<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
From: <a href="https://www.digicert.com/blog/tls-certificate-lifetimes-will-officially-reduce-to-47-days">
https://www.digicert.com/blog/tls-certificate-lifetimes-will-officially-reduce-to-47-days</a></div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
The CA/Browser Forum has officially voted to amend the TLS Baseline Requirements to set a schedule for shortening both the lifetime of TLS certificates and the reusability of CA-validated information in certificates. The first user impacts of the ballot take
place in March 2026.</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
The ballot was long debated in the CA/Browser Forum and went through several versions, incorporating feedback from certificate authorities and their customers. The voting period ended on April 11, 2025, closing one hotly contested chapter and allowing the certificate
world to plan for what comes next.</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
The new TLS certificate lifetime schedule</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
The new ballot targets certificate validity of 47 days, making automation essential. Prior to this proposal by Apple, Google promoted a 90-day maximum lifetime, but they voted in favor of Apple's proposal almost immediately after the voting period began.</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
Here's the schedule:</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
The maximum certificate lifetime is going down:</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
From today until March 15, 2026, the maximum lifetime for a TLS certificate is 398 days.</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
As of March 15, 2026, the maximum lifetime for a TLS certificate will be 200 days.</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
As of March 15, 2027, the maximum lifetime for a TLS certificate will be 100 days.</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
As of March 15, 2029, the maximum lifetime for a TLS certificate will be 47 days.</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
The maximum period during which domain and IP address validation information may be reused is going down:</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
From today until March 15, 2026, the maximum period during which domain validation information may be reused is 398 days.</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
As of March 15, 2026, the maximum period during which domain validation information may be reused is 200 days.</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
As of March 15, 2027, the maximum period during which domain validation information may be reused is 100 days.</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
As of March 15, 2029, the maximum period during which domain validation information may be reused is 10 days.</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
As of March 15, 2026, validations of Subject Identity Information (SII) can only be reused for 398 days, down from 825. SII is the company name and other information found in an OV (Organization Validated) or EV (Extended Validation) certificate, i.e.,
everything but the domain name or IP address protected by the certificate. This does not affect DV (Domain Validated) certificates, which have no SII.</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
Why 47 Days?</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
47 days might seem like an arbitrary number, but it's a simple cascade:</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
200 days = 6 maximal months (184 days) + 1/2 30-day month (15 days) + 1 day wiggle room</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
100 days = 3 maximal months (92 days) + ~1/4 30-day month (7 days) + 1 day wiggle room</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
47 days = 1 maximal month (31 days) + 1/2 30-day month (15 days) + 1 day wiggle room</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
Apple's justification for the change</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
In the ballot, Apple makes many arguments in favor of the moves, one of which is most worth calling out. They state that the CA/B Forum has been telling the world for years, by steadily shortening maximum lifetimes, that automation is essentially mandatory
for effective certificate lifecycle management.</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
The ballot argues that shorter lifetimes are necessary for many reasons, the most prominent being this: The information in certificates is becoming steadily less trustworthy over time, a problem that can only be mitigated by frequently revalidating the information.</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
The ballot also argues that the revocation system using CRLs and OCSP is unreliable. Indeed, browsers often ignore these features. The ballot has a long section on the failings of the certificate revocation system. Shorter lifetimes mitigate the effects of
using potentially revoked certificates. In 2023, CA/B Forum took this philosophy to another level by approving short-lived certificates, which expire within 7 days, and which do not require CRL or OCSP support.</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
Clearing up confusion about the new rules</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
Two points about the new rules are likely to cause confusion:</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
The rule changes take effect in three years, 2026, 2027, and 2029, but the gap between the second and third of those years is two years long.</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
As of March 15, 2029, the maximum lifetime for a TLS certificate will be 47 days, but the maximum period during which domain validation information may be reused is only 10 days. Manual revalidation will still technically be possible, but doing so would
be a recipe for failure and outages.</div>
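<div><br></div>
<div>The schedule and the 47-day versus 10-day point above can be checked mechanically against a certificate inventory. The following is an added example, not code from the original post or from DigiCert. It assumes each limit applies to certificates issued on or after its date and that the reuse limit is the one in force on the issuance date; the hostnames and dates are constructed, and lifetime is measured simply as notAfter minus notBefore.</div>

```python
from datetime import date, datetime, timedelta, timezone

# (effective date, max certificate lifetime, max domain-validation reuse), in
# days, from the schedule above. Applying each row to certificates issued on
# or after its date is this example's reading of "as of".
SCHEDULE = [
    (date(2029, 3, 15), 47, 10),
    (date(2027, 3, 15), 100, 100),
    (date(2026, 3, 15), 200, 200),
    (date.min, 398, 398),
]

def limits_on(issued: date) -> tuple[int, int]:
    """Return (max_lifetime_days, max_reuse_days) in force on an issuance date."""
    for effective, lifetime, reuse in SCHEDULE:
        if issued >= effective:
            return lifetime, reuse
    raise ValueError("unreachable: date.min matches every date")

def is_compliant(not_before: datetime, not_after: datetime) -> bool:
    """Compare notAfter - notBefore with the limit for the issuance date."""
    max_days, _ = limits_on(not_before.date())
    return not_after - not_before <= timedelta(days=max_days)

def can_reuse_validation(validated: date, issuing: date) -> bool:
    """True if a validation done on `validated` is still reusable on `issuing`."""
    _, reuse_days = limits_on(issuing)
    return 0 <= (issuing - validated).days <= reuse_days

def audit(inventory) -> list[str]:
    """Return names of certificates whose lifetime exceeds the schedule."""
    return [name for name, nb, na in inventory if not is_compliant(nb, na)]

def _cert(name, y, m, d, days):
    nb = datetime(y, m, d, tzinfo=timezone.utc)
    return name, nb, nb + timedelta(days=days)

# Constructed inventory: (name, notBefore, notAfter). Hostnames are placeholders.
INVENTORY = [
    _cert("a.example.com", 2026, 3, 14, 398),  # last day of the 398-day limit
    _cert("b.example.com", 2026, 3, 15, 398),  # too long once 200 applies
    _cert("c.example.com", 2027, 6, 1, 101),   # one day over the 100-day limit
    _cert("d.example.com", 2029, 3, 15, 47),   # exactly at the 47-day limit
]

if __name__ == "__main__":
    print("over limit:", audit(INVENTORY))
    # A 47-day certificate renewed 30 days after validation needs a fresh check.
    print(can_reuse_validation(date(2029, 4, 1), date(2029, 5, 1)))
```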
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
As a certificate authority, one of the most common questions we hear from customers is whether they'll be charged more to replace certificates more frequently. The answer is no. Cost is based on an annual subscription, and what we've learned is that, once users
adopt automation, they often voluntarily move to more rapid certificate replacement cycles.</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
For this reason, and because even the 2027 changes to 100-day certificates will make manual procedures untenable, we expect rapid adoption of automation long before the 2029 changes.</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Aptos, "Aptos_EmbeddedFont", "Aptos_MSFontService", Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Apple's statement about automated certificate lifecycle management is indisputable, but it's something we've been long preparing for. DigiCert offers multiple automation solutions through Trust Lifecycle Manager and CertCentral, including support for ACME.
DigiCert's ACME allows automation of DV, OV, and EV certificates and includes support for ACME Renewal Information (ARI).</div>
</body>
</html>