Apple Pushes for Shorter Certificate Lifespans, Shortening to 47 Days by 2028
This article was updated on 28 Nov 2024 to reflect the latest announcement from Apple.
Apple accelerates the pace of certificate lifespan reduction
On 9th October 2024, Apple announced a significant proposal to further shorten the lifespan of SSL/TLS certificates. This move aims to enhance web security and reduce the risk of vulnerabilities.
This announcement came after Google’s 90-day proposal and the CA/Browser Forum’s efforts to incentivise automation for public Certificate Authorities (CAs). With the emergence of quantum computing, the reduction of certificate lifespans is inevitable.
What exactly is the big change?
- The current maximum lifespan of a public TLS certificate you can request is 13 months (398 days).
- Certificate lifespans will be progressively reduced over the next few years, culminating in a maximum lifespan of 47 days by 2028.
Apple’s 47-Day Proposal
| Maximum Certificate Lifespan | Date |
| --- | --- |
| 200 Days | 15 Mar 2026 |
| 100 Days | 15 Mar 2027 |
| 47 Days | 15 Mar 2028 |
How does this affect me?
This accelerated timeline for certificate lifespan reduction will have a direct impact on organisations:
- Increased Management Overhead: IT teams will need to renew certificates more frequently, increasing the volume of certificate renewals.
- Potential for Disruptions: Manual processes may not be sufficient to keep up with the rapid pace of certificate expiration.
- Increased Chance of Mistakes: With more certificate requests generated manually, administrators are more likely to make mistakes.
Why the change?
The shortening of certificate lifespans is driven by the need to mitigate the security risks associated with compromised certificates. Shorter lifespans give attackers less time to exploit a compromised certificate before it expires.
Stricter DCV Reuse
In addition to the shorter lifespans, Apple is also proposing stricter DCV reuse.
Understanding DCV
Document Challenge Validation (DCV) is a security measure used by CAs to verify domain ownership. It involves adding a specific HTML file to the website’s root directory. This file proves that the applicant has control over the domain.
The DCV reuse period will also be shortened, reaching a minimum of 10 days in 2028.
| DCV Reuse Period | Date |
| --- | --- |
| 200 Days | 15 Mar 2026 |
| 100 Days | 15 Mar 2027 |
| 10 Days | 15 Mar 2028 |
The impact of shorter DCV reuse periods
With shorter DCV reuse periods, certificates issued using the same DCV challenge will have shorter lifespans. This means that CAs will need to perform more frequent validation checks to ensure that certificates remain valid and secure.
The Solution: Automated Certificate Lifecycle Management
To address these challenges, organisations should adopt automated certificate lifecycle management (CLM) solutions. CLM tools can:
- Automate Renewals: Automatically renew certificates before they expire.
- Monitor Expirations: Proactively track certificate expiration dates.
- Centralise Management: Consolidate certificate management into a single platform.
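The expiry monitoring described above, checked against the lifespan schedule from Apple's proposal, as an added example that is not code from Netrust or Apple. It assumes the limit in force is decided by the certificate's issuance date and that renewal is triggered at two-thirds of the lifetime; the hostnames and dates are constructed.

```python
from datetime import date, timedelta
from math import ceil

# Limits from the article's table as (effective date, max lifespan in days);
# 398 days is the current maximum the article states.
SCHEDULE = [(date(2028, 3, 15), 47), (date(2027, 3, 15), 100),
            (date(2026, 3, 15), 200), (date.min, 398)]

# Constructed inventory: (host, notBefore, notAfter). Hostnames are placeholders.
INVENTORY = [
    ("www.example.test", date(2025, 6, 1), date(2026, 7, 4)),
    ("api.example.test", date(2026, 3, 20), date(2027, 4, 22)),
    ("mail.example.test", date(2026, 3, 20), date(2026, 10, 6)),
    ("old.example.test", date(2025, 1, 1), date(2026, 2, 3)),
]

def max_lifespan(issued):
    """Limit in force on the issuance date (assumed to be what the limit keys on)."""
    return next(days for effective, days in SCHEDULE if issued >= effective)

def renewals_per_year(limit, renew_fraction=2 / 3):
    """Renewals needed per year when renewing at renew_fraction of the lifetime."""
    return ceil(365 / (limit * renew_fraction))

def audit(cert, today, renew_fraction=2 / 3):
    """Classify one certificate and plan its next renewal."""
    host, not_before, not_after = cert
    lifespan = (not_after - not_before).days
    renew_on = not_before + timedelta(days=int(lifespan * renew_fraction))
    if today > not_after:
        status = "EXPIRED"
    elif lifespan > max_lifespan(not_before):
        status = "OVER_LIMIT"  # longer than allowed on its issuance date
    elif today >= renew_on:
        status = "RENEW_NOW"
    else:
        status = "OK"
    # The replacement is bound by the limit in force when it is issued.
    next_limit = max_lifespan(max(today, renew_on))
    return {"host": host, "status": status, "lifespan": lifespan,
            "renew_on": renew_on, "next_limit": next_limit,
            "renewals_per_year": renewals_per_year(next_limit, renew_fraction)}

def report(today):
    """Audit every certificate in the inventory as of the given date."""
    return [audit(cert, today) for cert in INVENTORY]

if __name__ == "__main__":
    for row in report(date(2026, 4, 1)):
        print(row)
```

The `OVER_LIMIT` status catches certificates that exceed the limit in force on their issuance date, and `renewals_per_year` shows how the renewal volume grows as the limit falls.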
Netrust: Your Partner in Certificate Management
Netrust offers a suite of comprehensive solutions to address the evolving landscape of certificate management.
Don’t let shorter certificate lifespans disrupt your operations. Contact Netrust today to learn how our CLM solutions can help you maintain security and compliance.