How businesses can prepare for the 47-day certificate lifecycle: What it means and recent updates
2024-11-21 17:18 Author: securityboulevard.com

Apple’s proposal to shorten SSL/TLS certificate lifespans to 47 days by 2028 emphasizes enhanced security and automation. Shorter cycles reduce vulnerabilities, encourage automated certificate management, and push businesses to adopt efficient tools like ACME protocols. While the proposal isn’t yet mandatory, businesses must prepare by modernizing infrastructure, automating renewal processes, and training teams. Adapting early minimizes risks, ensuring compliance and security as industry standards evolve.

Businesses must adapt to new security requirements to protect their operations and customers. One such significant change is the recent proposal from Apple within the CA/Browser Forum (CA/B Forum) to reduce the maximum validity period for SSL/TLS certificates from 398 days to just 47 days. Sponsored by Sectigo, the proposal outlines a plan to gradually phase down the maximum term for public SSL/TLS certificates to just 47 days by March 2028. The ballot also proposes reducing the Domain Control Validation (DCV) reuse period, ultimately reaching a limit of 10 days also by March 2028.

This update follows Apple’s previous proposal in October 2024 to gradually reduce certificate validity to 45 days by 2027. While the shortened certificate lifecycles are yet to become mandatory, the revised proposal of 47 days signals a shift that businesses need to prepare for. Here’s what it means for the industry, the impact it will have, and how organizations can stay ahead.

What is the 47-day certificate proposal?

Historically, SSL/TLS certificates could be valid for up to ten years before 2012. The maximum was later shortened to three years, then to two, and then further reduced to one year (398 days) in 2020. This proposed 47-day lifespan would be a significant change, intended to strengthen online security by enabling faster responses to emerging threats and limiting the potential risks associated with compromised certificates. The steady reduction in certificate lifespans reflects a substantial shift in the industry’s approach to digital trust and resilience.

The primary motivation behind this change is enhanced security. Shorter certificate lifecycles reduce the time attackers have to exploit potential vulnerabilities; when certificates remain valid for extended periods, they are more likely to be compromised undetected, which poses serious risks. By decreasing certificate validity to 47 days, companies would be required to update and re-validate their certificates more frequently, thus reducing the time window in which an attacker could take advantage of a compromised certificate.

Another key factor driving this proposal is the need to encourage automation in certificate management. As certificate lifespans become shorter, automation is moving from a convenience to an essential practice for organizations. With a 47-day lifespan, businesses will need to automate their certificate renewal processes, as manual renewal methods that sufficed for longer periods will no longer be feasible. This emphasis on automation is, therefore, a central aspect of Apple’s proposal.

What does this mean for the industry?

The proposed 47-day certificate period brings several implications for the industry, particularly regarding the increased administrative burden for businesses still reliant on manual or semi-automated certificate renewal processes. With renewals becoming more frequent, companies will need to adopt more efficient systems and processes to prevent service disruptions. This shift necessitates a re-evaluation of current practices, with many organizations likely facing a steeper administrative load unless they adapt their systems accordingly.

Additionally, this change will drive the industry towards greater automation and zero-touch deployments. Robust automation solutions are becoming essential for efficiently managing certificate tasks, such as deployment, monitoring, renewal, and updates, without the need for manual intervention. Businesses will increasingly adopt advanced certificate lifecycle management (CLM) tools built on protocols like ACME (Automatic Certificate Management Environment) to streamline these processes. This shift may also prompt Certificate Authorities (CAs) to adjust their offerings, potentially introducing new API capabilities and services that support automated renewals and facilitate integration into CI/CD (Continuous Integration/Continuous Deployment) pipelines.

Updates from the CA/B Forum and Apple’s proposal

Apple’s proposal has sparked significant discussions within the CA/B Forum, the industry body that oversees certificate standards. Apple, alongside other key browser vendors like Google, has been advocating for shorter certificate lifespans as a means to improve internet security. Here’s a summary of the key updates:

  • Apple’s push for shortened lifespan: Apple has been one of the more vocal proponents for shorter certificates. The proposed 47-day period is seen as a logical progression following the reduction to 398 days. Apple argues that shorter certificates will promote better security hygiene and force the industry to modernize its practices, especially concerning automation.
  • Industry divided: While some in the industry agree with Apple’s proposal, others argue that such a short validity period could be burdensome for businesses that have not yet fully automated their certificate management. Sectigo strongly supports shortening certificate lifespans and has even sponsored the ballot.
  • No set implementation date: Although the proposal has gained traction, it has not yet been adopted as a requirement. This gives businesses time to prepare, but it is clear that the trend is moving toward shorter validity periods. Businesses that start adapting now will be in a better position when and if the new rule is enforced.

How businesses can prepare

Given the likelihood of the 47-day certificate lifecycle becoming an industry standard, businesses must start preparing now. Here are some steps organizations can take to create a readiness plan:

  • Invest in automation tools: If your business is not yet using automated CLM solutions, it’s time to invest in tools that support ACME or similar protocols. These tools can handle the entire lifecycle of a certificate – issuing, monitoring, renewing, and revoking – without manual intervention. Automation reduces the risk of expired certificates, ensuring continuous uptime and security.
  • Evaluate your existing certificate infrastructure: Review the current state of your certificate infrastructure and identify areas that require modernization. Businesses should conduct a comprehensive audit to understand how many certificates they have, where they are used, and whether they have the capacity to support automated renewal.
  • Implement centralized management systems: Centralized certificate management systems allow IT teams to oversee all certificates in one place, providing better visibility and control. This approach simplifies the renewal process and ensures that no certificate goes unnoticed.
  • Educate and train your team: The shift to a 47-day certificate lifecycle requires a new skill set for IT teams. Invest in training programs to ensure your staff understands the automation tools and practices required to manage shorter certificate lifespans effectively.
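As an added example (not code from the original post or from Sectigo), here is a small Go audit a team could run over its certificate inventory as part of the review described above: it measures each certificate's validity period against the proposed 47-day cap and derives the date by which automation must have renewed it. The two-thirds-of-lifetime renewal rule and the two sample certificates are assumptions for illustration, not something the post specifies.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"time"
)

// MaxLifetime is the cap proposed in the CA/B Forum ballot: 47 days.
const MaxLifetime = 47 * 24 * time.Hour

// Finding is one row of the inventory audit.
type Finding struct {
	Subject      string
	LifetimeDays int
	Compliant    bool      // validity period within the 47-day cap
	RenewBy      time.Time // assumed policy: renew at two-thirds of the lifetime
}

// Audit measures each certificate's validity period against the cap and
// derives the date by which an automated renewer should have replaced it.
func Audit(certs []*x509.Certificate) []Finding {
	var out []Finding
	for _, c := range certs {
		life := c.NotAfter.Sub(c.NotBefore)
		out = append(out, Finding{Subject: c.Subject.CommonName, LifetimeDays: int(life.Hours() / 24),
			Compliant: life <= MaxLifetime, RenewBy: c.NotBefore.Add(life * 2 / 3)})
	}
	return out
}

func main() {
	// Constructed inventory standing in for x509.ParseCertificate output: one
	// certificate issued under today's 398-day limit, one already on the cap.
	start := time.Date(2025, 1, 5, 0, 0, 0, 0, time.UTC)
	inventory := []*x509.Certificate{
		{Subject: pkix.Name{CommonName: "legacy.example"}, NotBefore: start, NotAfter: start.AddDate(0, 0, 398)},
		{Subject: pkix.Name{CommonName: "auto.example"}, NotBefore: start, NotAfter: start.AddDate(0, 0, 47)},
	}
	for _, f := range Audit(inventory) {
		fmt.Printf("%-15s %3d days  compliant=%-5v renew by %s\n",
			f.Subject, f.LifetimeDays, f.Compliant, f.RenewBy.Format("2006-01-02"))
	}
}
```

In a real audit the inventory would come from the certificates exported by servers or a CLM system; any row that is not compliant, or whose renewal deadline is not covered by an automated job, is a gap to close before the cap takes effect.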

Looking ahead

The proposal for a 47-day certificate lifecycle reflects the industry’s push for greater security and automation. While the change may not yet be a requirement, businesses should start preparing now. By investing in automation tools, centralizing certificate management, and training teams, organizations can stay ahead of the curve and minimize the risks associated with shorter certificate lifespans. This proactive approach not only ensures compliance with emerging standards but also reinforces the security and reliability of business operations in an increasingly digital world.

*** This is a Security Bloggers Network syndicated blog from Sectigo authored by Sectigo Team. Read the original post at: https://www.sectigo.com/resource-library/47-day-ssl-lifecycle-preparation


Article source: https://securityboulevard.com/2024/11/how-businesses-can-prepare-for-the-47-day-certificate-lifecycle-what-it-means-and-recent-updates/