TLS certificate lifetimes will officially reduce to 47 days

Original link: https://www.digicert.com/blog/tls-certificate-lifetimes-will-officially-reduce-to-47-days

Apple is pushing to shorten TLS certificate lifetimes, with the end goal of reducing the maximum term to 47 days by March 15, 2029. The change is based on a CA/B Forum proposal and aims to improve security by forcing more frequent revalidation of certificate information and by mitigating the unreliability of the certificate revocation systems (CRL/OCSP). The 47-day term was not chosen arbitrarily; it results from breaking longer terms down into month-sized blocks. Although manual revalidation will technically remain possible, the accompanying 10-day limit on reusing domain validation will make automation a necessity for avoiding outages. Despite more frequent certificate replacement, costs are not expected to rise, because subscriptions are priced annually and automation is expected to be widely adopted before 2029. Certificate authorities such as DigiCert already offer automation solutions (Trust Lifecycle Manager and ACME-enabled CertCentral) to help users adapt to the change. Ultimately, the move prioritises digital trust by simplifying certificate management and strengthening security.

A Hacker News discussion centred on the news that TLS certificate lifetimes will shrink to 47 days. User trothamel asked how to renew Let's Encrypt certificates across multiple servers, given a current setup in which a primary server handles the request and copies the certificates out. Replies suggested tools such as Certbot, Caddy or Traefik to generate certificates automatically. nullwarp recommended using DNS validation for renewals to avoid exposing anything to the internet. A link to Let's Encrypt's announcement about offering 6-day certificates was also shared. The discussion then turned to the reasons behind shorter lifetimes. Some saw it as a way to force automation; others suspected it was meant to limit the impact of compromised or malicious certificate authorities (CAs). One user characterised the change as platform capitalism aimed at squeezing out the grassroots internet.

Original article

Why 47 Days?

47 days might seem like an arbitrary number, but it’s a simple cascade:

  • 200 days = 6 maximal months (184 days) + 1/2 of a 30-day month (15 days) + 1 day of wiggle room
  • 100 days = 3 maximal months (92 days) + ~1/4 of a 30-day month (7 days) + 1 day of wiggle room
  • 47 days = 1 maximal month (31 days) + 1/2 of a 30-day month (15 days) + 1 day of wiggle room

Apple’s justification for the change

In the ballot, Apple makes many arguments in favor of the moves, one of which is most worth calling out. They state that the CA/B Forum has been telling the world for years, by steadily shortening maximum lifetimes, that automation is essentially mandatory for effective certificate lifecycle management.

The ballot argues that shorter lifetimes are necessary for many reasons, the most prominent being this: The information in certificates is becoming steadily less trustworthy over time, a problem that can only be mitigated by frequently revalidating the information.

The ballot also argues that the revocation system using CRLs and OCSP is unreliable. Indeed, browsers often ignore these features. The ballot has a long section on the failings of the certificate revocation system. Shorter lifetimes mitigate the effects of using potentially revoked certificates. In 2023, CA/B Forum took this philosophy to another level by approving short-lived certificates, which expire within 7 days, and which do not require CRL or OCSP support.

Clearing up confusion about the new rules

Two points about the new rules are likely to cause confusion:

  1. The rule changes take effect in three years, 2026, 2027, and 2029, but the gap between the second and third of those years is two years long, not one.
  2. As of March 15, 2029, the maximum lifetime for a TLS certificate will be 47 days, but the maximum period during which domain validation information may be reused is only 10 days. Manual revalidation will still technically be possible, but doing so would be a recipe for failure and outages.

As a certificate authority, one of the most common questions we hear from customers is whether they’ll be charged more to replace certificates more frequently. The answer is no. Cost is based on an annual subscription, and what we’ve learned is that, once users adopt automation, they often voluntarily move to more rapid certificate replacement cycles.

For this reason, and because even the 2027 changes to 100-day certificates will make manual procedures untenable, we expect rapid adoption of automation long before the 2029 changes.

Apple’s statement about automated certificate lifecycle management is indisputable, but it’s something we’ve long been preparing for. DigiCert offers multiple automation solutions through Trust Lifecycle Manager and CertCentral, including support for ACME. DigiCert’s ACME allows automation of DV, OV, and EV certificates and includes support for ACME Renewal Information (ARI).
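As an added example (not DigiCert's code, nor any ACME client's), the following Python planner applies the lifetime schedule from the "Why 47 days?" cascade, the 10-day domain validation reuse limit from the rules above, and an optional ARI-style renewal window. It assumes March 15 as the effective date for the 2026 and 2027 steps (the article dates only the 2029 step), uses the common "renew after two thirds of the lifetime" default when no ARI window is available, and all certificate dates are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Maximum TLS certificate lifetimes (days) by effective date. The article dates only the
# 47-day step (March 15, 2029); March 15 for the 2026 and 2027 steps is an assumption.
LIFETIME_SCHEDULE = [
    (datetime(2026, 3, 15, tzinfo=UTC), 200),
    (datetime(2027, 3, 15, tzinfo=UTC), 100),
    (datetime(2029, 3, 15, tzinfo=UTC), 47),
]
DV_REUSE_DAYS = 10              # maximum age of reusable domain validation from March 15, 2029
DEFAULT_RENEW_FRACTION = 2 / 3  # typical ACME client default when no ARI window is offered


def max_lifetime_days(issued_at):
    """Maximum lifetime allowed for a certificate issued at issued_at; None before the first step."""
    limit = None
    for effective, days in LIFETIME_SCHEDULE:
        if issued_at >= effective:
            limit = days
    return limit

def lifetime_days(not_before, not_after):
    """Lifetime in days, as the difference between notAfter and notBefore."""
    return (not_after - not_before) / timedelta(days=1)

def is_compliant(not_before, not_after):
    """True when the lifetime fits the limit in force on the issuance date."""
    limit = max_lifetime_days(not_before)
    return limit is None or lifetime_days(not_before, not_after) <= limit

def renewal_due(not_before, not_after, now, ari_window=None):
    """With an ARI suggested window (start, end), renew once it opens; otherwise renew
    after DEFAULT_RENEW_FRACTION of the lifetime has elapsed."""
    if ari_window is not None:
        return now >= ari_window[0]
    return now >= not_before + (not_after - not_before) * DEFAULT_RENEW_FRACTION

def dv_reusable(last_validated, now):
    """True when cached domain validation is young enough to reuse under the 2029 rule."""
    return now - last_validated <= timedelta(days=DV_REUSE_DAYS)

def plan(not_before, not_after, last_validated, now, ari_window=None):
    """What an automated renewal job should do at `now` for one certificate."""
    return {"compliant": is_compliant(not_before, not_after),
            "renew_now": renewal_due(not_before, not_after, now, ari_window),
            "revalidate_domain": not dv_reusable(last_validated, now)}
```

For a 47-day certificate renewed at the two-thirds mark, the domain validation performed at the previous issuance is already over 30 days old, so every renewal cycle needs a fresh validation; that is the mechanism that makes manual handling impractical.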

Get in touch for more information on how you can make the best use of automation.

The latest developments in digital trust

Want to learn more about topics like certificate management, automation, and TLS/SSL? Subscribe to the DigiCert blog to ensure you never miss a story.
