The Beginning . . .
The CA/Browser Forum has passed ballot SC081v3, which caps the validity of publicly trusted TLS certificates at 47 days from March 2029. Shorter lifetimes have been discussed for years; an earlier attempt was put to a vote and failed.
Phased Approach
The reduction is phased, ending at 47-day certificates in March 2029.
- March 15, 2026: Maximum TLS certificate lifetime shrinks to 200 days, accommodating a six-month renewal cadence. The Domain Control Validation (DCV) data reuse period also drops to 200 days.
- March 15, 2027: Maximum lifetime shrinks to 100 days, accommodating a quarterly renewal cadence. The DCV reuse period drops to 100 days.
- March 15, 2029: Maximum lifetime shrinks to 47 days, accommodating a monthly renewal cadence. The DCV reuse period drops to 10 days.
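To make the schedule concrete, here is an added example (not code from this post or from any DCLM product) that encodes the three phases and checks a certificate inventory against them. It assumes the 398-day cap that the Baseline Requirements already impose on validity and DCV reuse before the first phase, uses the common ACME-client convention of renewing at two thirds of the lifetime (the fraction is this example's choice), and the hostnames in the sample inventory are constructed. One detail worth noticing: validity is counted from notBefore through notAfter inclusive, so a "47-day" certificate whose notAfter is exactly notBefore plus 47 days is one second over the limit.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


def utc(y, m, d, h=0, mi=0, s=0):
    """Construct a timezone-aware UTC timestamp (helper for the examples)."""
    return datetime(y, m, d, h, mi, s, tzinfo=timezone.utc)


# Phase-in schedule from the ballot text quoted above:
# (effective date, max certificate lifetime in days, max DCV reuse in days).
SCHEDULE = [
    (utc(2026, 3, 15), 200, 200),
    (utc(2027, 3, 15), 100, 100),
    (utc(2029, 3, 15), 47, 10),
]
# Limits in force before the first phase: the 398-day cap the Baseline
# Requirements already impose on validity and DCV reuse (assumed here, not from the post).
PRE_BALLOT_LIMITS = (398, 398)


def limits_on(issued: datetime) -> tuple:
    """Return (max_lifetime_days, max_dcv_reuse_days) in force at issuance time."""
    lifetime, reuse = PRE_BALLOT_LIMITS
    for effective, max_life, max_reuse in SCHEDULE:
        if issued >= effective:
            lifetime, reuse = max_life, max_reuse
    return lifetime, reuse


def validity_seconds(not_before: datetime, not_after: datetime) -> int:
    """Validity per RFC 5280 and the BRs runs from notBefore through notAfter
    inclusive, so a compliant 47-day certificate ends at notBefore + 47d - 1s."""
    return int((not_after - not_before).total_seconds()) + 1


def is_compliant(not_before: datetime, not_after: datetime) -> bool:
    """True if the validity period fits the cap in force on notBefore."""
    max_days, _ = limits_on(not_before)
    return validity_seconds(not_before, not_after) <= max_days * 86400


def dcv_reusable(validated_at: datetime, issue_at: datetime) -> bool:
    """May DCV evidence gathered at validated_at back an issuance at issue_at?"""
    _, reuse_days = limits_on(issue_at)
    return (issue_at - validated_at).days <= reuse_days


def renewal_due(not_before: datetime, not_after: datetime, fraction=2 / 3) -> datetime:
    """Trigger renewal once `fraction` of the lifetime has elapsed (assumed
    convention), leaving the remainder for retries before expiry."""
    return not_before + (not_after - not_before) * fraction


@dataclass
class CertRecord:
    subject: str
    not_before: datetime
    not_after: datetime


def audit(records, now: datetime):
    """Return (subject, finding) pairs for certificates that need attention."""
    findings = []
    for r in records:
        max_days, _ = limits_on(r.not_before)
        if not is_compliant(r.not_before, r.not_after):
            findings.append((r.subject, f"exceeds {max_days}-day limit"))
        elif now > r.not_after:
            findings.append((r.subject, "expired"))
        elif now >= renewal_due(r.not_before, r.not_after):
            findings.append((r.subject, "renewal window open"))
    return findings


# Constructed inventory for demonstration; the hostnames are made up.
SAMPLE = [
    # 47 days inclusive: compliant, and past the two-thirds mark on SAMPLE_NOW
    CertRecord("api.example.test", utc(2029, 4, 1), utc(2029, 5, 17, 23, 59, 59)),
    # notAfter one second later: 47 days + 1 s, over the limit
    CertRecord("www.example.test", utc(2029, 4, 1), utc(2029, 5, 18)),
    # 200-day certificate issued during the 100-day phase
    CertRecord("legacy.example.test", utc(2027, 6, 1), utc(2027, 12, 17, 23, 59, 59)),
    # 47 days, still inside the first two thirds of its life on SAMPLE_NOW
    CertRecord("mail.example.test", utc(2029, 4, 20), utc(2029, 6, 5, 23, 59, 59)),
]
SAMPLE_NOW = utc(2029, 5, 5)

if __name__ == "__main__":
    for subject, finding in audit(SAMPLE, SAMPLE_NOW):
        print(f"{subject}: {finding}")
```

Running it lists api.example.test as due for renewal, www.example.test as over the 47-day cap by one second, and legacy.example.test as over the 100-day cap; mail.example.test needs no action yet. The same `limits_on` lookup drives `dcv_reusable`, so a CA-side or DCLM-side check can refuse to reuse validation evidence older than 10 days once the final phase is in force.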
What We Know
The CA/B Forum met on 3/14/25 and noted that SC081v3 was entering its voting period. The Forum met again on 4/14/25; no minutes from that meeting have been published as of the date of this post. On 3/4/25 I attended Keyfactor TechDays in Miami, organized by Keyfactor (a leader in digital trust), where the Chair of the CA/B Forum, Dimitris Zacharopoulos, was in attendance and presented. He indicated that passage of this ballot (SC081v3) was a certainty. As indicated above, and documented here, SC081v3 has passed. A post on the CA/B Forum's Google Group indicates that the ballot passed and is now in the Forum's Intellectual Property Rights (IPR) review period. We will add a comment to this post with a link when the CA/B Forum announces final approval of the ballot.
What Next?
There are many articles, posts, blogs, and other references on this topic across the internet. Most of them, including material from both Sectigo and DigiCert, say the ballot was introduced to improve security (a shorter lifetime shrinks the window in which a compromised or mis-issued certificate remains usable and reduces reliance on revocation) and to prepare customers and enterprises for the migration to post-quantum cryptography (PQC), which will require replacing certificates at scale on short notice.
What is clear is that automated digital certificate lifecycle management (DCLM) will be required to manage certificates; it will no longer be optional. At 47 days every certificate is replaced roughly eight times a year, which rules out manual renewal for any estate of meaningful size.
Our Opinion – What is Lacking with DCLM?
There are several good and some not-so-good DCLM software systems available. We have worked with both the good and the not so good.
We believe that while the better automated DCLMs are good, they are not yet where they need to be to handle 47-day certificate lifetimes. The DCLM products will need to continue to mature.
What is required is that DCLMs be fully automated. The current state of the art is that the better DCLMs are good at inventory, certificate monitoring, and notification of upcoming certificate expiration events. However, their ability to renew and replace certificates in a fully automated manner is not complete.
Many DCLMs can handle renewals for basic web servers (e.g. Microsoft IIS). The real problem is that many customers use non-standard systems and applications in their enterprise. Those that use private key stores (e.g. Java KeyStores and other unique applications) are not fully supported in most DCLM systems, and in many instances require custom development. These DCLM systems need to mature, and do so quickly, or enterprises will be looking at outages in the next 4 years. There is at least one DCLM system that handles Java KeyStores and many other custom environments, Keyfactor Command.
Opinions on DCLM – What do you Think?
Leave your thoughts, opinions, and comments below. We look forward to an interactive conversation.