A data security specialist by Swiss Post

CA/Browser Forum Updates

The CA/B Forum continuously makes new decisions that adapt the Baseline Requirements for TLS/SSL certificates, S/MIME or Code Signing and more. These changes have a direct impact on Certificate Authorities and certificate users.

On this page you will find:

  • All relevant CA/B Forum decisions for the DACH region explained in an understandable way

  • Concrete recommendations for IT security managers

  • Timeline of the most important deadlines

  • Unique: Technical analysis in German, French and English

The most important deadlines at a glance

| Deadline | Title | Affected |
|---|---|---|
| March 15, 2026 | If DNSSEC is in use: check DNSSEC configuration by 15 March 2026 at the latest | TLS/SSL Certificates |
| March 15, 2026 | Reduction of the maximum validity period to 200 days | TLS/SSL Certificates |
| June 15, 2026 | Extended Key Usage ‘Client Authentication’ no longer used for public SSL/TLS certificates | TLS/SSL Certificates |
| March 15, 2027 | Reduction of the maximum validity period to 100 days | TLS/SSL Certificates |
| March 15, 2029 | Reduction of the maximum validity period to 47 days | TLS/SSL Certificates |

High relevance for certificate users

47-day validity for SSL/TLS, 10 days for domain validations

Ballot SC-094

Relevance for certificate users: ★★★★★ (5/5)

Affected users: All organisations with public TLS/SSL certificates

Affected certificate types: TLS/SSL (DV, OV, EV)

Implementation effort: ★★★★★ (5/5) – Automation is mandatory (ACME, REST API, CLM solution)

CA/B Forum status: Ballot SC-094 – Approved 4 April 2025. Phased implementation: 200 days (March 2026) → 100 days (March 2027) → 47 days (March 2029)

SwissSign status: Transition to daily validity from January 2026, reduction to 200 days planned for mid-March. Further deadlines to follow.

Deadline for certificate users: 15 March 2026 (first reduction to 200 days)

Client Authentication in SSL/TLS certificates no longer supported from 2026

Google Chrome Root Program Policy

Relevance for certificate users: ★★★★☆ (4/5)

Affected users: Organisations using public TLS certificates for client authentication (Mutual TLS)

Affected certificate types: Public TLS server certificates with Extended Key Usage ‘Client Authentication’

Implementation effort: ★★★☆☆ (3/5) – Use of private certificates or S/MIME

CA/B Forum status: Google Chrome Root Program Policy – Effective 15 June 2026

SwissSign status: Implementation for SSL/TLS certificates in Q2 2026

Deadline for certificate users: 15 June 2026

Moderate relevance for certificate users

Certificate Authorities validate DNSSEC

Ballot SC-085v2 & SMC014

Relevance for certificate users: ★★☆☆☆ (2/5)

Affected users: Organisations with domains in DNSSEC-signed zones (TLS: CAA and DCV lookups, S/MIME: CAA lookups)

Affected certificate types: TLS (DV, OV, EV) and S/MIME certificates

Implementation effort: ★★☆☆☆ (2/5) – No effort if DNSSEC is already correctly configured; moderate effort for DNSSEC reconfiguration or correction

SwissSign status: Go-Live planned for mid-February 2026

Deadline for certificate users: If DNSSEC is in use, check the DNSSEC configuration by 15 March 2026 at the latest

Certificate Authorities will validate domains from multiple network locations from September 2025

CA/B Forum Ballots SC-067 (TLS) & SMC-010 (S/MIME)

Relevance for certificate users: ★★★☆☆ (3/5)

Affected users: Organisations with restrictive firewall rules, geo-restricted DNS resolutions, or IP whitelists for validation servers

Affected certificate types: TLS/SSL certificates, S/MIME certificates (both for publicly trusted certificates)

Implementation effort: ★★☆☆☆ (2/5) – Low for most organisations; medium to high only for restrictive network configurations (firewalls, geo-blocking, IP whitelists)

CA/B Forum status:

  • SC-067 (TLS): Adopted August 5, 2024, effective September 15, 2025

  • SMC-010 (S/MIME): Adopted December 22, 2024, Compliance Date May 15, 2025, Full Implementation September 15, 2025

  • Gradual increase: March 2026 (3 perspectives), June 2026 (4 perspectives), December 2026 (5 perspectives)

SwissSign status: Introduction in February 2025; gradual increase until December 2026

Deadline for certificate users: No adjustment required

Good to know for certificate users

EUID, the new internationally unique organisational identifier

Ballot SMC011

Relevance for certificate users: ★★☆☆☆ (2/5)

Affected users: German organisations with a commercial register entry (ambiguous HR numbers) that use OV/EV certificates

Affected certificate types: OV and EV SSL/TLS, S/MIME with OrganisationIdentifier

Implementation effort: ★☆☆☆☆ (1/5) – No action required (automatic CA-side implementation)

CA/B Forum status: Ballot SMC011 (S/MIME BR) – Adopted 31 March 2025, Effective 14 May 2025

SwissSign status: Already implemented

Deadline for certificate users: None (CA-side change)

Frequently Asked Questions (FAQ)

The CA/Browser Forum is a voluntary organisation of Certificate Authorities (CAs) and browser manufacturers (e.g. Google Chrome, Mozilla Firefox, Microsoft Edge, Apple Safari), which defines standards for publicly trusted TLS/SSL and S/MIME certificates as well as rules for Certificate Authorities that are recognised as trustworthy by browsers.

Certificate Authorities must meet the so-called Baseline Requirements to remain in browser root stores. Certificate users are indirectly affected when changes require new validation methods or certificate validity periods are reduced.

The CA/B Forum has passed 15-20 ballots per year over the past two years, most of which concern TLS/SSL certificates.

All official ballots are available on cabforum.org. SwissSign offers the most important ballots in German with practical recommendations for action.

The CA/B Forum documents are technically complex and only available in English. SwissSign not only translates the relevant changes, but also explains them in a practical way for IT security managers in the DACH region.

About this site

Objective: SwissSign documents all relevant CA/B Forum ballots that have an impact on certificate users in the DACH region. We focus on practical changes with concrete recommendations for action.

Selection criteria:

  • Ballots with direct action relevance for users

  • CA-internal changes with possible impact on users

  • Focus on TLS/SSL and S/MIME certificates

Sources:

  • CA/B Forum Official Website (cabforum.org) + Documentation on GitHub

  • SwissSign Team