New upcoming TLS certificate lifetimes

The CAB Forum has voted to update the maximum certificate lifetimes supported by browsers. This will impact all certificates that require to be trusted in browsers issued by any CA. The main push for these changes has come from Apple.

The advantage of shorter lifespans for certificates is the security improvements. It is likely to lead to the eventual removal of OCSP and much smaller CRLs both checks which can slow down browsers.

The proposed changes to certificate lifetimes are as follows

From today until March 15, 2026, the maximum lifetime for a TLS certificate is 398 days.
As of March 15, 2026, the maximum lifetime for a TLS certificate will be 200 days. As of March 15, 2027, the maximum lifetime for a TLS certificate will be 100 days. As of March 15, 2029, the maximum lifetime for a TLS certificate will be 47 days.

Ultimately this will lead to a major push to automate certificate issues. We already offer an API to allow for customers to automate the ordering and delivery of their HTTPS/TLS certificate. Some customers have integrated with the console to complete the automation process.

We are developing in partnership with our provides a process using the ACME protocol and we will be making this available to customers and resellers. The ACME protocol will allow for the complete automation of certificate issuance. This will be provided via a CaaS (Certificate as a Service) subscription.

Updates will be provided on how we will implement the CaaS and the options availabel to resellers.

Any certificates you purchase now will still remain valid and can be reissued until the end of the order expiry date. We will offer long term certificates the opportunity to transition to the CaaS model.