Adjustment of the validity period of SSL Certificates: Shorten it in stages starting from March 15, 2026 (200 days →100 days →47 days)

The CA/Browser Forum has officially voted to revise the TLS baseline requirements to develop plans to shorten the validity period of TLS certificates and reduce the reuse of CA authentication information. The first changes that will affect users will be implemented in March 2026.

The proposal has been discussed for a long time in the CA/Browser forum and has gone through multiple versions, absorbing the opinions of certification authorities and their customers. The voting period ends on April 11, 2025, marking the end of a controversial chapter and allowing the certification community to plan the next steps.

New TLS certificate validity schedule

The new ballot sets a certificate validity target of 47 days, making automation critical. Shortly after the voting period began and before Apple's proposal was made, Google supported a maximum of 45 days, but they supported Apple's proposal almost immediately as soon as the voting period began.

Here is the new timetable:

The maximum certificate validity period will be reduced:

From today until March 15, 2026, the maximum validity period of TLS certificates is 398 days.

Starting from March 15, 2026, the maximum validity period of TLS certificates will be 200 days.

Starting from March 15, 2027, the maximum validity period of TLS certificates will be 100 days.

Starting from March 15, 2029, the maximum validity period of TLS certificates will be 47 days.

The maximum period for which domain name and IP address verification information can be reused will decrease:

From today to March 15, 2026, the maximum period for which domain name verification information can be reused is 398 days.

Starting from March 15, 2026, domain name verification information can be reused for up to 200 days.

Starting from March 15, 2027, the maximum period for which domain name verification information can be reused is 100 days.

Starting from March 15, 2029, the maximum period for which domain name verification information can be reused is 10 days.

Starting from March 15, 2026, the verification results of subject identity information (SII) can only be reused for 398 days, a decrease from the previous 825 days. SII refers to the company name and other information found in an OV (Organization Authentication) or EV (Extended Authentication) certificate, that is, all information other than the domain name or IP address protected by the certificate. This does not affect DV (Domain Name Verification) certificates because DV certificates do not have SII.

Why 47 days?

47 days may seem like an arbitrary number, but it is actually a simple decreasing number:

200 days = 6 maximum months (184 days)+ half of a 30-day month (15 days)+ 1 day buffer

100 days = 3 maximum months (92 days)+ approximately a quarter of a 30-day month (7 days)+ 1 day buffer

47 days = 1 maximum month (31 days)+ half of a 30-day month (15 days)+ 1 day buffer

Why Apple changed

In the ballot, Apple put forward many reasons in support of the changes, one of which is particularly noteworthy. They pointed out that by shortening the maximum validity period year by year, the CA/B Forum has told the world that effective certificate life cycle management is almost an indispensable automated process.

Votes believe it is necessary to shorten the validity period of certificates, mainly because the information in certificates becomes increasingly unreliable over time, and this problem can only be alleviated by frequently verifying information.

The ballot also pointed out that revocation systems using CRLs and OCSP are unreliable. Indeed, browsers often ignore these features. There is a long section of the ballot discussing flaws in the certificate revocation system. A shorter life cycle can mitigate the impact of using certificates that may be revoked. In 2023, the CA/B Forum took this concept to another level by approving short life cycle certificates valid for 7 days that do not require CRL or OCSP support.