Another shortening of the validity of TLS certificates is coming

Jan 22, 2025 | Jindřich Zechmeister

The validity of SSL/TLS certificates has been shortened several times over the past decade. Now, there’s talk of reducing it to just 45 days, which could mean replacing your TLS certificate up to 9 times a year! But with us, there’s no need to worry. What does this mean for you, and how can you handle this situation? Find out in this article.

History of Certificate Shortening

In the early days of SSL certificates, there was a lack of a clear regulatory body for the entire industry, which today is the CA/Browser Forum consortium. This consortium was established in 2005, and two years later, their first result was the rules for EV certificates, which were thus created.

Not long after, the maximum validity period of SSL certificates began to be discussed, as one pair of keys could be used for many years without change, which did not contribute to user security. In 2015, the maximum validity was reduced to 3 years (39 months); up until then, certificates were issued for 4-5 years. Another reduction came in March 2018, when the validity period was limited to 27 months (825 days).

From September 2020, another reduction took place. Companies like Apple, Google, and Mozilla pushed for browsers to consider certificates older than 398 days invalid, effectively setting the maximum validity at 1 year and a few extra days. This situation persists, but experts expected that further shortening would occur in the future.

Now once again, Apple and Google are leading the next wave of shortening, and their proposals are being discussed in the CA/Browser Forum plenary. So far, nothing has been decisively decided, but Apple's proposal is even bolder than Google's, which wanted a reduction to 90 days. The current certificate validity is limited to 398 days.

Apple proposes shortening certificates to 47 days and aims to achieve this gradually. New certificates should have a maximum validity shortened in three stages:

• 200 days effective from March 2026
• 100 days from March 2027
• 47 days from March 2028

It is expected that this form will eventually be implemented. In the past, Apple has already managed to prevail even when its proposal was not accepted; everyone had to adapt anyway because its browser holds a significant market share.

How to Prepare for the Shortening

Automate the certificate lifecycle in advance - that's the only advice we can give you. Implementing certificate automation may not be demanding, and there is still enough time. We can offer you several ways of automating certificates, all of which are tried and tested in practice and functional.

We recommend the following ways to automate:

• ACME protocol - a standard protocol for obtaining certificates, works through so-called ACME clients, of which there are many available on the market. The client usually can not only obtain the certificate but also deploy it on the server.
• DigiCert Automation Manager - agent/sensor-based automation using the CertCentral interface. You have an overview of the certificates on your servers and can also control them in the interface. Agents then manage them for you on the servers.
• Trust Lifecycle Manager within DigiCert ONE is a comprehensive tool and can connect to popular third-party tools and services. This facilitates integration, particularly for large companies.
• KeyTalk CKMS server or service. It can secure and deploy certificates on endpoint devices within your company. It can be used for automating TLS as well as S/MIME certificates.
• Your own integration with our API or API of CA DigiCert.

The first four examples can manage the entire certificate lifecycle, i.e., from obtaining the certificate, issuing it, to deployment (on a compatible server). Everything is covered, so you don't have to worry about anything. If you were to create your automation and implement our API, you would obtain the certificate, but server deployment is still up to you.

Do not hesitate to contact us as soon as possible and get advice on how to automate your TLS certificates today without additional costs.

Why is the Shortening Happening?

Apple and Google believe that shortening certificates will generally help improve security on the internet. Below you will find several main arguments for the shortening; the most frequently touted benefit is increased security for users due to more frequent key rotations.

Advantages of Shorter Certificates

Certificates with shorter validity contribute to improved security because they can bring new technologies faster if necessary. An example scenario might be the transition to post-quantum cryptography (PQC) after breaking RSA by a quantum computer (which will certainly happen in the future). Shorter certificate validity ensures that new algorithms reach the servers more quickly.

Another reason might be to minimize damage in case of key compromise. If a private key is leaked, a shorter validity period limits the time window in which the compromised certificate can be exploited (the victim often does not even know about the compromise).

The development of certificate lifecycle automation is also crucial, as it is being rapidly accelerated by this significant pressure. Certificate administrators are forced to use certificate automation, which ultimately benefits them.

Disadvantages

The main disadvantages include increased management workload. Automation usually solves this, but there will always be cases where it is neither easy nor possible. For systems that currently do not support automation, it will be necessary to wait for the manufacturer to add support; until then, administrators will manage certificates manually, resulting in more work. Organizations that do not have automation of certificate management implemented may be paralyzed by more frequent renewals.

A problem will surely arise with IoT devices that were not designed considering a shorter certificate lifecycle. If not updated, these devices and the certificates used will likely collide with modern browsers.

Do Not Hesitate to Consult Automation with Us

The upcoming certificate shortening is a significant change, but with us, it doesn't have to be a problem. Contact us and start automating certificates; the sooner you do so, the better for you!

---