Shorter TLS Certificate Lifespans

It’s official: the CA/Browser Forum has voted to approve Ballot SC-081v3, which will significantly reduce TLS certificate lifespans over the next few years. This is a major shift in the web security landscape that will affect millions of website operators.

The New Certificate Schedule

Here’s the approved timeline for certificate validity reduction:

Certificate issued on or after | Certificate issued before | Maximum Validity Period
                               | March 15, 2026            | 398 days
March 15, 2026                 | March 15, 2027            | 200 days
March 15, 2027                 | March 15, 2029            | 100 days
March 15, 2029                 |                           | 47 days

This means by March 2029, all newly issued TLS certificates will have a maximum lifespan of just 47 days—less than 7 weeks!

A Solution Looking for a Problem?

While the CA/Browser Forum moves forward with shorter certificate lifetimes, it’s worth examining whether this approach truly addresses a significant security concern or creates more problems than it solves.

Security expert Steve Gibson makes compelling arguments questioning the necessity of such short certificate lifespans. In his analysis, he points out that:

  1. Certificate theft is not a demonstrated widespread problem. Despite closely tracking security news for years, Gibson notes there have been “exactly zero instances of website certificates being stolen and abused” that he can recall.
  2. Certificate revocation is improving. The industry is moving toward more effective revocation methods using browser-side Certificate Revocation Lists (CRLs) based on Bloom Filter technology, which can respond to compromises in minutes or hours rather than days.
  3. Short certificates create a single point of failure. With 6-day certificates (which Let’s Encrypt has announced), websites become critically dependent on the certificate authority’s continuous availability. If a service like Let’s Encrypt were to experience extended downtime—perhaps from a DDoS attack similar to what the Internet Archive recently faced—millions of websites could become effectively inaccessible as their certificates expire.
  4. Certificate theft alone is insufficient for attack. Simply possessing a stolen certificate doesn’t enable website spoofing. An attacker would also need to redirect user traffic through DNS poisoning or BGP manipulation—both challenging attacks with their own mitigations.

OCSP Stapling: A Better Alternative?

One approach that addresses certificate revocation concerns without the drawbacks of ultra-short certificate lifespans is OCSP (Online Certificate Status Protocol) Stapling. With OCSP Stapling:

  • Web servers periodically obtain a time-stamped OCSP response from the CA
  • This response is “stapled” to the TLS handshake when a client connects
  • Clients can verify certificate validity without separate queries to the CA
  • Privacy is maintained as browsers don’t need to query CAs directly

OCSP Stapling provides near real-time revocation status without creating critical dependencies on continuous CA availability.

What This Means for Website Operators

Website operators have several years to prepare for these changes. If you’re currently managing websites:

  1. Ensure your certificate renewal processes are fully automated
  2. Consider redundant certificate providers if possible
  3. Implement monitoring for certificate expiration
  4. Stay informed about developments in certificate management standards
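As an added illustration (not code from the original post), here is a monitoring check that applies the SC-081v3 schedule above and judges renewal timing as a fraction of the certificate's lifetime rather than a fixed number of days; the dates and the 2/3 renewal fraction are constructed sample values.

```python
from datetime import datetime, timezone

def utc(year: int, month: int, day: int) -> datetime:
    """Construct a timezone-aware UTC date (helper for sample inputs)."""
    return datetime(year, month, day, tzinfo=timezone.utc)

# SC-081v3 schedule from the table above: certificates issued before each
# cutoff date may be valid for at most the listed number of days.
SCHEDULE = [
    (utc(2026, 3, 15), 398),
    (utc(2027, 3, 15), 200),
    (utc(2029, 3, 15), 100),
]
FINAL_MAX_DAYS = 47  # issued on or after March 15, 2029

def max_validity_days(issued: datetime) -> int:
    """Maximum permitted validity period for a certificate issued at `issued`."""
    for cutoff, days in SCHEDULE:
        if issued < cutoff:
            return days
    return FINAL_MAX_DAYS

def check_certificate(not_before: datetime, not_after: datetime, now: datetime,
                      renew_fraction: float = 2 / 3) -> dict:
    """Assess a certificate's validity window for a monitoring check.

    Renewal is judged as a fraction of the lifetime, not a fixed number of
    days: a fixed "alert at 30 days left" rule fires the moment a 47-day
    certificate is issued. A lifetime longer than the schedule permits for
    its issuance date is flagged as a policy violation worth investigating.
    Validity is measured as notAfter minus notBefore in whole days; check
    borderline cases against the exact Baseline Requirements definition.
    """
    lifetime = not_after - not_before
    allowed = max_validity_days(not_before)
    return {
        "lifetime_days": lifetime.days,
        "max_allowed_days": allowed,
        "exceeds_policy": lifetime.days > allowed,
        "remaining_days": (not_after - now).days,
        "expired": now >= not_after,
        "renewal_due": now >= not_before + lifetime * renew_fraction,
    }

if __name__ == "__main__":
    # Constructed sample: a 47-day certificate issued after the final cutoff,
    # checked two days after the renewal point.
    print(check_certificate(utc(2029, 4, 1), utc(2029, 5, 18), utc(2029, 5, 3)))
```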

For those who prioritize reliability over quick revocation for theoretical compromises, longer-duration certificates from commercial CAs may remain an option until the full implementation of the new standards in 2029.

Conclusion

While the industry moves toward shorter certificate lifespans, it’s important to consider whether this approach truly enhances security or simply creates new vulnerabilities. Effective certificate revocation mechanisms combined with reasonable certificate lifespans might provide better overall security without the operational risks of extremely short-lived certificates.

The transition to shorter lifespans is now inevitable, but the discussion about best practices in certificate management should continue as we learn from real-world implementation of these new standards.
