Why SSL Certificate Validity Was Reduced to ~200 Days

The move toward shorter SSL/TLS certificate lifetimes—first from 825 days down to 398 days, and now toward ~200 days or less—is driven by a mix of security, automation, and ecosystem pressure. It’s not a random cutoff; it reflects how the modern web actually operates.

First, shorter validity limits the damage if a certificate is compromised. If an attacker gets hold of a private key, a long-lived certificate gives them a bigger window to exploit it. Reducing validity shrinks that window significantly. This aligns with broader security principles like minimizing exposure and assuming breaches can happen.

Second, the web has largely solved the “renewal burden” problem through automation. Tools and services from organizations like Let’s Encrypt made it normal to renew certificates every 90 days without human involvement. Because automation is now widespread, long lifetimes are no longer necessary for convenience. In fact, they’re increasingly seen as a liability.

Third, shorter lifetimes improve the reliability of certificate data. Information inside certificates—like domain ownership and organizational details—can become outdated. More frequent renewals ensure that certificates reflect current, verified information, which strengthens trust in the system as a whole.

Another key factor is the declining importance of revocation mechanisms. Historically, if a certificate was compromised, it could be revoked using CRLs or OCSP. In practice, revocation checking has been inconsistent and sometimes unreliable, and many clients simply skip it. By shortening certificate lifetimes, the industry reduces its reliance on revocation: an expired certificate naturally “self-revokes,” and with short lifetimes that happens much sooner.

There’s also pressure from browser vendors, particularly Apple and Google, which set policies through root programs and browser requirements. These companies have consistently pushed for shorter lifetimes as part of a broader effort to harden web security. Their influence is decisive because if a certificate doesn’t meet their requirements, browsers will simply reject it.

Finally, shorter lifetimes encourage better operational hygiene. Organizations are forced to adopt proper certificate management practices—like monitoring, automation, and key rotation—instead of treating SSL as a “set it and forget it” task done once every few years.
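The three operational points above (the exposure window after a key compromise, automated renewal on a fixed fraction of the lifetime, and monitoring certificates against a maximum-lifetime policy) can be checked with a small policy script. The following is an added example written for this page, not code from the article or from any CA or browser vendor; it uses only the Python standard library. The policy names, the two-thirds renewal fraction, the sample certificate dates and the "today" date are all constructed for illustration, and the date format is the one printed by `openssl x509 -noout -dates`.

```python
# Added example: a certificate-lifetime policy checker (Python stdlib only).
# Policy names, renewal fraction, sample dates and SAMPLE_NOW are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Maximum lifetimes the article mentions: 825 days (legacy), 398 days
# (the current cap) and ~200 days (the proposed next step).
POLICY_MAX_DAYS = {"legacy-825": 825, "current-398": 398, "proposed-200": 200}

# Renew once two thirds of the lifetime has elapsed. Assumption: this mirrors
# the common ACME practice of renewing a 90-day certificate at day 60.
RENEW_NUMERATOR, RENEW_DENOMINATOR = 2, 3

# Constructed "today" used by the samples below.
SAMPLE_NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)


def parse_openssl_date(line: str) -> datetime:
    """Parse one line of `openssl x509 -noout -dates` output, e.g.
    'notAfter=Feb  3 00:00:00 2026 GMT', into an aware UTC datetime."""
    _, _, value = line.partition("=")
    naive = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y GMT")
    return naive.replace(tzinfo=timezone.utc)


@dataclass
class Assessment:
    lifetime_days: int          # notAfter - notBefore, in whole days
    days_remaining: int         # days until expiry, 0 if already expired
    status: str                 # "expired", "renew-now" or "ok"
    violates: list = field(default_factory=list)  # policies whose cap is exceeded


def assess(not_before: datetime, not_after: datetime, now: datetime) -> Assessment:
    """Classify a certificate against the renewal rule and the lifetime caps."""
    lifetime = not_after - not_before
    # timedelta * int / int keeps the arithmetic exact to the microsecond.
    renew_at = not_before + lifetime * RENEW_NUMERATOR / RENEW_DENOMINATOR
    if now >= not_after:
        status = "expired"
    elif now >= renew_at:
        status = "renew-now"
    else:
        status = "ok"
    violates = [name for name, cap in POLICY_MAX_DAYS.items() if lifetime.days > cap]
    return Assessment(
        lifetime_days=lifetime.days,
        days_remaining=max(0, (not_after - now).days),
        status=status,
        violates=violates,
    )


def exposure_window_days(not_after: datetime, compromised_at: datetime) -> int:
    """Days an attacker could keep using a leaked key if it is never revoked:
    the certificate's remaining validity at the moment of compromise."""
    return max(0, (not_after - compromised_at).days)


# Constructed sample certificates, in the format `openssl x509 -noout -dates` prints.
SAMPLE_CERTS = {
    "legacy-825d": ("notBefore=Jan  1 00:00:00 2024 GMT", "notAfter=Apr  5 00:00:00 2026 GMT"),
    "current-398d": ("notBefore=Jan  1 00:00:00 2025 GMT", "notAfter=Feb  3 00:00:00 2026 GMT"),
    "acme-90d": ("notBefore=Jan  1 00:00:00 2026 GMT", "notAfter=Apr  1 00:00:00 2026 GMT"),
}


def assess_samples(now: datetime = SAMPLE_NOW) -> dict:
    """Run the policy check over the constructed samples; keyed by sample name."""
    return {
        name: assess(parse_openssl_date(nb), parse_openssl_date(na), now)
        for name, (nb, na) in SAMPLE_CERTS.items()
    }


if __name__ == "__main__":
    for name, a in assess_samples().items():
        print(f"{name}: lifetime={a.lifetime_days}d remaining={a.days_remaining}d "
              f"status={a.status} violates={a.violates}")
```

Run as a script it reports that the 825-day certificate is overdue for renewal and would fail both the 398-day and ~200-day caps, the 398-day certificate has already expired and would fail only the ~200-day cap, and the 90-day certificate is within policy and not yet due. `exposure_window_days` makes the first point of the article concrete: the same key leak costs more days of exposure the longer the certificate has left to run.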

In short, the shift toward ~200-day (and even shorter) certificate validity is about reducing risk, embracing automation, and making the web’s trust infrastructure more resilient.
