47-Day SSL/TLS Certificates by 2029

FatGrizzly (Hosting Provider)

TLDR: the CA/B Forum held a vote (proposed by Apple) to reduce SSL certificate validity to 47 days (applicable from 2029).

Every CA and CA Consumer voted in favor.

Timeline:

Phased Reduction Timeline

March 15, 2026:
    Maximum certificate lifespan: 200 days
    Domain validation reuse: 200 days (down from 398 days)
    OV/EV validation reuse (SII): 398 days (down from 825 days)
March 15, 2027:
    Maximum certificate lifespan: 100 days
    Domain validation reuse: 100 days
March 15, 2029:
    Maximum certificate lifespan: 47 days
    Domain validation reuse: 10 days

https://www.ssl.com/article/preparing-for-47-day-ssl-tls-certificates/

This is sad. This is gonna be a pain in the ass for several people. Especially where ACME can't be implemented.

Thanked by (1)Not_Oles

Comments

  • Not pain, just more money to charge for such a trivial task as SSL renewal.

  • ...and yet this puts even tighter restrictions on the whole "Don't trust without SSL" bullshit they've been pushing. The MitM attack is now the signing key.

    My pronouns are like/subscribe.

  • Radi (Hosting Provider, OG)

    Just DV SSLs affected?

    Get some hosting at https://drserver.net.

  • Guessing this means those 90-day LetsEncrypt renewals get shortened to 45 days or something.

  • FatGrizzly (Hosting Provider)

    @Radi said:
    Just DV SSLs affected?

    No.

    Looks like every validation method will apply to the 47-day rule.

    It's very weird to be honest.

    @SocksAreComfortable said:
    Guessing this means those 90-day LetsEncrypt renewals get shortened to 45 days or something.

    Yes.

    Thanked by (1)SocksAreComfortable
  • ZizzyDizzyMC (Hosting Provider)

    The option of making your own SSL provider is there, if they get too aggressive just displaying a banner on your site "Use this SSL provider and it works" and you get a couple big sites doing it and the next thing you know you've kicked the entire establishment to the curb.

    See also: https encrypted DNS, and every video host who got big and was upstaged by the next guy.

  • I can understand the argument that long-term certs can be problematic if they get out of the owner's control, e.g. if I steal a signature certificate I can sign anything with it for the rest of its validity term, and only in-depth checks (that are rarely done) would show that the signature is invalid.

    What I don't know is how "real" this problem is.
    How common are cases where certs are abused that could be mitigated by reducing the validity timeframe?

  • It's hardly feasible to manually renew certificates every 90 days anyway, I don't think it matters so much.
    Where can't ACME be implemented?

    Thanked by (1)skhron
  • What's the reason they keep lowering validity? What's the benefit?

    Thanked by (1)imok
  • havoc (OG, Content Writer, Senpai)

    @secure said:
    What's the reason they keep lowering validity? What's the benefit?

    Hypothetically safer: “enhance security by minimizing the time a compromised certificate can be exploited, promoting automation, and ensuring alignment with evolving cryptographic standar”

    Can’t say I particularly care either way but for those sysadmins needing to update printers and other antediluvian tech it must suck

    Thanked by (1)skorous
  • AuroraZero (Hosting Provider, Retired)

    A good bash scripter could give a crap less to be honest. It's an inconvenience to change scripts but not that big of a deal.

  • @AuroraZero said:
    A good bash scripter could give a crap less to be honest. It's an inconvenience to change scripts but not that big of a deal.

    I was thinking the same. I check my certificates for renewal every 15 days anyway. So it doesn't matter for me.

    I think Windows Server RDP has some limitations and ACME can't be implemented there (at least the last time I tried, I had to generate the certificate package from Linux and apply it to Windows). Other than that, I guess this gives people more reason to implement ACME for EVERYTHING!

    Never make the same mistake twice. There are so many new ones to make.
    It’s OK if you disagree with me. I can’t force you to be right.
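An added example, not code from anyone in this thread, of the kind of periodic check somik describes above, applied to the phased caps listed in the timeline at the top of the thread. It parses the dates that `openssl x509 -noout -dates` prints for a constructed set of sample hosts, looks up which lifetime cap applies to each certificate's issue date, and reports whether the certificate is over the cap, already expired, due for renewal, or fine. The 398-day cap assumed before the first phase, the sample hosts and their dates, and the renew-when-a-third-of-the-lifetime-remains rule are assumptions for this example.

```python
"""Audit a certificate inventory against the phased lifetime caps from the thread's timeline.

The phase dates and caps are the ones quoted in the thread. The 398-day pre-2026 cap,
the sample hosts, the sample `openssl x509 -noout -dates` output and the
renew-at-one-third rule are constructed assumptions for this example.
"""
from dataclasses import dataclass
from datetime import date, datetime, timezone

# (phase start, maximum certificate lifetime in days) from the thread's timeline.
LIFETIME_PHASES = [
    (date(2026, 3, 15), 200),
    (date(2027, 3, 15), 100),
    (date(2029, 3, 15), 47),
]
PRE_PHASE_CAP_DAYS = 398  # assumed cap in force before the first phase

# Constructed sample output, in the format `openssl x509 -noout -dates` prints.
SAMPLE_OPENSSL_DATES = {
    "old.example":    "notBefore=Jan 10 00:00:00 2026 GMT\nnotAfter=Feb 12 00:00:00 2027 GMT\n",
    "web.example":    "notBefore=Apr  1 00:00:00 2027 GMT\nnotAfter=Jul 10 00:00:00 2027 GMT\n",
    "mail.example":   "notBefore=Apr  1 00:00:00 2029 GMT\nnotAfter=May 18 00:00:00 2029 GMT\n",
    "legacy.example": "notBefore=Mar 20 00:00:00 2029 GMT\nnotAfter=Mar 20 00:00:00 2030 GMT\n",
}


@dataclass
class Finding:
    host: str
    lifetime_days: int   # notAfter minus notBefore
    cap_days: int        # maximum lifetime allowed for a cert issued on notBefore
    days_left: int       # days until notAfter, negative once expired
    status: str          # "over-cap", "expired", "renew" or "ok"


def max_lifetime_on(issue_date: date) -> int:
    """Return the lifetime cap in force for a certificate issued on issue_date."""
    cap = PRE_PHASE_CAP_DAYS
    for start, days in LIFETIME_PHASES:
        if issue_date >= start:
            cap = days
    return cap


def parse_openssl_dates(text: str) -> tuple[datetime, datetime]:
    """Parse the notBefore/notAfter lines that `openssl x509 -noout -dates` prints."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        tokens = value.split()          # collapses the double space before single-digit days
        if tokens and tokens[-1] == "GMT":
            tokens.pop()                # x509 validity dates are always UTC
        stamp = datetime.strptime(" ".join(tokens), "%b %d %H:%M:%S %Y")
        fields[key.strip()] = stamp.replace(tzinfo=timezone.utc)
    return fields["notBefore"], fields["notAfter"]


def audit(host: str, not_before: datetime, not_after: datetime, today: datetime,
          renew_fraction: float = 1 / 3) -> Finding:
    """Classify one certificate; renew_fraction is the assumed renew-when-remaining rule."""
    lifetime = (not_after - not_before).days
    cap = max_lifetime_on(not_before.date())
    days_left = (not_after - today).days
    if lifetime > cap:
        status = "over-cap"   # issuance policy is broken: clients will reject this cert
    elif days_left < 0:
        status = "expired"
    elif days_left <= lifetime * renew_fraction:
        status = "renew"
    else:
        status = "ok"
    return Finding(host, lifetime, cap, days_left, status)


def audit_sample(host: str, today_iso: str) -> Finding:
    """Audit one constructed sample host as of the given ISO date (e.g. '2029-05-05')."""
    not_before, not_after = parse_openssl_dates(SAMPLE_OPENSSL_DATES[host])
    today = datetime.fromisoformat(today_iso).replace(tzinfo=timezone.utc)
    return audit(host, not_before, not_after, today)


if __name__ == "__main__":
    for sample_host in SAMPLE_OPENSSL_DATES:
        print(audit_sample(sample_host, "2029-05-05"))
```

In practice the sample dictionary would be replaced by the real output of `openssl x509 -noout -dates -in cert.pem` for each host, and the script run from cron at an interval well inside the renewal window (for a 47-day certificate, a third of the lifetime is about 15 days, which is the cadence somik mentions). The "over-cap" status is the one worth alerting on early: it flags an issuance pipeline still handing out certificates longer than the cap that will apply on their issue date.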

  • AuroraZero (Hosting Provider, Retired)

    @somik said: Windows Server RDP

    Why you cursing at me? What did I ever do to you? I even brought the Yeti to SG!!!

  • @AuroraZero said:

    @somik said: Windows Server RDP

    Why you cursing at me? What did I ever do to you? I even brought the Yeti to SG!!!

    I would laugh at you if I had not spent 10 days trying to install and get Windows Server Remote Desktop Gateway to work so I could use Windows programs from all connected machines. Had to read up forum posts on the Microsoft support site, blog posts, and trial and error, and when I finally got it working, it worked temporarily before it crapped up.

    That was about 5 years ago and I still have nightmares about it...

    Never make the same mistake twice. There are so many new ones to make.
    It’s OK if you disagree with me. I can’t force you to be right.

  • @FatGrizzly said:

    @Radi said:
    Just DV SSLs affected?

    No.

    Looks like every validation method will apply to the 47-day rule.

    It's very weird to be honest.

    @SocksAreComfortable said:
    Guessing this means those 90-day LetsEncrypt renewals get shortened to 45 days or something.

    Yes.

    Will this be the final blow for EV/OV SSLs? Not too sure how a company would re-verify every <10 days in 2029.

    lol
