TOC

TLS 证书有效期将要缩短到 47 天

作者:
日期:
标签: TLS

  • 早期:没有明确标准,最长有效期 8 ~ 10 年。
  • 2011:证书最长有效期缩短至 5 年(60 months)。
  • 2015: 证书最长有效期所短到 1185 天 (3 years + 3 months)
  • 2018/03/01: 证书最长有效期所短到 825 天 (2 years + 3 months)
  • 2020/09/01: 证书最长有效期所短到 398 天 (1 year(366 days) + 1 month(31 days) + 1 day)
  • 2026/03/15: 证书最长有效期所短到 200 天(6 months + 15 days + 1 day)
    计划中,2025/04/13 得到 CA/Browser Forum 批准
  • 2027/03/15: 证书最长有效期所短到 100 天(3 months + 7 days + 1 day)
    计划中,2025/04/13 得到 CA/Browser Forum 批准
  • 2029/03/15: 证书最长有效期所短到 47 天(1 months + 15 days + 1 day)
    计划中,2025/04/13 得到 CA/Browser Forum 批准

参考资料与拓展阅读

  • Maximum Validity Changes for TLS/SSL to drop to 825 days in Q1 2018

    The CA/Browser Forum which governs the rules and practices for Certificate Authorities have approved a ballot that will reduce maximum certificate lifetimes for TLS/SSL certificates to 825 days (~27 months or ~2 years 3 months) from the current 1185 days (~39 months or 3 years 3 months).

    The new 825-day maximum validity period takes effect on March 1, 2018 for all TLS/SSL certificate types. This will affect QuoVadis Business SSL and QuoVadis Extended Validation policies within Trust/Link. For your convenience, QuoVadis will automatically replace all policies within Trust/Link as this date approaches.

  • How long are TLS/SSL certificate validity periods?

    TLS/SSL certificate validity periods are currently 398 days, or about 13 months. They were recently reduced by the CA/B Forum starting Sept. 1, 2020 in response to Apple’s announcement stating they would not accept certificates for two-year validity periods. DigiCert has instituted a 397-day validity period in order to account for time zone differences.

  • TLS Certificate Lifetimes Will Officially Reduce to 47 Days

    The CA/Browser Forum has officially voted to amend the TLS Baseline Requirements to set a schedule for shortening both the lifetime of TLS certificates and the reusability of CA-validated information in certificates. The first user impacts of the ballot take place in March 2026.

    The ballot was long debated in the CA/Browser Forum and went through several versions, incorporating feedback from certificate authorities and their customers. The voting period ended on April 11, 2025, closing one hotly contested chapter and allowing the certificate world to plan for what comes next.

    The new TLS certificate lifetime schedule

    The new ballot targets certificate validity of 47 days, making automation essential. Prior to this proposal by Apple, Google promoted a 90-day maximum lifetime, but they voted in favor of Apple’s proposal almost immediately after the voting period began.

    Here’s the schedule:

    • The maximum certificate lifetime is going down:

      • From today until March 15, 2026, the maximum lifetime for a TLS certificate is 398 days.
      • As of March 15, 2026, the maximum lifetime for a TLS certificate will be 200 days.
      • As of March 15, 2027, the maximum lifetime for a TLS certificate will be 100 days.
      • As of March 15, 2029, the maximum lifetime for a TLS certificate will be 47 days.

    • The maximum period during which domain and IP address validation information may be reused is going down:

      • From today until March 15, 2026, the maximum period during which domain validation information may be reused is 398 days.
      • As of March 15, 2026, the maximum period during which domain validation information may be reused is 200 days.
      • As of March 15, 2027, the maximum period during which domain validation information may be reused is 100 days.
      • As of March 15, 2029, the maximum period during which domain validation information may be reused is 10 days.

    • As of March 15, 2026, validations of Subject Identity Information (SII) can only be reused for 398 days, down from 825. SII is the company name and other information found in an OV (Organization Validated) or EV (Extended Validation) certificate, i.e., everything but the domain name or IP address protected by the certificate. This does not affect DV (Domain Validated) certificates, which have no SII.

      Empty heading

    Why 47 Days?

    47 days might seem like an arbitrary number, but it’s a simple cascade:

    • 200 days = 6 maximal month (184 days) + 1/2 30-day month (15 days) + 1 day wiggle room
    • 100 days = 3 maximal month (92 days) + ~1/4 30-day month (7 days) + 1 day wiggle room
    • 47 days = 1 maximal month (31 days) + 1/2 30-day month (15 days) + 1 day wiggle room

    Apple’s justification for the change

    In the ballot, Apple makes many arguments in favor of the moves, one of which is most worth calling out. They state that the CA/B Forum has been telling the world for years, by steadily shortening maximum lifetimes, that automation is essentially mandatory for effective certificate lifecycle management.

    The ballot argues that shorter lifetimes are necessary for many reasons, the most prominent being this: The information in certificates is becoming steadily less trustworthy over time, a problem that can only be mitigated by frequently revalidating the information.

    The ballot also argues that the revocation system using CRLs and OCSP is unreliable. Indeed, browsers often ignore these features. The ballot has a long section on the failings of the certificate revocation system. Shorter lifetimes mitigate the effects of using potentially revoked certificates. In 2023, CA/B Forum took this philosophy to another level by approving short-lived certificates, which expire within 7 days, and which do not require CRL or OCSP support.

    Clearing up confusion about the new rules

    Two points about the new rules are likely to cause confusion:

    1. The three years for the rule changes are 2026, 2027, and 2029, but the gap between the second set of years is two years long.
    2. As of March 15, 2029, the maximum lifetime for a TLS certificate will be 47 days, but the maximum period during which domain validation information may be reused is only 10 days. Manual revalidation will still technically be possible, but doing so would be a recipe for failure and outages.

    As a certificate authority, one of the most common questions we hear from customers is whether they’ll be charged more to replace certificates more frequently. The answer is no. Cost is based on an annual subscription, and what we’ve learned is that, once users adopt automation, they often voluntarily move to more rapid certificate replacement cycles.

    For this reason, and because even the 2027 changes to 100-day certificates will make manual procedures untenable, we expect rapid adoption of automation long before the 2029 changes.

    Apple’s statement about automated certificate lifecycle management is indisputable, but it’s something we’ve been long preparing for. DigiCert offers multiple automation solutions through Trust Lifecycle Manager and CertCentral, including support for ACME. DigiCert’s ACME allows automation of DV, OV, and EV certificates and includes support for ACME Renewal Information (ARI).

    Get in touch for more information on how you can make the best use of automation.

    The latest developments in digital trust

    Want to learn more about topics like certificate managementautomation, and TLS/SSL? Subscribe to the DigiCert blog to ensure you never miss a story.

    Related Stories

发布于码厩技术博客的所有文章,除注明转载外,均为作者原创,欢迎转载,但必须注明出处。
尊重他人劳动,共创开源社区!转载请注明以下信息:
转载来源 码厩技术博客 []
原文标题:TLS 证书有效期将要缩短到 47 天
原文地址
知识共享许可协议
如果你有魔法,你可以看到一个评论框~