Earlier this week, on October 9, during the second day of the fall CA/Browser Forum Face-to-Face meeting, Apple revealed that it had published a draft ballot for commentary to GitHub. This proposal, which is sponsored by Sectigo, offers to incrementally phase maximum term for public SSL/TLS certificates down to 45 days between now and 2027. The draft also phases down the DCV reuse period over time, until it reaches 10 days in 2027.
Table of Contents
An accelerating trend of shortening digital certificate lifespans
This move from Apple follows Google’s previous announcement in its “Moving Forward, Together” roadmap of its intention to reduce the maximum validity for public SSL/TLS certificates from 398 days to 90 days, in a future policy update or a CA/B Forum ballot proposal.
At this stage, it’s important to note that it is just in the proposal for discussion stage, but it clearly sends a strong message to the industry with the two largest browsers – Google and now Apple – both advocating for shorter digital certificate lifespans.
If this ballot gets officially issued and passes in the coming months, this is what the reality could look like for businesses renewing their public SSL/TLS certificates:
Chart of certificates lifetimes expectations
Why are these numbers what they are?
The public certificate lifespans proposed by Apple may seem complex at first, but they follow a simple logic of ideal certificate term + early renewal window:
- 200 days = 180 days (6 months) + 20 days early renewal
- 100 days = 90 days (3 months) + 10 days early renewal
- 45 days = 42 days (6 weeks) + 3 days early renewal
But although there’s logic behind this, the gradual decrease in certificate lifespans will no doubt prove a headache for busy IT security teams, juggling with lots of certificates expiring at different times. It’s easy to predict that companies that use manual methods for tracking and monitoring certificate expiries will soon find themselves overwhelmed by the rapidly changing certificate lifespans. After all, what Apple is suggesting is that certificate lifecycles now change every year!
In addition to the reduction in maximum certificate terms, the DCV reuse period is also going to decrease as follows, if the proposal passes:
| Date | Maximum certificate term | DCV reuse period |
| 9/15/25 | 200 days | 200 days |
| 9/15/26 | 100 days | 100 days |
| 4/15/27 | 45 days | 45 days |
| 9/15/27 | — | 10 days |
It’s time to automate certificate lifecycle management
This proposal highlights the critical importance for businesses of all sizes to seriously consider and implement fully automated certificate lifecycle management (CLM). There’s real urgency for organizations to adopt a “set it and forget it” approach to certificate renewals, so any future change in renewal windows don’t impact their operations or cause unnecessary downtime and outages.
Sectigo is fully committed to supporting these initiatives from the browsers. Our decision to sponsor this latest ballot proposal is a testament to our dedication towards the integrity of the WebPKI ecosystem and the security of our customers. Sectigo Certificate Manager (SCM) is the most comprehensive certificate lifecycle management platform on the market, designed to proactively address the SSL challenges of tomorrow. Schedule a demo today to learn how your company can benefit from SCM, or start a free trial.
