TLS Certificate Lifespan Cut to 47 Days

The CA/Browser Forum, the association through which browser vendors and certificate authorities coordinate their joint work, recently made a significant decision on the maximum lifetime of TLS certificates. Forum participants voted to reduce the maximum validity period of TLS certificates from 398 to 47 days. The change will be implemented unless the forum revises its decision in the future. It was also decided to shorten the period during which validation data may be reused: for subject alternative name (SAN) data it will go from 398 to 10 days, and for non-SAN data from 825 to 398 days.

The maximum validity period of TLS certificates will be reduced gradually. The first reduction takes effect on March 15, 2026, bringing the maximum validity period down to 250 days. Subsequent reductions will occur on March 15, 2027 (100 days) and March 2029 (47 days). Certificates issued after each stage that do not meet the new criteria will cause browsers to display the error “ERR_CERT_VALIDITY_TOO_LONG.” This decision follows a previous reduction in the certificate lifetime from 8 years to 398 days.

A total of 29 participants voted in favor of the new reduction in the lifetime of TLS certificates, with 6 abstaining and no one voting against. Major participants who voted for the change include Apple, Google, Microsoft, Mozilla, Amazon, and others. Those who abstained included Entrust, IdenTrust, Japan Registry Services, SECOM Trust Systems, and TWCA.

The move toward shorter-lived certificates is expected to allow new cryptographic algorithms to be rolled out more quickly when vulnerabilities are found, and to reduce security threats. If a certificate is leaked as a result of a hack, a shorter lifetime limits how long attackers can use it to control victim traffic. More frequent validation and shorter certificate lifetimes will also reduce the risk of improperly issued certificates remaining in use after they have ceased to be relevant.
