In a bold move that could reshape the landscape of digital security, Apple has proposed to shorten the lifespan of public SSL/TLS certificates to just 47 days by 2028. Announced at the latest CA/Browser Forum meeting, this draft proposal follows Google’s earlier push to limit certificate validity to 90 days. If adopted, it could accelerate the ongoing trend of reducing certificate lifespans in a bid to enhance internet security.
Kevin Bocek, chief innovation officer at Venafi, a CyberArk company, views this move as positive for machine identity security across the globe. “Apple has now joined the likes of Google in pushing for shorter certificate lifespans in a bid to improve online security. By putting the issue up for a vote among Certification Authority Browser Forum (CA/B Forum) members, Apple is making a clear indication of its intentions to follow in Google’s footsteps—with Google poised to mandate 90-day certificates in the near future. By taking this to the wider community, it could have an even bigger impact than Google’s proposed changes to Chrome. And by proposing to cut certificate lifespans to 47 days by 2028, Apple is taking things even further, with the trend of shrinking lifespans set to continue.”
Understanding the Shift Toward Shorter Lifespans
TLS certificates serve as a critical component in securing communication over the internet, ensuring data integrity and authenticity. Historically, certificates could be valid for several years; however, recent trends have shifted toward much shorter validity periods. Apple’s draft ballot aims to gradually reduce certificate lifespans from the current standard of 398 days to a mere 47 days by 2028, with key milestones at 200 days in 2026 and 100 days in 2027.
The Rationale Behind the Proposal
The primary reason for this significant reduction is to minimize the risk window for potential compromise. Shorter lifespans mean certificates are replaced more frequently, reducing the opportunity for malicious actors to exploit outdated or mis-issued certificates. This aligns with broader industry efforts to tighten security and ensure that organizations remain vigilant in managing their digital certificates.
The challenges for IT security teams
While the security benefits are clear, the proposal also presents significant operational challenges, particularly for IT security teams. Managing certificate renewals will become more complex, with increased frequency and reduced Domain Control Validation (DCV) reuse periods—from 200 days down to 10 days by 2027. For organizations relying on manual tracking methods, these changes could prove overwhelming, leading to an increased risk of service disruptions due to expired certificates.
When security leaders were asked recently about Google’s proposal to reduce certificate lifespans to 90 days, 81% said it would amplify the challenges they already face in managing certificates, nearly three-quarters (73%) said it could cause “chaos”, and a further 75% said it could even make them less secure. Worryingly, 77% think more outages are ‘inevitable’. With Apple planning to cut certificate lifespans in half again, things could get even more chaotic.
Automation as the key to success
One of the reasons so many companies feel alarmed is that they do not have the right tools and resources in place to manage their machine identities at scale. Just 8% of organizations fully automate all aspects of TLS certificate management across the entire enterprise, while almost a third (29%) still rely on their own software and spreadsheets to manage the problem. As a result, manually deploying a single certificate takes organizations 2-3 working days (21 and ¾ hours). Reducing lifespans from 398 days to 90 days will quintuple the effort required to manage certificates over their lifetime; reducing them further to 47 days will be a 10-fold increase from where we are today.
To effectively manage the challenges posed by shorter certificate lifespans, organizations are increasingly turning to certificate lifecycle automation tools to manage the issuance, installation, and renewal of certificates, ensuring that even with the shortened 47-day cycle, certificates are updated without manual intervention.
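As an added illustration (not code from the article or from CyberArk/Venafi), the check below evaluates a certificate's validity period against the milestone schedule described above (398 days today, 200 in 2026, 100 in 2027, 47 by 2028) and computes when an automated renewal should fire. It assumes each milestone takes effect on 1 January of the year named and that renewal is attempted at two-thirds of the lifetime; neither assumption comes from the article.

```python
"""Check a TLS certificate's lifetime against the draft shortening schedule.

Added example, standard library only. The effective dates below are an
assumption (1 January of each year the article names); the actual ballot
may set different dates. Dates may be passed as datetime.date or ISO strings.
"""
from datetime import date, timedelta

# (first issue date on which the limit applies, max validity in days),
# newest first. 398 is the current limit; the others are the article's milestones.
SCHEDULE = [
    (date(2028, 1, 1), 47),
    (date(2027, 1, 1), 100),
    (date(2026, 1, 1), 200),
    (date(1970, 1, 1), 398),
]

# Renew once this fraction of the lifetime has elapsed. Assumed policy: the
# two-thirds point is a common ACME client default, not a figure from the article.
RENEW_AT_FRACTION = 2 / 3


def _as_date(value) -> date:
    """Accept a date or an ISO-8601 string such as '2027-03-01'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def max_validity_days(issued) -> int:
    """Longest validity allowed for a certificate issued on the given date."""
    issued = _as_date(issued)
    for effective, limit in SCHEDULE:
        if issued >= effective:
            return limit
    return 398  # unreachable given the 1970 fallback row, kept for clarity


def check_certificate(not_before, not_after, today) -> dict:
    """Report validity length, compliance with the limit in force on the issue
    date, the planned renewal date, and whether that renewal is already overdue."""
    not_before, not_after, today = map(_as_date, (not_before, not_after, today))
    validity = (not_after - not_before).days
    limit = max_validity_days(not_before)
    renew_on = not_before + timedelta(days=int(validity * RENEW_AT_FRACTION))
    return {
        "validity_days": validity,
        "max_allowed_days": limit,
        "compliant": validity <= limit,
        "renew_on": renew_on.isoformat(),
        "renewal_overdue": today >= renew_on,
        "days_to_expiry": (not_after - today).days,
    }
```

A fleet-wide job would call check_certificate for every certificate it inventories and open a ticket, or trigger the ACME client, for any entry where renewal_overdue is true.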
Preparing for the future
While the shift to 47-day certificates by 2028 may seem daunting, especially for smaller organizations, adopting automation tools can make the transition achievable. By implementing automated certificate lifecycle management solutions now, businesses can ensure they are well-prepared for future changes in web security requirements.
The move towards shorter certificate lifespans underscores the need for organizations to adopt a “set it and forget it” approach to certificate renewals. This approach not only mitigates the risks associated with manual certificate management but also ensures that future changes in renewal windows do not impact operations or cause unnecessary downtime.
Conclusion
Apple’s proposal to shorten SSL/TLS certificate lifespans marks a significant shift in how digital certificates will be managed in the coming years. While the proposed changes present challenges, they also offer an opportunity for businesses to enhance their security posture by adopting automated certificate management solutions. By staying ahead of these trends, organizations can ensure they are well-equipped to navigate the evolving landscape of web security and avoid the pitfalls of manual certificate management.
In this rapidly evolving landscape, those who adapt early will not only safeguard their operations but also gain a competitive edge in the realm of digital security. It’s time for organizations to act decisively and prepare for the changes ahead.
Scott Carter is director of content strategy and experience for machine identity security at CyberArk.