days.
As of March 15, 2026, the maximum validity period of a TLS certificate will be 200 days.
As of March 15, 2027, the maximum validity period of a TLS certificate will be 100 days.
As of March 15, 2029, the maximum validity period of a TLS certificate will be 47 days.
The maximum period during which domain validation and IP address information can be reused is decreasing:
From today until March 15, 2026, the maximum period during which domain validation information can be reused is 398 days.
As of March 15, 2026, the maximum period during which domain validation information can be reused is 200 days.
As of March 15, 2027, the maximum period during which domain validation information can be reused is 100 days.
As of March 15, 2029, the maximum period during which domain validation information can be reused is 10 days.
Starting March 15, 2026, validations of Subject Identity Information (SII) can only be reused for 398 days, instead of 825. The SII is the company name and other information contained in an OV (Organization Validated) or EV (Extended Validation) certificate; that is, everything except the domain name or IP address protected by the certificate. This does not affect DV (Domain Validated) certificates, which have no SII.
Why 47 days?
47 days may seem like an arbitrary number, but it's a simple cascade:
200 days = maximum 6 months (184 days) + 1/2 month of 30 days (15 days) + 1 day of buffer
100 days = maximum 3 months (92 days) + ~1/4 month of 30 days (7 days) + 1 day of buffer
47 days = maximum 1 month (31 days) + 1/2 month of 30 days (15 days) + 1 day of buffer
Apple's justification for the change
In the vote, Apple presented numerous arguments in favor of these measures, and one of them stands out most. They argue that the CA/B Forum has been recommending to the world for years, through the constant reduction of maximum validity periods, that automation is essential for effective certificate lifecycle management.
The vote argues that shorter validity periods are necessary for many reasons, with the most important being the following: the information contained in certificates becomes increasingly unreliable over time, a problem that can only be mitigated by frequently revalidating the information.
The vote also argues that the revocation system using CRL and OCSP is unreliable. In fact, browsers typically ignore these features. The vote includes an extensive section on the shortcomings of the certificate revocation system. A shorter validity period mitigates the effects of using potentially revoked certificates. In 2023, the CA/B Forum took this philosophy to another level by approving short-lived certificates, which expire in 7 days and require no CRL or OCSP support.
Clarifying confusion about the new rules
There are two points about the new rules that will likely cause confusion:
The rule changes take effect in three years: 2026, 2027, and 2029. The gap between the last two is two years, not one.
As of March 15, 2029, the maximum validity period of a TLS certificate will be 47 days, but the maximum reuse period for domain validation information will be only 10 days. Manual revalidation will still be technically possible, but relying on it would all but guarantee failures and interruptions.
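The schedule from the timeline and the 47-day/10-day mismatch described above can be checked against a renewal plan before it runs. The following is an added example, not code from DigiCert or the CA/Browser Forum; the field names, hostnames and dates are constructed, and it assumes the limits apply by issuance date and that validity is the plain date difference in days.

```python
from datetime import date

# Rows copied from the timeline: (effective date, max validity, max DCV reuse), in days.
# date.min stands in for "from today"; limits are assumed to apply by issuance date.
SCHEDULE = [
    (date.min, 398, 398),
    (date(2026, 3, 15), 200, 200),
    (date(2027, 3, 15), 100, 100),
    (date(2029, 3, 15), 47, 10),
]

def limits_on(issued):
    """Return (max_validity_days, max_dcv_reuse_days) in force on the issuance date."""
    validity, reuse = SCHEDULE[0][1:]
    for effective, v, r in SCHEDULE:
        if issued >= effective:
            validity, reuse = v, r
    return validity, reuse

def audit(cert):
    """Return findings for one planned issuance (empty list means it fits the schedule)."""
    max_validity, max_reuse = limits_on(cert["not_before"])
    findings = []
    # Simplification: validity is the plain date difference in whole days.
    validity = (cert["not_after"] - cert["not_before"]).days
    if validity > max_validity:
        findings.append(f"validity {validity}d > {max_validity}d")
    # Age of the domain validation evidence at the moment of issuance.
    dcv_age = (cert["not_before"] - cert["dcv_date"]).days
    if dcv_age > max_reuse:
        findings.append(f"domain validation {dcv_age}d old > {max_reuse}d reuse limit")
    return findings

def plan(name, dcv, start, end):
    return {"name": name, "dcv_date": dcv, "not_before": start, "not_after": end}

# Constructed inventory: hostnames and dates are invented for illustration.
INVENTORY = [
    plan("a.example.test", date(2025, 6, 1), date(2026, 3, 14), date(2027, 4, 15)),
    plan("b.example.test", date(2025, 6, 1), date(2026, 3, 15), date(2027, 4, 16)),
    plan("c.example.test", date(2027, 3, 1), date(2027, 6, 1), date(2027, 9, 9)),
    plan("d.example.test", date(2029, 3, 1), date(2029, 3, 20), date(2029, 5, 6)),
]

if __name__ == "__main__":
    for cert in INVENTORY:
        print(cert["name"], audit(cert) or "ok")
```

The last entry is the case the second point warns about: a 47-day certificate that is within the validity limit but relies on a domain validation older than 10 days.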
As a certification authority, one of the most frequent questions we receive from our customers is whether they will be charged more for replacing certificates more frequently. The answer is no. Pricing is based on an annual subscription, and we have found that once users adopt automation, they typically voluntarily opt for faster certificate replacement cycles.
For this reason, and because even the 2027 changes to 100-day certificates will make manual procedures unsustainable, we expect rapid automation adoption well before the 2029 changes.
Apple's statement about automated certificate lifecycle management is indisputable, but it is something we have been preparing for for a long time. DigiCert offers multiple automation solutions, including ACME support. DigiCert ACME enables automation of DV, OV, and EV certificates, and includes support for ACME Renewal Information (ARI).
You can contact us to learn more about how to maximize Discovery & Automation.
Source: DigiCert