In recent years, SSL/TLS certificate validity periods have been dramatically shortened, and the latest move by Apple marks a significant shift in how certificates will soon be managed. This trend began with Google’s initial push to reduce certificate lifespans to 90 days, aiming to tighten security and reduce the risks of compromised certificates. However, last week, Apple made headlines in the digital security world by introducing a draft ballot to shorten the maximum validity period for public SSL/TLS certificates to just 45 days by 2027. This move, unveiled during the CA/Browser Forum meetings, aligns with broader industry efforts led by major browsers, including Google, to enhance web security by reducing certificate lifespans.
The Push for 45-Day Certificates
Currently, the standard for public certificates is a maximum of 398 days. However, Apple’s proposal lays out a roadmap for gradually reducing this timeframe, with significant milestones in 2025, 2026, and finally reaching a 45-day maximum by April 2027. Notably, the proposal also includes a reduction in the Domain Control Validation (DCV) reuse period, which will shrink to just 10 days by September 2027.
According to Apple, reducing certificate lifespan to 45 days is a potential best practice. By shortening the time a certificate is valid, the risk window for potential compromise could narrow significantly. As the industry moves toward these tighter lifecycles, it forces organizations to stay vigilant about their certificate management, reducing the likelihood of breaches caused by stale or mis-issued certificates.
The Challenge for IT Teams
This trend also aligns with the increasing adoption of automation tools, which are essential for managing the more frequent certificate renewals that shorter validity periods demand. ACME (Automated Certificate Management Environment) has emerged as a crucial tool in this context, especially for small to medium-sized businesses (SMBs).
While the security benefits of shorter certificate validity periods are clear, they also present significant operational challenges. Organizations relying on manual methods for tracking and renewing certificates may find it overwhelming to keep up with more frequent renewals. For busy IT teams, juggling certificates with varying expiration dates could lead to an increased risk of expired certificates causing service disruptions.
Through ACME, organizations can automate the issuance, installation, and renewal of certificates, ensuring that even with the shortened 45-day cycle, certificates are updated without manual intervention. This is particularly beneficial for smaller businesses that often lack the resources or time to manage certificates manually, yet still need to comply with the latest security standards and avoid outages due to expired certificates.
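One way to audit a certificate inventory against the 45-day maximum and see how little slack a short lifetime leaves between renewal and expiry. This is an added example, not code from the original article; the two-thirds renewal point, the hostnames and all dates are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

MAX_VALIDITY_DAYS = 45   # proposed maximum for public certificates (from the article)
RENEW_NUM, RENEW_DEN = 2, 3  # assumption: start renewal after 2/3 of the lifetime

def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

def audit(cert, now, max_days=MAX_VALIDITY_DAYS):
    """Classify one inventory entry and compute its renewal window."""
    lifetime = cert["not_after"] - cert["not_before"]
    # Integer arithmetic on the timedelta avoids float rounding.
    renew_at = cert["not_before"] + lifetime * RENEW_NUM / RENEW_DEN
    if now >= cert["not_after"]:
        status = "expired"
    elif now >= renew_at:
        status = "renew_now"
    else:
        status = "ok"
    return {
        "name": cert["name"],
        "status": status,
        "lifetime_days": lifetime.days,
        "exceeds_max": lifetime > timedelta(days=max_days),
        "slack_days": (cert["not_after"] - renew_at).days,  # time left to fix a failed renewal
        "days_left": (cert["not_after"] - now).days,
    }

def needs_attention(inventory, now):
    """Names of certificates that are expired, due for renewal, or too long-lived."""
    reports = [audit(cert, now) for cert in inventory]
    return [r["name"] for r in reports if r["status"] != "ok" or r["exceeds_max"]]

# Constructed sample inventory (hypothetical hosts and dates).
NOW = utc(2027, 5, 2)
INVENTORY = [
    {"name": "www.example.test", "not_before": utc(2027, 4, 1), "not_after": utc(2027, 5, 16)},
    {"name": "api.example.test", "not_before": utc(2027, 4, 20), "not_after": utc(2027, 6, 4)},
    {"name": "legacy.example.test", "not_before": utc(2026, 6, 1), "not_after": utc(2027, 7, 4)},
    {"name": "old.example.test", "not_before": utc(2027, 3, 1), "not_after": utc(2027, 4, 15)},
]
REPORT = [audit(cert, NOW) for cert in INVENTORY]

if __name__ == "__main__":
    for row in REPORT:
        print(row)
```

A 45-day certificate leaves 15 days of slack under this rule, against 132 for a 398-day one, which is why a failed renewal job has to be detected and alerted on rather than found at expiry.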
While the move to 45-day certificates by 2027 may appear challenging, especially for smaller organizations, automation tools like ACME make it achievable. With ACME and similar automated solutions, such as Certificate Automation Manager for our Enterprise customers, organizations that implement these solutions now will be well-prepared for the future of web security and can avoid the pitfalls of manual certificate management.