47 days TLS / SSL & 10 days DV | SwissSign

Adrian Müller • 09.05.2025

47 days, 10 days – validity period for TLS / SSL certificates and domain validation significantly shortened

Context and next steps from SwissSign. The CA/Browser Forum has decided to gradually reduce the lifespan of SSL/TLS certificates and the validity period for domain verification, with far-reaching consequences for IT teams worldwide. Here's a brief summary of the situation and how we at SwissSign will continue to support you.

On 4 April 2025, the CA/Browser Forum made a far-reaching decision: the maximum lifespan of public TLS certificates will be gradually reduced to 47 days. Domains will have to be re-checked every 10 days - a major change for many companies that have so far managed their certificates on an annual cycle.

In this post, we summarise the current status, outline the schedule ahead and explain what SwissSign customers can expect in concrete terms.

Schedule for reducing the validity period

The members of the CA/Browser Forum have decided by a large majority to reduce the maximum validity period of publicly trusted TLS/SSL certificates to 47 days. The allowed period will be gradually reduced over several years:

  • As of 15 March 2026: maximum 200 days

  • As of 15 March 2027: maximum 100 days

  • As of 15 March 2029: maximum 47 days

At the same time, the deadlines for the reusability of domain validation information are significantly reduced:

  • As of 15 March 2026: maximum 200 days

  • As of 15 March 2027: maximum 100 days

  • As of 15 March 2029: maximum 10 days

Additionally, the validity of identity checks in the context of OV certificates is also restricted:

  • As of 15 March 2026, Subject Identity Information (SII) validations - such as organisation name, address and other identification features - can only be reused for 398 days (down from 825 days). These changes only affect OV certificates. DV certificates are not affected, as they do not contain SII. 

The CA/B Forum aims to minimise the risks of compromised or improperly issued certificates, speed up the widespread adoption of changes, increase the pressure for automation and adjust the certificate lifecycle more closely to best practices. The goal is to make the Web PKI more resilient - and to increase overall cybersecurity. 

Summary on the Register: New SSL/TLS certs to each live no longer than 47 days by 2029 

Background: CA/B-Forum Ballot Vote on GitHub

What is not affected

  • Your SwissSign Managed PKI still costs the same. The pricing model is independent of whether you get a certificate for your (web) address once or twelve times a year.

  • Internal (non-public) certificates (e.g. for internal servers, VPNs or devices): The regulation only applies to publicly trusted certificates.

  • Existing certificates: There is no retroactive effect on already issued certificates.

  • Code signing, S/MIME, document signatures: These are not part of the affected standard. Validity periods for S/MIME have already been shortened (read our blog post on this change).

Impact on your business or organisation

The consequences can vary depending on the setup and the level of maturity of the certificate management:

  • Manual processes (renewal via ticket, upload, manual installation) are no longer practical with 47-day certificates

  • Automation is therefore inevitable - for example, via the ACME protocol or API-based platforms, or using certificate management software such as a Certificate Lifecycle Management (CLM) solution

  • Certificate transparency and monitoring must be more closely coordinated (including warning and escalation mechanisms), likewise with the help of a CLM solution

Those who have previously "tidied up" annually or semi-annually will have to switch to continuous orchestration in the future.

How SwissSign will adapt processes 

As an established Swiss CA, we continuously work on the development of our existing services, particularly in terms of:

  • Domain validation for our certificates

  • Certificate renewal processes within our Managed PKI

  • Cooperation with additional partners for even more automation options

What comes next 

We are currently preparing a detailed guide that will show you what type of automation is suitable for your business.

What we recommend - already now

Start the automation - it must be much faster next year than it is today! Start with the following basic questions:

  • Inventory: Which certificates are in use in your company, where and for what purpose, and which of these are publicly trusted Internet certificates?

  • Process Review: How is the renewal process running today - manually, partially automated, fully automated?

  • If you still have individual certificates in use: Simplify your certificate management for Internet certificates (TLS / SSL and email). With our Managed PKI (MPKI), you can manage certificates for your employees, customers and partners independently and according to your needs, and save compared to buying individual certificates.

  • Technical preparation: Is a CLM solution already in use and what requirements are there for such a solution? Let us advise you on how you can optimise and prepare your PKI setup and what automation options beyond MPKI would be suitable for you.

  • Planning for higher frequency: adjust monitoring, audits, alerting
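
To size the inventory and higher-frequency planning steps above, the following added example (not SwissSign code) projects renewals for a small constructed inventory under the schedule from this post, and shows when domain validation can still be reused. The hostnames, the 14-day renewal lead time and the 398-day limit before the first step are assumptions, not values from the post.

```python
from datetime import date, timedelta

# Steps from the post: (effective date, max certificate lifetime, max DV reuse), in days.
SCHEDULE = [
    (date(2026, 3, 15), 200, 200),
    (date(2027, 3, 15), 100, 100),
    (date(2029, 3, 15), 47, 10),
]
# Assumption: limits before the first step (current Baseline Requirements value,
# not stated in the post).
BEFORE_FIRST_STEP = (398, 398)

def limits_on(issued):
    """Return (max certificate days, max DV reuse days) for an issuance date."""
    current = BEFORE_FIRST_STEP
    for effective, cert_days, dv_days in SCHEDULE:
        if issued >= effective:
            current = (cert_days, dv_days)
    return current

def project_renewals(not_after, until, lead_days=14):
    """Renew lead_days before each expiry at the maximum lifetime, up to `until`."""
    plan, expiry, validated = [], not_after, None
    while (renew_on := expiry - timedelta(days=lead_days)) <= until:
        cert_days, dv_days = limits_on(renew_on)
        if lead_days >= cert_days:
            raise ValueError("renewal lead time exceeds the certificate lifetime")
        # DV evidence may be reused only if it is at most dv_days old at issuance.
        fresh_dv = validated is None or (renew_on - validated).days > dv_days
        validated = renew_on if fresh_dv else validated
        expiry = renew_on + timedelta(days=cert_days)
        plan.append((renew_on, cert_days, expiry, fresh_dv))
    return plan

def renewals_per_year(inventory, first_year, last_year, lead_days=14):
    """Count projected renewals per calendar year for publicly trusted certificates."""
    counts = {year: 0 for year in range(first_year, last_year + 1)}
    for _host, not_after, public in inventory:
        if public:  # per the post, internal certificates are not affected
            for renew_on, *_ in project_renewals(not_after, date(last_year, 12, 31), lead_days):
                if renew_on.year in counts:
                    counts[renew_on.year] += 1
    return counts

# Constructed sample inventory: (hostname, current notAfter, publicly trusted?)
INVENTORY = [
    ("www.example.com", date(2026, 1, 10), True),
    ("api.example.com", date(2026, 6, 1), True),
    ("vpn.internal.example", date(2027, 1, 1), False),
]
```

With a 14-day lead time, a 47-day certificate is renewed every 33 days, so the 10-day reuse window forces a fresh domain validation at every renewal; in the 100-day phase, every second renewal can still reuse the previous validation.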
