Navigate on SwissID

CA/Browser Forum Updates

The CA/B Forum continuously makes new decisions that adapt the Baseline Requirements for TLS/SSL certificates, S/MIME or Code Signing and more. These changes have a direct impact on Certificate Authorities and certificate users.

On this page you will find:

  • All relevant CA/B Forum decisions for the DACH region explained in an understandable way

  • Concrete recommendations for IT security managers

  • Timeline of the most important deadlines

  • Unique: Technical analysis in German, French and English

The most important deadlines at a glance

Deadline

Title

Affected are

July 2026

Reusable DNS validation planned for SwissSign certificates

TLS/SSL + S/MIME

15 March 2027

SwissSign: to be announced

Reduction of the maximum term to 100 days

SwissSign: 98 days

TLS/SSL Certificates

15 March 2027

SwissSign: to be announced

Purpose of use ‘Client Authentication’ no longer used for public SSL/TLS certificates

TLS/SSL Certificates

15 March 2029

SwissSign: to be announced

Reduction of the maximum running time to 47 days

SwissSign: 45 days

TLS/SSL Certificates

High relevance for certificate users

47-day turnaround for SSL/TLS, 10 days for domain validations

Ballot SC-094

Relevance for certificate users: ★★★★★ (5/5)

Affected users: All organisations with public TLS/SSL certificates

Affected certificate types: TLS/SSL (DV, OV, EV)

Implementation effort: ★★★★★ (5/5) – Automation is mandatory (ACME, REST API, CLM solution)

CA/B Forum status: Ballot SC-094 – Approved 4 April 2025. Phased implementation: 200 days (March 2026) → 100 days (March 2027) → 47 days (March 2029)

SwissSign status: Transition to daily validity from January 2026, reduction to 200 days 09 March 2026

Deadline for certificate users: 15 March 2026 (first reduction to 200 days)

All details

Client Authentication in SSL/TLS certificates no longer supported from 2027

Google Chrome Root Program Policy

Relevance for certificate users: ★★★★☆ (4/5)

Affected users: Organisations using public TLS certificates for client authentication

Affected certificate types: Public TLS server certificates with Extended Key Usage ‘Client Authentication’

Implementation effort: ★★★☆☆ (3/5) – Use of private certificates or S/MIME

CA/B Forum status: Google Chrome Root Program Policy – Effective 15 March 2027

SwissSign status: Implementation for SSL/TLS certificates to be announced

Deadline for certificate users: 15 March 2027

All details

Moderate relevance for certificate users

Certificate Authorities validate DNSSEC

Ballot SC-085v2 & SMC014

Relevance for certificate users: ★★☆☆☆ (2/5)

Affected users: Organisations with domains with DNSSEC-signed zones (TLS: CAA + DCV-Lookups, S/MIME: CAA-Lookups)

Affected certificate types: TLS (DV, OV, EV) and S/MIME certificates

Implementation effort: ★★☆☆☆ (2/5) – No effort if DNSSEC is already correctly configured; moderate effort for DNSSEC reconfiguration or correction

SwissSign status: Go-Live planned for early March 2026

Deadline for certificate users: If available: latest by 15 March 2026 Check DNSSEC configuration

All details

Reusable DNS Validation

Ballot SC-088v3

Relevance for certificate users: ★★☆☆☆ (2/5) – rising to ★★★★☆ (4/5) by 2029

Affected users: Organisations with automated certificate issuance (MPKI, CLM platforms) – particularly relevant from 2029

Affected certificate types: All TLS/SSL and S/MIME certificates – each requires domain validation

Implementation effort: ★★☆☆☆ (2/5) – one-time DNS setup per domain, revalidation at least every 10 days (ready for 2029)

CA/B Forum status: SC-088v3 (Server Certificate) adopted 9 October 2025, effective 11 November 2025

SwissSign status: Go-live planned for summer 2026, revalidation every 8 days

Deadline for certificate users: None (optional method)

Links to ballots:

All details

Certificate Authorities will validate domains from multiple network locations from September 2025

CA/B Forum Ballots SC-067 (TLS) & SMC-010 (S/MIME)

Relevance for certificate users: ★★★☆☆ (3/5)

Affected users: Organisations with restrictive firewall rules, geo-restricted DNS resolutions, or IP whitelists for validation servers

Affected certificate types: TLS/SSL certificates, S/MIME certificates (both for publicly trusted certificates)

Implementation effort: ★★☆☆☆ (2/5) – Low for most organisations; medium to high only for restrictive network configurations (firewalls, geo-blocking, IP whitelists)

Status CA/B Forum:

  • SC-067 (TLS): Adopted August 5, 2024, effective September 15, 2025

  • SMC-010 (S/MIME): Adopted December 22, 2024, Compliance Date May 15, 2025, Full Implementation September 15, 2025

  • Gradual increase: March 2026 (3 perspectives), June 2026 (4 perspectives), December 2026 (5 perspectives)

SwissSign status: Introduction in February 2025; gradual increase until December 2026

Deadline for certificate users: No adjustment required

All details

Good to know for certificate users

EUID, the new internationally unique organisational identifier

Ballot SMC011

Relevance for certificate users: ★★☆☆☆ (2/5)

Affected users: German organisations with commercial register entry (ambiguous HR numbers), OV/EV certificates

Affected certificate types: OV and EV SSL/TLS, S/MIME with OrganisationIdentifier

Implementation effort: ★☆☆☆☆ (1/5) – No action required (automatic CA-side implementation)

Status CA/B Forum: Ballot SMC011 (S/MIME BR) – Adopted 31 March 2025, Effective 14 May 2025

Status SwissSign: Already implemented

Deadline for certificate users: None (CA-side change)

All details

Certificate Management 2026: Webinar on PKI Best Practice for Medium to Large Organisations

From the gradual reduction of validity periods to the increasing challenges of private certificates and post-quantum cryptography: join our Head of Certificate Services, Alain Favre, for a session on public key infrastructure management best practice in 2026 (in English):

  • Challenges: Reduction of certificate lifespans, PQC, digital sovereignty

  • Three pillars for your PKI management in 2026: discovery, governance, automation

  • Demo of SwissSign's Certificate Lifecycle Management powered by Evertrust

  • Implementation and practical advice

Thursday, 21 May, 11-12am

Our webinar is primarily aimed at organisations in regulated industries such as banking, insurance, the public sector or critical infrastructure, or at companies that work with these organisations.

(By registering for the webinar, you consent to SwissSign AG processing your data for the purpose of contacting you and/or for advertising purposes. More on www.swisssign.com/webinar-privacy.)

Register now

Frequently Asked Questions (FAQ)

The CA/Browser Forum is a voluntary organisation of Certificate Authorities (CAs) and browser manufacturers (e.g. Google Chrome, Mozilla Firefox, Microsoft Edge, Apple Safari), which defines standards for publicly trusted TLS/SSL and S/MIME certificates as well as rules for Certificate Authorities that are recognised as trustworthy by browsers.

Certificate Authorities must meet the so-called Baseline Requirements to remain in browser root stores. Certificate users are indirectly affected when changes require new validation methods or certificate validity periods are reduced.

The CA/B Forum has passed 15-20 ballots per year over the past two years, most of which concern TLS/SSL certificates.

All official ballots are available on cabforum.org. SwissSign offers the most important ballots in German with practical recommendations for action.

The CA/B Forum documents are technically complex and only available in English. SwissSign not only translates the relevant changes, but also explains them in a practical way for IT security managers in the DACH region.

About this site

Objective: SwissSign documents all relevant CA/B Forum ballots that have an impact on certificate users in the DACH region. We focus on practical changes with concrete recommendations for action.

Selection criteria:

  • Ballots with direct action relevance for users

  • CA-internal changes with possible impact on users

  • Focus on TLS/SSL and S/MIME certificates

Sources:

  • CA/B Forum Official Website (cabforum.org) + Documentation on GitHub

  • SwissSign Team

SwissSign

Ressources

Knowledge

Support