GlobalSign Blog

From 90 Days to 47: The Evolution of Certificate Lifespans and the Role of Automation

Update 18th November 2024: Following further discussion in the CA/Browser Forum and feedback from the community, Apple's proposal to shorten TLS certificate validity periods has been altered. First, the final maximum validity has increased from 45 to 47 days, a small change but one that suggests there will likely be further discussion before a firm timeline is set. The suggested dates for implementing the reductions have also changed, effectively pushing back when the validity reductions will come into effect.

The new dates are:

  • 200 days as of March 15 2026,
  • 100 days as of March 15 2027, 
  • 47 days as of March 15 2028.

In recent years, SSL / TLS certificate validity periods have been dramatically shortened, and the latest move by Apple marks a significant shift in how certificates will soon be managed. This trend began with Google’s initial push to reduce certificate lifespans to 90 days, aiming to tighten security and reduce the risks of compromised certificates. Last week, Apple made headlines in the digital security world by introducing a draft ballot to shorten the maximum validity period for public SSL / TLS certificates to just 47 days by 2027. This move, unveiled during the CA/Browser Forum meetings, aligns with broader industry efforts led by major browsers, including Google, to enhance web security by reducing certificate lifespans.

The Push for 47-Day Certificates

Currently, the standard for public certificates is a maximum of 398 days. However, Apple’s proposal lays out a roadmap for gradually reducing this timeframe, with significant milestones in 2025 and 2026, finally reaching a 47-day maximum by April 2027. Notably, the proposal also includes a reduction in the Domain Control Validation (DCV) reuse period, which will shrink to just 10 days by September 2027.

Certificate Lifespan Table

According to Apple, reducing certificate lifespans to 47 days is a potential best practice. Shortening the time a certificate is valid could significantly narrow the risk window for potential compromise. As the industry moves toward these tighter lifecycles, organizations are forced to stay vigilant about their certificate management, reducing the likelihood of breaches caused by stale or mis-issued certificates.

The Challenge for IT Teams

This trend also aligns with the increasing adoption of automation tools, which are essential for managing the more frequent certificate renewals that shorter validity periods demand. ACME (Automated Certificate Management Environment) has emerged as a crucial tool in this context, especially for small to medium-sized businesses (SMBs).

While the security benefits of shorter certificate validity periods are clear, they also present significant operational challenges. Organizations relying on manual methods for tracking and renewing certificates may find it overwhelming to keep up with more frequent renewals. For busy IT teams, juggling certificates with varying expiration dates could lead to an increased risk of expired certificates causing service disruptions.

Through ACME, organizations can automate the issuance, installation, and renewal of certificates, ensuring that even with the shortened 47-day cycle, certificates are updated without manual intervention. This is particularly beneficial for smaller businesses that often lack the resources or time to manage certificates manually, yet still need to comply with the latest security standards and avoid outages due to expired certificates.
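To make the renewal load concrete, here is an added example (not GlobalSign's code) that applies the revised dates from the update above to a certificate inventory: it flags lifetimes above the cap in force at issuance and computes a renew-by date. The two-thirds renewal point, the whole-day lifetime calculation, and the hostnames and dates are assumptions made for illustration.

```python
from bisect import bisect_right
from datetime import date, timedelta
from math import ceil
# Maximum validity in days by issuance date: 398 today, then the steps listed
# in the 18 November 2024 update on this page.
SCHEDULE = [(date.min, 398), (date(2026, 3, 15), 200),
            (date(2027, 3, 15), 100), (date(2028, 3, 15), 47)]
RENEW_AT = 2 / 3  # assumption: renew once two-thirds of the lifetime has elapsed

def max_validity_days(issued):
    """Cap in force on the issuance date."""
    starts = [start for start, _ in SCHEDULE]
    return SCHEDULE[bisect_right(starts, issued) - 1][1]

def renew_by(not_before, not_after):
    """Date by which automation should have replaced the certificate."""
    lifetime = (not_after - not_before).days  # simplification: whole days
    return not_before + timedelta(days=int(lifetime * RENEW_AT))

def renewals_per_year(cap_days):
    """Issuances per host per year when every certificate uses the full cap."""
    return ceil(365 / int(cap_days * RENEW_AT))

def audit(inventory, today):
    """Classify each (host, notBefore, notAfter) row as of `today`."""
    report = []
    for host, not_before, not_after in inventory:
        due = renew_by(not_before, not_after)
        if (not_after - not_before).days > max_validity_days(not_before):
            status = "exceeds-cap"   # longer than the schedule allows
        elif today >= not_after:
            status = "expired"
        elif today >= due:
            status = "renew-now"
        else:
            status = "ok"
        report.append((host, status, due))
    return report

# Constructed inventory; hostnames and dates are illustrative only.
INVENTORY = [
    ("www.example.test", date(2026, 4, 1), date(2026, 10, 18)),   # 200 days
    ("api.example.test", date(2027, 4, 1), date(2027, 10, 18)),   # 200 days, cap is 100
    ("shop.example.test", date(2028, 4, 1), date(2028, 5, 18)),   # 47 days
]

if __name__ == "__main__":
    for row in audit(INVENTORY, today=date(2028, 5, 5)):
        print(*row)
```

Under the assumed two-thirds policy, `renewals_per_year` returns 2, 3, 6 and 12 issuances per host for the 398, 200, 100 and 47 day caps, which is the growth in workload that manual tracking has to absorb.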

While the move to 47-day certificates by 2027 may appear challenging, especially for smaller organizations, automation tools like ACME make it achievable. Organizations that adopt ACME and similar automated solutions now, such as Certificate Automation Manager for our Enterprise customers, will be well-prepared for the future of web security and can avoid the pitfalls of manual certificate management.

Editor’s Note: This blog was originally published on October 16th 2024 but has since been updated to reflect industry changes and new insights.