Apple’s Proposal to Shorten SSL/TLS Certificate Lifespans to 45-Days by 2027


In a recent industry shift, Apple released the details of a draft proposal to shorten the maximum lifespan of public SSL/TLS certificates to 45 days by 2027.

The announcement, made on October 9, 2024, as part of the CA/Browser Forum’s Face-to-Face meeting, received a positive boost from Sectigo, a significant player in the digital security landscape.

This industry support further solidifies the credibility and potential benefits of the proposal. The proposal lays out a phased decrease in certificate lifespan over the next few years, in line with the industry's trend toward improving web security.

A Move Toward Shorter Certificate Lifespans

This proposal by Apple is not an isolated initiative; it is part of a similar push by other influential browser vendors such as Google. Just last year, Google outlined its vision of reducing the lifespan of SSL/TLS certificates to 90 days.

Apple is taking it further by proposing the gradual reduction of certificate terms to end with a maximum validity of 45 days by April 2027.

  • By September 2025: The maximum certificate term will drop to 200 days.
  • By September 2026: The lifespan will be reduced further to 100 days.
  • By April 2027: Public certificates will be valid for just 45 days, with a final reduction in Domain Control Validation (DCV) reuse periods to 10 days by September 2027.

Why the Push for 45-Day Certificates?

The fundamental rationale for these significant reductions in certificate lifetimes is to enhance security in general.

Because the certificates have shorter lifetimes, there is inherently less risk when one of them is compromised.

As Apple and Sectigo push to narrow the window during which a certificate remains valid and operational, the exposure to vulnerabilities that could emerge through outdated or misused certificates is significantly reduced.

At the same time, implementing these changes poses several operational challenges for organizations and systems.

Despite those challenges, the changes are proactive, preventative measures. They aim to significantly raise the security of web traffic across the internet and to give greater confidence in the future of web security.

The Impact on IT Teams and Businesses

This will cause a paradigm shift in how businesses and IT teams manage and handle these certificates.

Tracking and renewing certificates manually becomes infeasible for most organizations once renewal is required every 45 days.

Organizations with multiple certificates with unique and random expiration dates will face more complexities in handling them.

Automation will be critical for managing the new reality. With tools like ACME (Automated Certificate Management Environment), organizations can feel prepared and in control of the management of their certificates.

Certificate lifecycle management can be made seamless, avoiding the risk of downtime due to expired certificates.

Companies that automate their SSL/TLS management now will be well prepared for this shift and avoid the headache of renewal processes that are often manual.
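To see how the phased schedule above affects an existing certificate inventory, here is an added example (not code from Apple, Sectigo or Certera) that checks each certificate's lifetime against the cap for its issuance date and plans its renewal. Assumptions: each cap takes effect on the first day of the named month and applies to certificates issued on or after it, the current limit is 398 days, renewal happens after two-thirds of the lifetime, and the inventory and "today" are constructed sample values.

```python
from datetime import date, timedelta

# Phase-in from the proposal's schedule. The page names only months, so the
# first day of each month is an assumption made for this example.
SCHEDULE = [
    (date(2027, 4, 1), 45),
    (date(2026, 9, 1), 100),
    (date(2025, 9, 1), 200),
]
CURRENT_MAX_DAYS = 398  # present limit; not stated on the page


def max_validity_days(issued: date) -> int:
    """Cap that applies to a certificate issued on the given date."""
    for effective, days in SCHEDULE:
        if issued >= effective:
            return days
    return CURRENT_MAX_DAYS


def audit(name: str, not_before: date, not_after: date, today: date) -> dict:
    """Check one certificate against the cap and plan its renewal."""
    lifetime = (not_after - not_before).days
    cap = max_validity_days(not_before)
    # Assumption: renew once two-thirds of the lifetime has elapsed.
    renew_on = not_before + timedelta(days=(lifetime * 2) // 3)
    # Cap that a replacement issued on the renewal date would fall under.
    next_cap = max_validity_days(max(renew_on, today))
    return {
        "name": name,
        "lifetime_days": lifetime,
        "within_cap": lifetime <= cap,
        "renew_on": renew_on,
        "overdue": today >= renew_on,
        "next_cap_days": next_cap,
    }


# Constructed inventory: (name, notBefore, notAfter)
INVENTORY = [
    ("www.example.test", date(2025, 6, 1), date(2026, 7, 4)),    # 398 days
    ("api.example.test", date(2026, 10, 1), date(2027, 4, 19)),  # 200 days
    ("mail.example.test", date(2027, 5, 1), date(2027, 6, 15)),  # 45 days
]

if __name__ == "__main__":
    today = date(2027, 5, 20)  # constructed "now" so the output is stable
    for name, nb, na in INVENTORY:
        print(audit(name, nb, na, today))
```

In the sample inventory, the 200-day certificate issued in October 2026 is flagged because it falls under the 100-day cap, which is the kind of drift a fixed renewal calendar would miss.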

Automate Certificate Lifecycle Management with Certera

Certera is fully aligned with these shifts and is committed to helping enterprises navigate them smoothly.

Our Certificate Automation Manager delivers a comprehensive solution for efficiently managing complicated certificate lifecycles, helping your organization stay safe and compliant at all times as certificates continue to get shorter-lived.

To stay ahead of these upcoming changes and prepare your organization for the future of SSL/TLS management, contact our experts today.

Janki Mehta

Janki Mehta is a passionate Cyber-Security Enthusiast who keenly monitors the latest developments in the Web/Cyber Security industry. She puts her knowledge into practice and helps web users by arming them with the necessary security measures to stay safe in the digital world.