TLS Certificate Lifetimes Will Officially Reduce to 47 Days
www.digicert.com
The CA/Browser Forum has officially voted to amend the TLS Baseline Requirements to set a schedule for shortening both the lifetime of TLS certificates.

From today until March 15, 2026, the maximum lifetime for a TLS certificate is 398 days.

As of March 15, 2026, the maximum lifetime for a TLS certificate will be 200 days.

As of March 15, 2027, the maximum lifetime for a TLS certificate will be 100 days.

As of March 15, 2029, the maximum lifetime for a TLS certificate will be 47 days.

What’s everyone’s opinion on this? I think from a security standpoint their reasoning is valid and in many cases it’s very easy to automate the renewal with ACME or something else. But there’s likely gonna be legacy stuff still around in 2029 that won’t be easy to automate.

  • JRaccoon@discuss.tchncs.deOPEnglish
    2·
    15 hours ago

    I like that metaphor, I’m gonna save it. And agreed, there’s going to be issues with legacy systems.

    Luckily, at my current job, all of our outside-facing legacy services already go through an SSL terminating reverse proxy. And we then use self-signed certs with much longer validity for internal traffic where needed.