47-Day SSL/TLS Certificates by 2029

FatGrizzly (Hosting Provider)

TL;DR: The CA/B Forum held a vote (proposed by Apple) to reduce SSL certificate validity to 47 days (applicable from 2029).

Every CA and CA Consumer voted in favor.

Phased reduction timeline:

March 15, 2026:
    Maximum certificate lifespan: 200 days
    Domain validation reuse: 200 days (down from 398 days)
    OV/EV validation reuse (SII): 398 days (down from 825 days)
March 15, 2027:
    Maximum certificate lifespan: 100 days
    Domain validation reuse: 100 days
March 15, 2029:
    Maximum certificate lifespan: 47 days
    Domain validation reuse: 10 days

https://www.ssl.com/article/preparing-for-47-day-ssl-tls-certificates/

This is sad. This is gonna be a pain in the ass for several people. Especially where ACME can't be implemented.

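To make the phased limits above concrete, here is an added example (not from the post or the ssl.com article) that checks a certificate's validity span against the maximum lifespan in force on its issue date and computes the date automation should renew it. The 398-day pre-2026 limit and the two-thirds-of-lifetime renewal rule are assumptions.

```python
# Added example: phased CA/B Forum lifetime limits quoted in the post,
# applied to a certificate's notBefore/notAfter dates. No network access needed.
from datetime import date, timedelta

# Phase table from the post: (effective date, maximum certificate lifespan in days).
PHASES = [
    (date(2026, 3, 15), 200),
    (date(2027, 3, 15), 100),
    (date(2029, 3, 15), 47),
]
PRE_PHASE_MAX_DAYS = 398  # assumed: the limit in force before the first phase


def max_lifetime_on(issued: date) -> int:
    """Maximum allowed lifetime (days) for a certificate issued on `issued`."""
    limit = PRE_PHASE_MAX_DAYS
    for effective, days in PHASES:
        if issued >= effective:  # each phase replaces the previous limit
            limit = days
    return limit


def check_certificate(not_before: date, not_after: date,
                      renew_fraction: float = 2 / 3) -> dict:
    """Compare a certificate's validity span with the limit in force on its issue date.

    Returns the lifetime, the applicable limit, whether the cert complies, and the date
    an ACME-style client should renew by (renew_fraction of the lifetime; assumed rule).
    """
    lifetime = (not_after - not_before).days
    limit = max_lifetime_on(not_before)
    renew_on = not_before + timedelta(days=int(lifetime * renew_fraction))
    return {
        "lifetime_days": lifetime,
        "max_allowed_days": limit,
        "compliant": lifetime <= limit,
        "renew_on": renew_on,
    }


def due_for_renewal(certs: dict, today: date) -> list:
    """Names of certificates (constructed inventory: name -> (notBefore, notAfter))
    whose renewal date has been reached by `today`."""
    return sorted(name for name, (nb, na) in certs.items()
                  if check_certificate(nb, na)["renew_on"] <= today)


if __name__ == "__main__":
    # Constructed sample inventory, not real certificates.
    inventory = {
        "web.example.test": (date(2029, 4, 1), date(2029, 5, 18)),   # 47-day cert
        "mail.example.test": (date(2027, 6, 1), date(2027, 12, 18)),  # 200 days, over limit
    }
    for name, (nb, na) in inventory.items():
        print(name, check_certificate(nb, na))
    print("due:", due_for_renewal(inventory, date(2029, 5, 2)))
```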

Comments

  • Not pain, just more money to charge for such a trivial task as SSL renewal.

  • ...and yet this puts even tighter restrictions on the whole "Don't trust without SSL" bullshit they've been pushing. The MitM attack is now the signing key.

    My pronouns are like/subscribe.

  • Radi (Hosting Provider, OG)

    Just DV SSLs affected?

    Get some hosting at https://drserver.net .

  • Guessing this means those 90-day LetsEncrypt renewals get shortened to 45 days or something.

  • FatGrizzly (Hosting Provider)

    @Radi said:
    Just DV SSLs affected?

    No.

    Looks like every validation method will apply to the 47-day rule.

    It's very weird to be honest.

    @SocksAreComfortable said:
    Guessing this means those 90-day LetsEncrypt renewals get shortened to 45 days or something.

    Yes.

  • ZizzyDizzyMC (Hosting Provider)

    The option of making your own SSL provider is there. If they get too aggressive, just display a banner on your site saying "Use this SSL provider and it works"; get a couple of big sites doing it and the next thing you know you've kicked the entire establishment to the curb.

    See also: https encrypted DNS, and every video host who got big and was upstaged by the next guy.

  • I can understand the argument that long-term certs can be problematic if they get out of the owner's control, e.g. if I steal a signing certificate I can sign anything with it for the rest of its validity term, and only in-depth checks (that are rarely done) would show that the signature is invalid.

    What I don't know is how "real" this problem is.
    How common are cases where certs are abused that could be mitigated by reducing the validity timeframe?

  • It's hardly feasible to manually renew certificates every 90 days anyway, so I don't think it matters so much.
    Where can't ACME be implemented?

  • What's the reason they keep lowering validity? What's the benefit?

  • havoc (OG, Content Writer, Senpai)

    @secure said:
    What's the reason they keep lowering validity? What's the benefit?

    Hypothetically safer: "enhance security by minimizing the time a compromised certificate can be exploited, promoting automation, and ensuring alignment with evolving cryptographic standar"

    Can't say I particularly care either way, but for those sysadmins needing to update printers and other antediluvian tech it must suck.

  • AuroraZero (Hosting Provider, Retired)

    A good bash scripter couldn't care less, to be honest. It's an inconvenience to change scripts but not that big of a deal.

  • @AuroraZero said:
    A good bash scripter couldn't care less, to be honest. It's an inconvenience to change scripts but not that big of a deal.

    I was thinking the same. I check my certificates for renewal every 15 days anyway. So it doesn't matter for me.

    I think Windows Server RDP has some limitations and ACME can't be implemented there (at least the last time I tried, I had to generate the certificate package from Linux and apply it to Windows). Other than that, I guess this gives people more reason to implement ACME for EVERYTHING!

    It’s OK if you disagree with me. I can’t force you to be right!
    IPv4: 32 bits of stress. IPv6: 128 bits of... well, more stress... Have anyone seen my subnet?

  • AuroraZero (Hosting Provider, Retired)

    @somik said: windows servers RDP

    Why you cursing at me? What did I ever do to you? I even brought the Yeti to SG!!!

  • @AuroraZero said:

    @somik said: windows servers RDP

    Why you cursing at me? What did I ever do to you? I even brought the Yeti to SG!!!

    I would laugh at you if I had not spent 10 days trying to install Windows Server Remote Desktop Gateway and get it to work so I could use Windows programs from all connected machines. Had to read up on forum posts on the Microsoft support site, blog posts, and trial and error, and when I finally got it working, it worked temporarily before it crapped out.

    That was about 5 years ago and I still have nightmares about it...


  • @FatGrizzly said:

    @Radi said:
    Just DV SSLs affected?

    No.

    Looks like every validation method will apply to the 47-day rule.

    It's very weird to be honest.

    @SocksAreComfortable said:
    Guessing this means those 90-day LetsEncrypt renewals get shortened to 45 days or something.

    Yes.

    Will this be the final blow for EV/OV SSLs? Not too sure how a company would re-verify every <10 days in 2029.

    lol
