Update 14th April 2025: It has been confirmed that Apple's 47-day proposal has been formally accepted by the CA/B Forum following a majority vote by the relevant Certificate Authorities and Certificate Issuers. All 4 major browser vendors (Google, Apple, Mozilla and Microsoft) also voted in favor. This consensus means that the changes will be adopted, with slight changes to the timeline.
The new final dates for implementation are as follows:
In recent years, SSL / TLS certificate validity periods have been dramatically shortened, and the latest move by Apple marks a significant shift in how certificates will soon be managed. This trend began with Google’s initial push to reduce certificate lifespans to 90 days, aiming to tighten security and reduce the risks of compromised certificates. However, last week, Apple made headlines in the digital security world by introducing a draft ballot to shorten the maximum validity period for public SSL / TLS certificates to just 47 days by 2027. This move, unveiled during the CA/Browser Forum meetings, aligns with broader industry efforts led by major browsers, including Google, to enhance web security by reducing certificate lifespans.
Discover more about evolving certificate requirements in our podcast: Trust.ID Talks
The Push for 47-Day Certificates
Currently, the standard for public certificates is a maximum of 398 days. However, Apple’s proposal lays out a roadmap for gradually reducing this timeframe, with significant milestones in 2025, 2026, and finally reaching a 47 day maximum by April 2027. Notably, the proposal also includes a reduction in the Domain Control Validation (DCV) reuse period, which will shrink to just 10 days by September 2027.
Reducing certificate lifespan to 47 days is rooted as potential best practice according to Apple. By shortening the time, a certificate is valid, the risk window for potential compromise could narrow significantly. As the industry moves toward these tighter lifecycles, it forces organizations to stay vigilant about their certificate management, reducing the likelihood of breaches caused by stale or mis issued certificates.
The Challenge for IT Teams
This trend also aligns with the increasing adoption of automation tools, which are essential for managing the more frequent certificate renewals that shorter validity periods demand. ACME (Automated Certificate Management Environment) has emerged as a crucial tool in this context, especially for small to medium-sized businesses (SMBs).
While the security benefits of shorter certificate validity periods are clear, they also present significant operational challenges. Organizations relying on manual methods for tracking and renewing certificates may find it overwhelming to keep up with more frequent renewals. For busy IT teams, juggling certificates with varying expiration dates could lead to an increased risk of expired certificates causing service disruptions.
Through ACME, organizations can automate the issuance, installation, and renewal of certificates, ensuring that even with the shortened 47-day cycle, certificates are updated without manual intervention. This is particularly beneficial for smaller businesses that often lack the resources or time to manage certificates manually, yet still need to comply with the latest security standards and avoid outages due to expired certificates.
While the move to 47-day certificates by 2027 may appear challenging, especially for smaller organizations, automation tools like ACME make it achievable. By adopting ACME and similar automated solutions such as Certificate Automation Manager for our Enterprise customers organizations that implement these solutions now will be well-prepared for the future of web security and can avoid the pitfalls of manual certificate management.
Want to know more? Get in touch to find the best solution that suits your needs.
Organizations that implement these solutions now will be well-prepared for the future of web security and can avoid the pitfalls of manual certificate management.
Editor’s Note: This blog was originally published on October 16th 2024 but has since been updated to reflect industry changes and new insights.
