TLS Certificate Validity Requirements
This document describes the maximum validity period requirements for TLS server certificates used by the SAMO application server and related services. These requirements are critical for ensuring trusted HTTPS connections from all client applications, including LIDS Mobile for iOS and Android.
Background
The CA/Browser Forum (CA/B Forum), the industry body whose Baseline Requirements govern publicly trusted certificate authorities (CAs) and the browser and OS root programs that trust them, passed Ballot SC-081 (SC-081v3) in April 2025. The ballot, proposed by Apple, mandates a phased reduction of the maximum validity period of publicly trusted TLS server certificates and of the period for which a CA may reuse a domain validation result before re-validating the domain. All major platform vendors — Apple, Google, Microsoft, and Mozilla — voted in favor. The rules bind publicly trusted CAs; they do not by themselves constrain private or internal CAs (see Internal / Self-Signed Certificates below).
Maximum Certificate Validity Timeline
| Effective Date | Max Certificate Validity | Max Domain Validation Reuse |
|---|---|---|
| Before 15. 3. 2026 | 398 days (approx. 13 months) | 398 days |
| 15. 3. 2026 | 200 days | 200 days |
| 15. 3. 2027 | 100 days | 100 days |
| 15. 3. 2029 | 47 days | 10 days |
:::warning Important
The effective date applies to the certificate's issuance date (its notBefore field): certificates issued on or after the effective date must not exceed the specified maximum validity. Certificates issued before the effective date remain valid until their expiration, even if their validity period exceeds the new limit.
:::
Impact on SAMO Platform
SAMO Application Server
The SAMO application server uses TLS certificates for securing HTTPS communication. When deploying or renewing certificates, ensure they comply with the current maximum validity limits.
LIDS Mobile for iOS
Apple has enforced a maximum validity period for TLS server certificates at the operating system level since 1 September 2020 (iOS 14 / macOS 11): a certificate issued on or after that date by a CA in Apple's system trust store must not be valid for more than 398 days, otherwise the TLS handshake fails. Apple proposed SC-081, so the reduced limits should be expected to be enforced in the same way; in any case a publicly trusted CA will not issue a certificate that exceeds them.
If the server certificate is not compliant, LIDS Mobile for iOS will not be able to connect to the server; the app has no user-facing override for a rejected certificate.
LIDS Mobile for Android
Android currently does not enforce a uniform maximum certificate validity at the OS level for native application connections. However:
- Public CAs are required to comply with the CA/B Forum rules and will not issue certificates exceeding the allowed validity.
- Google Chrome on Android applies Chromium's certificate lifetime check (an over-long publicly trusted certificate is rejected with ERR_CERT_VALIDITY_TOO_LONG), so web-based access through Chrome will be affected.
Other Clients (LIDS Explorer, Web Browsers)
Chromium-based browsers (Chrome, Edge) and Safari reject a publicly trusted certificate whose validity period exceeds the limit in force on its issuance date. Mozilla enforces the same limits on CAs through its root store policy rather than by rejecting certificates in Firefox. Either way, a certificate from a publicly trusted CA that exceeds the maximum validity must be treated as unusable for these clients.
Recommendations
Use Certificates from a Public CA
Public certificate authorities are bound by the CA/B Forum Baseline Requirements and will not issue a certificate that exceeds the limit in force on its issuance date, so each renewal automatically picks up the current limit. Using certificates from a public CA (e.g., Let's Encrypt, DigiCert, Sectigo) therefore ensures compliance without manually tracking the validity limits.
Automate Certificate Renewal
With the maximum validity dropping to 47 days by 2029, manual certificate renewal becomes impractical: a 47-day certificate should be renewed at about two-thirds of its lifetime, i.e. roughly every 30 days, and because a domain validation result may then be reused for only 10 days, every renewal will also re-run the domain validation challenge, so the challenge itself (HTTP-01 or DNS-01) must be automated as well. Implement automated certificate management using:
- ACME protocol — supported by Let's Encrypt (free) and most commercial CAs
- Certbot or similar ACME clients for automatic renewal
- Container orchestration tools (e.g., cert-manager for Kubernetes)
Internal / Self-Signed Certificates
If you use an internal CA or self-signed certificates (e.g., for development or isolated environments):
- Apple's 398-day limit applies only to certificates that chain to a root in Apple's system trust store; certificates issued under a user- or MDM-installed enterprise root are not subject to it. Apple's baseline requirements for TLS server certificates from iOS 13 / macOS 10.15 onward (validity of 825 days or less, the host name in a Subject Alternative Name, RSA keys of at least 2048 bits, SHA-2 signatures) do apply to every server certificate, including internally issued and self-signed ones.
- Even so, issue internal certificates within the same validity limits as the public schedule, especially if iOS clients are used: this keeps a single renewal process for public and internal certificates and avoids surprises if a device's trust configuration changes.
- For development and testing environments where iOS is not used, longer validity periods may still work on Android and desktop clients, but this is not recommended.
Action Items
- Immediate — check the validity period (notAfter minus notBefore) of every publicly trusted server certificate in use: a certificate issued on or after 15. 3. 2026 must be valid for 200 days or less.
- Short-term — plan for automated certificate renewal to prepare for the 100-day limit (effective 15. 3. 2027).
- Medium-term — implement fully automated certificate lifecycle management (ACME) before the 47-day limit takes effect (15. 3. 2029).
References
- CA/Browser Forum Ballot SC-081 — official ballot text
- Apple's TLS certificate requirements — Apple Support documentation on requirements for trusted certificates