
Maximum TLS Certificate Lifetime is Now 200 Days

As of the start of this week (15 March 2026), the maximum validity period for publicly trusted TLS certificates has dropped from 398 days to 200 days. The change is the first step of a schedule the CA/Browser Forum adopted last year in Ballot SC-081. (The CA/Browser Forum, usually written CA/B Forum, is the industry body of certificate authorities, browser vendors and operating-system providers that sets the Baseline Requirements for publicly trusted SSL/TLS certificates.)


The next step comes on March 15, 2027, when the maximum validity period of subscriber certificates drops to 100 days, and on March 15, 2029 it is shortened again to 47 days. A number of certificate authorities are already issuing certificates with a maximum validity of 199 days rather than 200. The reason is that the Baseline Requirements measure the validity period from notBefore through notAfter inclusive, so a certificate whose notAfter is exactly 200 days after its notBefore is one second over the limit; issuing 199-day certificates leaves a safety margin.


Why? The primary driver is the recognition that trust degrades over time. A certificate that stays valid for more than a year (398 days under the previous rules) is a liability in a fast-moving threat landscape.


Firstly, it's to reduce the window of exposure;

If a private key is stolen or a certificate is otherwise compromised, the certificate remains usable until it expires or is revoked. Revocation checking (CRLs and OCSP) is notoriously unreliable: browsers commonly soft-fail when a revocation check times out, and several have stopped performing live OCSP lookups altogether for performance and privacy reasons, so an attacker holding a valid certificate and key can often keep using them regardless of revocation. By shortening the maximum lifespan from 398 to 200 days, the "shelf life" of a stolen key is roughly halved, naturally limiting the time an attacker can use it, and each later step shrinks it further.


Then there is promoting "crypto-agility";

Security standards change. When weaknesses are found in a cryptographic algorithm (as with the transition away from SHA-1 certificate signatures), it can take years to flush old, weak certificates out of the ecosystem because every one of them stays valid until it expires. Shorter lifespans mean the whole installed base turns over much faster, so the internet can move to newer, stronger cryptographic standards in months rather than years.


Forcing automation;

Manual certificate management is a leading cause of expired-certificate outages. By moving to a 200-day cycle now, and eventually a 47-day cycle on which every certificate is reissued roughly monthly, the industry is effectively making automation mandatory. This pushes organisations to adopt tooling built on the ACME protocol (Automated Certificate Management Environment, RFC 8555), which requests, validates and renews certificates automatically and removes the human error from the process.


Lastly, frequent identity validation;

A lot can change in a year: businesses are sold, domains change hands, and server infrastructure is reassigned. Frequent renewals, together with the accompanying 200-day limit on how long a CA may reuse domain-control validation data (falling to 100 days in 2027 and 10 days in 2029 under the same ballot), ensure that the entity holding the certificate still actually controls the domain and is who they claim to be.
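The automation and validation points above come down to a few concrete dates and durations, so here is an added example (not code from this post or from any CA) that encodes the SC-081 schedule, checks a parsed certificate against the cap in force on its notBefore date, computes a renewal point and checks whether domain-validation evidence is still reusable. It also demonstrates the 199-day point from above: because the Baseline Requirements count the validity period from notBefore through notAfter inclusive, a certificate spanning exactly 200 days fails the check by one second. The certificates it inspects are throwaway self-signed ones generated in memory for the hypothetical name example.test, so nothing here talks to a real CA; the "renew when one third of the lifetime remains" rule is the convention Let's Encrypt recommends for ACME clients, not a requirement of the ballot.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Effective dates of the three steps in CA/Browser Forum Ballot SC-081.
var (
	step2026 = time.Date(2026, 3, 15, 0, 0, 0, 0, time.UTC)
	step2027 = time.Date(2027, 3, 15, 0, 0, 0, 0, time.UTC)
	step2029 = time.Date(2029, 3, 15, 0, 0, 0, 0, time.UTC)
)

// maxDays returns the maximum subscriber-certificate validity period and the
// maximum domain-control-validation (DCV) reuse period, both in days, that
// apply to a certificate issued at t. Before the 2026 step both caps were 398 days.
func maxDays(t time.Time) (validity, dcvReuse int) {
	switch {
	case !t.Before(step2029):
		return 47, 10
	case !t.Before(step2027):
		return 100, 100
	case !t.Before(step2026):
		return 200, 200
	default:
		return 398, 398
	}
}

// validityCompliant returns the certificate's validity period as the Baseline
// Requirements measure it (notBefore through notAfter inclusive, hence the
// extra second) and whether it fits the cap in force on its notBefore date.
// A notAfter exactly 200*24h after notBefore is therefore one second too long,
// which is why CAs issue 199-day certificates rather than 200-day ones.
func validityCompliant(cert *x509.Certificate) (time.Duration, bool) {
	period := cert.NotAfter.Sub(cert.NotBefore) + time.Second
	limit, _ := maxDays(cert.NotBefore)
	return period, period <= time.Duration(limit)*24*time.Hour
}

// renewAfter returns the point at which an ACME client should start renewing:
// when one third of the lifetime remains (the convention Let's Encrypt
// recommends; a CA that offers ACME Renewal Information can supply a window instead).
func renewAfter(cert *x509.Certificate) time.Time {
	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	return cert.NotBefore.Add(lifetime * 2 / 3)
}

// dcvReusable reports whether domain-control validation completed at
// validatedAt may still be reused for a certificate issued at issueAt.
func dcvReusable(validatedAt, issueAt time.Time) bool {
	_, reuse := maxDays(issueAt)
	return issueAt.Sub(validatedAt) <= time.Duration(reuse)*24*time.Hour
}

// selfSigned builds a throwaway self-signed certificate for the hypothetical
// name example.test with the given window, so the checks above have a real
// parsed certificate to inspect without touching the network.
func selfSigned(notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		DNSNames:     []string{"example.test"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	issued := time.Date(2026, 3, 16, 0, 0, 0, 0, time.UTC) // constructed issuance date, just after the 2026 step
	for _, days := range []int{199, 200, 398} {
		cert, err := selfSigned(issued, issued.AddDate(0, 0, days))
		if err != nil {
			panic(err)
		}
		period, ok := validityCompliant(cert)
		fmt.Printf("%3d-day certificate: period %v, compliant=%t, renew after %s\n",
			days, period, ok, renewAfter(cert).Format("2006-01-02"))
	}
	validated := issued.AddDate(0, 0, -201) // DCV evidence one day older than the 200-day reuse cap
	fmt.Printf("DCV evidence from %s reusable on %s: %t\n",
		validated.Format("2006-01-02"), issued.Format("2006-01-02"), dcvReusable(validated, issued))
}
```

Point validityCompliant at certificates pulled from your own servers (x509.ParseCertificate on the DER from a tls.Conn, for example) to find anything that will stop being issuable at the next step, and note that the 100- and 47-day caps make the renewAfter window about 66 and 31 days respectively, which is why scheduled manual renewal stops being realistic.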


You can find more info here:






© 2026 Dan Weis

danweis.me
