Date: 2024-01-01

Landmark decision to reduce digital certificate lifespans aims to strengthen online security, promote automation in certificate management, and prepare for quantum challenges

Sectigo, a global leader in digital certificates and automated Certificate Lifecycle Management (CLM), today announced that the CA/Browser (CA/B) Forum ballot it endorsed to reduce the maximum validity term of SSL/TLS certificates to 47 days by 2029 has passed without opposition. This groundbreaking move to shorten digital certificate lifespans seeks to enhance online security, drive automation in certificate management, and ready systems for quantum computing challenges by improving crypto agility.

The newly approved measure, initially proposed by Apple and endorsed by Sectigo in January 2025, will gradually reduce certificate lifespans from the current 398 days to 47 days through a phased approach:

March 15, 2026: Maximum TLS certificate lifespan shrinks to 200 days. This accommodates a six-month renewal cadence. The Domain Control Validation (DCV) reuse period reduces to 200 days.

March 15, 2027: Maximum TLS certificate lifespan shrinks to 100 days. This accommodates a three-month renewal cadence. The DCV reuse period reduces to 100 days.

March 15, 2029: Maximum TLS certificate lifespan shrinks to 47 days. This accommodates a one-month renewal cadence. The DCV reuse period reduces to 10 days.

“At Sectigo we have long advocated for shorter certificate lifecycles as a crucial step in bolstering internet security, which is why we endorsed this ballot from its inception,” said Kevin Weiss, chief executive officer at Sectigo. “This collaborative initiative passed by the CA/Browser Forum not only showcases the industry’s unified commitment to enhance digital trust for all but also empowers customers to be at the leading edge of preparing for a quantum future.”

This change aims to strengthen the internet’s ecosystem in several key ways, with major drivers including:

Enhanced security: Shorter certificate renewals protect private keys from being compromised by limiting the time they are exposed to potential threats, ultimately reducing the risk of man-in-the-middle attacks and data breaches.

Encouraging automation: Reducing certificate lifespans encourages automation and the adoption of practices that drive the ecosystem away from baroque, time-consuming, and error-prone issuance processes. The result enables faster adoption of emerging security capabilities, changes in cryptographic algorithms, and general best practices.

Preparing for quantum challenges: In an era of promoting quantum preparedness, shorter certificate lifespans foster crypto agility by accelerating the adoption of stronger algorithms and ensure compliance with evolving security standards.

“The industry’s unified support for reducing certificate lifespans to 47 days reflects a shared commitment to enhancing digital security and trust for all,” said Tim Callan, chief compliance officer at Sectigo and vice-chair of the CA/Browser Forum. “This pivotal and positive advancement for our industry underscores the importance of agility and proactive risk management in today’s threat landscape while preparing for the risks of the quantum era.”

As a leader in digital trust solutions, Sectigo remains committed to supporting its customers and partners through this industry-wide shift, ensuring they are well-equipped to navigate the future of digital security. Sectigo is fully prepared to support its customers through this change with its advanced CLM solutions, including Sectigo Certificate Manager (SCM), a cloud-native platform that automates the entire SSL/TLS certificate lifecycle. Sectigo channel partners are supported with Sectigo Certificate as a Service (CaaS), which enables partners to future-proof their customers’ certificate needs by administering – under a single API – automated CLM and domain validation procedures.

“While there is still a waiting period before the ballot results become official, its eventual enforcement may present operational challenges for enterprises. We believe it’s important for organizations to view this industry shift not as an abrupt or radical change, but rather an incremental step towards future-proofing their business,” Callan added. “Sectigo’s automated solutions are designed to make this transition as smooth as possible for customers and partners, allowing businesses to focus on their core operations while maintaining robust digital security.”

The CA/Browser Forum brings together a voluntary group of certificate authorities, like Sectigo, notable browser vendors and major technology companies to establish guidelines for public TLS, Code Signing, and S/MIME certificates. The Forum regularly updates guidelines and requirements to help the WebPKI stay ahead of emerging threats, incorporate new technology, and improve the accuracy and reliability of processes. Sectigo currently holds five active chair positions – the most of any CA/Browser Forum member.

For more information on how to prepare for 47-day certificate lifecycles, please visit https://www.sectigo.com/47-day-ssl.

