Google wants to shorten the validity period of websites’ digital certificates to 90 days. Apple has now followed suit, proposing a gradual reduction to 45 days in the future. This change affects all companies that secure their communications with digital certificates. But what is driving this push—and how can companies respond to the shortened validity?
Background
The validity period of digital certificates has been continuously reduced for years. Until 2015, certificates were still issued with validity periods of up to five years; the maximum validity was then initially limited to three years and finally to two years in 2018. Since autumn 2020, SSL/TLS certificates have been issued with a validity period of 398 days, i.e., around 13 months. The underlying idea: shorter validity periods are intended to increase their reliability and to take account of growing computing power—and the associated increased risk of encryption being broken.
SSL certificates and S/MIME certificates are used to establish secure TLS connections with a network endpoint, to uniquely identify the sender of an email, or to send the content of an email in encrypted form. They can also be used to verify the authenticity of an endpoint, for example to detect man-in-the-middle attacks. The validity of an SSL certificate that is presented depends, among other things, on whether it was issued by a generally recognized certificate authority or by an intermediate authority signed by it. Top-level certificate authorities are also known as Root CAs and serve as trust anchors when validating SSL certificates.
In early 2023, Google, acting as the primary developer of the Chromium web browser engine and the Chromium OS operating system, published a proposal for the future development of the public SSL certificate infrastructure. The significance of this proposal is underscored by the fact that Google is also the administrator of the Chrome Root Store. For almost 70% of all smartphones and 66% of web browser users, it determines which certificate authorities are recognized as trustworthy and valid. This market share inevitably means that Google could turn the Chromium project’s requirements into a de facto standard.
The proposed changes to the Chrome Root Store policies were published under the title “Moving Forward, Together”. A number of fundamental objectives are cited as reasons for the adjustments:
- Promoting modern and agile infrastructures
- Establishing simple concepts
- Comprehensive automation
- Fewer incorrectly issued certificates
- Overall strengthening of the integrity of the ecosystem
- Standardized and optimized domain validation procedures
- Preparing for a “post-quantum” world
After Google moved away from its originally communicated goal of enforcing the shortened validity period as early as 2024, Apple made a parallel move in October 2024—aiming to reduce certificate lifetimes as well. In a draft ballot proposal published on GitHub, known as Ballot SC-081, Apple presents the timeline for reducing certificate validity periods. Starting on September 15, 2025, the validity period is to be reduced step by step from the current 398 days to 45 days in the future.
| Date | Maximum validity period |
|---|---|
| September 15, 2025 | 200 days |
| September 15, 2026 | 100 days |
| April 15, 2027 | 45 days |
The issue of quantum computers
So why are two global players pushing so strongly for shorter SSL certificate validity periods? The answer is multifaceted, but it is worth looking into the crystal ball, toward a “post-quantum” world. For the IT landscape in general, the development of quantum computers holds great potential, as they could overcome some computing-time-related hurdles for well-known problems in mathematics and physics. At the same time, it poses risks for cryptography, because the algorithms used there mostly rest on the assumption that the underlying mathematical problem is extremely difficult for an attacker to solve.
In the future, quantum computers could be able to solve problems such as prime factorization or the discrete logarithm problem—on which many cryptographic algorithms are based—much faster than classical computers. In particular, Shor’s algorithm, which runs exclusively on quantum computers, could, as the capacity of these machines increases, jeopardize modern asymmetric encryption methods such as RSA and Elliptic Curve Cryptography (ECC).
While classical computers require many sequential computation steps, quantum computers could solve these tasks far more efficiently thanks to their ability to process many states simultaneously. This would enable attackers to break commonly used encryption methods and decrypt sensitive data.
What improvements are Google and Apple hoping for?
Implementing the policy adjustments originally proposed by Google’s Chromium project would significantly increase the agility of the ecosystem surrounding public SSL certificates. This is due in particular to comprehensive automation of ordering and renewal processes, as well as reliable update strategies for root certificate lists in operating systems and applications. As a result, certificate rotation would increasingly become routine instead of a critical, long-term planned change—regardless of whether it concerns a root certificate, a CA intermediate certificate, or a simple TLS endpoint certificate.
Another reason to push these adjustments forward is the aforementioned ongoing development of quantum computers. While these do not yet pose a significant threat to common key lengths, an increasing number of qubits and falling error rates could make it possible to crack algorithms such as RSA and ECDSA with 2048 and 256 bits, respectively, using Shor’s algorithm.
Automated certificate management is becoming a stronger focus
For operators of IT systems, the most obvious impact is how they will manage digital certificates with shorter validity periods. Google itself notes this in its rationale for reducing the validity period: companies that provide a TLS endpoint cannot avoid automating digital certificate lifecycles on a large scale.
If the validity period is shortened to 90 days, companies would have to have the relevant certificates reissued and installed four times as often per year. Even if annual certificate costs remain the same—by adjusting the cost of a single certificate, subscription models, or other adaptations—the resulting management and administrative effort quadruples, along with the associated staffing costs. It goes without saying what Apple’s proposal to halve the lifetime again to 45 days would mean.
Alongside technical provisioning, fully automated renewal therefore also increases the need for a well-coordinated management process. Previously, each manual renewal at least implicitly confirmed that the certificate was still needed. In an automated process, potentially obsolete systems may only become noticeable in the aggregate through a high final bill.
CAs such as DigiCert and Sectigo are addressing this challenge with web-based portals that provide better oversight and are intended to simplify certificate management itself. However, a core aspect of these solutions is merely the delegation of responsibilities. Whether a certificate is still needed and what role it plays in the context of the company’s digital presence must still be known by the responsible internal entity or verified manually.
LEMARIT is actively working on integrating these management solutions into the world of LEMARIT.app in order to present the relevance and use of a certificate clearly in a domain context. Automated certificate management includes, among other things, seamless linking between DNS records and the corresponding certificates in the form of direct links, validity checks when DNS changes occur, and notices about certificates that are no longer in use.
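A sketch of the inventory check the preceding paragraphs call for, added here as an example; it is not LEMARIT's or any CA's code. It applies the schedule from the table above by issuance date and flags certificates without a matching DNS record before automation renews them; the inventory, the DNS name set, the two-thirds renewal point and all function names are assumptions constructed for illustration.

```python
from datetime import date, timedelta

# Caps from the schedule table in this article: (effective date, max days).
SCHEDULE = [(date(2025, 9, 15), 200), (date(2026, 9, 15), 100), (date(2027, 4, 15), 45)]
CURRENT_MAX_DAYS = 398  # limit the article gives for the period before the first step

def max_validity_days(issued):
    """Cap in force on the issuance date (assumption: the cap applies by issuance date)."""
    cap = CURRENT_MAX_DAYS
    for effective, days in SCHEDULE:
        if issued >= effective:
            cap = days
    return cap

def in_use(cert_name, dns_names):
    """True if a DNS record exists for the name; a wildcard covers exactly one label."""
    if cert_name.startswith("*."):
        suffix = cert_name[1:]
        return any(n.endswith(suffix) and "." not in n[:-len(suffix)] for n in dns_names)
    return cert_name in dns_names

def audit(inventory, dns_names, today):
    """Return {certificate name: [findings]} for every record in the inventory."""
    report = {}
    for cert in inventory:
        findings = []
        lifetime = (cert["not_after"] - cert["not_before"]).days
        cap = max_validity_days(cert["not_before"])
        if lifetime > cap:
            findings.append(f"lifetime {lifetime}d exceeds cap {cap}d")
        # Assumption: renewal is triggered once two thirds of the lifetime have elapsed.
        renew_on = cert["not_before"] + timedelta(days=lifetime * 2 // 3)
        if today > cert["not_after"]:
            findings.append("expired")
        elif today >= renew_on:
            findings.append("renewal due")
        if not in_use(cert["name"], dns_names):
            findings.append("no DNS record: confirm still needed before renewing")
        report[cert["name"]] = findings
    return report

# Constructed sample data, not taken from the article.
INVENTORY = [
    {"name": "www.example.test", "not_before": date(2025, 10, 1), "not_after": date(2026, 11, 3)},
    {"name": "shop.example.test", "not_before": date(2026, 10, 1), "not_after": date(2026, 12, 30)},
    {"name": "*.legacy.example.test", "not_before": date(2026, 11, 1), "not_after": date(2026, 12, 15)},
]
DNS_NAMES = {"www.example.test", "shop.example.test"}

if __name__ == "__main__":
    for name, findings in audit(INVENTORY, DNS_NAMES, date(2026, 12, 1)).items():
        print(name, "->", "; ".join(findings) or "ok")
```

The wildcard entry is the case the text warns about: it is due for renewal, yet nothing in DNS points at it any more, so an unattended renewal would keep paying for an unused certificate.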
Ready for the shortened validity period?
Regardless of the requirements or use cases that define your online presence: from the SSL/TLS entry-level version to implementing the highest certificate standards, LEMARIT offers the full range of solutions—and prepares your company for the announced reduction in validity periods.

