> browsers can and do set their own rules.

Here's a link to the minutes of the CABF meeting where the 25 certificate issuers and the 4 browser vendors—Apple, Google, Microsoft, Mozilla—agreed to reduce the validity period of TLS certificates unanimously [1].
> The reduction of TLS cert lifetime to a max of 398 days was an Apple policy.

Actually, all of the browser vendors voted to reduce the validity period of TLS certificates from 825 days to 398 days at the September 2019 meeting. The ballot failed because a majority of the certificate issuers voted against it.
At the February 2020 CABF meeting, Apple announced it would unilaterally enforce the 398-day limit through its own root program policy. Starting September 1, 2020, any new TLS certificate with a validity period exceeding 398 days would simply not be trusted by Safari, macOS, or iOS.
This effectively made the 398-day limit a de facto standard — no CA would issue longer certificates if they’d be rejected by Apple devices [2].

|Date |Max Certificate Validity|SAN Data Reuse Period|
|-----------------|------------------------|---------------------|
|Before March 2026|398 days (current) |398 days |
|March 15, 2026 |200 days |200 days |
|March 15, 2027 |100 days |100 days |
|March 15, 2028 |47 days |10 days |
|March 15, 2029 |47 days |10 days (final) |

[1]: https://cabforum.org/2025/04/11/ballot-sc081v3-introduce-sch...

[2]: https://www.entrust.com/blog/2020/02/apple-announces-398-day...