
CA/Browser Forum Updates

The CA/B Forum continuously makes new decisions that adapt the Baseline Requirements for TLS/SSL certificates, S/MIME, Code Signing and more. These changes have a direct impact on Certificate Authorities and certificate users.

On this page you will find:

  • All relevant CA/B Forum decisions for the DACH region explained in an understandable way

  • Concrete recommendations for IT security managers

  • Timeline of the most important deadlines

  • Unique: Technical analysis in German, French and English

The most important deadlines at a glance

| Deadline | Title | Affected |
| --- | --- | --- |
| July 2026 | Reusable DNS validation planned for SwissSign certificates | TLS/SSL + S/MIME |
| 15 March 2027 (SwissSign: to be announced) | Reduction of the maximum validity period to 100 days (SwissSign: 98 days) | TLS/SSL certificates |
| 15 March 2027 (SwissSign: Q1 2027) | Purpose of use ‘Client Authentication’ no longer used for public TLS/SSL certificates | TLS/SSL certificates |
| 15 March 2029 (SwissSign: to be announced) | Reduction of the maximum validity period to 47 days (SwissSign: 45 days) | TLS/SSL certificates |

High relevance for certificate users

47-day validity for TLS/SSL, 10 days for domain validations

Ballot SC-094

Relevance for certificate users: ★★★★★ (5/5)

Affected users: All organisations with public TLS/SSL certificates

Affected certificate types: TLS/SSL (DV, OV, EV)

Implementation effort: ★★★★★ (5/5) – Automation is mandatory (ACME, REST API, CLM solution)

CA/B Forum status: Ballot SC-094 – Approved 4 April 2025. Phased implementation: 200 days (March 2026) → 100 days (March 2027) → 47 days (March 2029)

SwissSign status: Transition to daily validity from January 2026, reduction to 200 days on 9 March 2026

Deadline for certificate users: 15 March 2026 (first reduction to 200 days)

Client Authentication in TLS/SSL certificates no longer supported from 2027

Google Chrome Root Program Policy

Relevance for certificate users: ★★★★☆ (4/5)

Affected users: Organisations using public TLS/SSL certificates for client authentication

Affected certificate types: Public TLS/SSL server certificates with Extended Key Usage ‘Client Authentication’

Implementation effort: ★★★☆☆ (3/5) – Use of private certificates or S/MIME

CA/B Forum status: Google Chrome Root Program Policy – Effective 15 March 2027

SwissSign status: Implementation for TLS/SSL certificates expected at the end of January 2027

Deadline for certificate users: 15 March 2027

Moderate relevance for certificate users

Certificate Authorities validate DNSSEC

Ballot SC-085v2 & SMC014

Relevance for certificate users: ★★☆☆☆ (2/5)

Affected users: Organisations with domains in DNSSEC-signed zones (TLS: CAA and DCV lookups, S/MIME: CAA lookups)

Affected certificate types: TLS (DV, OV, EV) and S/MIME certificates

Implementation effort: ★★☆☆☆ (2/5) – No effort if DNSSEC is already correctly configured; moderate effort for DNSSEC reconfiguration or correction

SwissSign status: Go-Live planned for early March 2026

Deadline for certificate users: If DNSSEC is in use, check the DNSSEC configuration by 15 March 2026 at the latest

Reusable DNS Validation

Ballot SC-088v3

Relevance for certificate users: ★★☆☆☆ (2/5) – rising to ★★★★☆ (4/5) by 2029

Affected users: Organisations with automated certificate issuance (MPKI, CLM platforms) – particularly relevant from 2029

Affected certificate types: All TLS/SSL and S/MIME certificates – each requires domain validation

Implementation effort: ★★☆☆☆ (2/5) – one-time DNS setup per domain, revalidation at least every 10 days (ready for 2029)

CA/B Forum status: SC-088v3 (Server Certificate) adopted 9 October 2025, effective 11 November 2025

SwissSign status: Go-live planned for summer 2026, revalidation every 8 days

Deadline for certificate users: None (optional method)


Certificate Authorities will validate domains from multiple network locations from September 2025

CA/B Forum Ballots SC-067 (TLS) & SMC-010 (S/MIME)

Relevance for certificate users: ★★★☆☆ (3/5)

Affected users: Organisations with restrictive firewall rules, geo-restricted DNS resolutions, or IP whitelists for validation servers

Affected certificate types: TLS/SSL certificates, S/MIME certificates (both for publicly trusted certificates)

Implementation effort: ★★☆☆☆ (2/5) – Low for most organisations; medium to high only for restrictive network configurations (firewalls, geo-blocking, IP whitelists)

CA/B Forum status:

  • SC-067 (TLS): Adopted August 5, 2024, effective September 15, 2025

  • SMC-010 (S/MIME): Adopted December 22, 2024, Compliance Date May 15, 2025, Full Implementation September 15, 2025

  • Gradual increase: March 2026 (3 perspectives), June 2026 (4 perspectives), December 2026 (5 perspectives)

SwissSign status: Introduction in February 2025; gradual increase until December 2026

Deadline for certificate users: No adjustment required

Good to know for certificate users

EUID, the new internationally unique organisational identifier

Ballot SMC011

Relevance for certificate users: ★★☆☆☆ (2/5)

Affected users: German organisations with commercial register entry (ambiguous HR numbers), OV/EV certificates

Affected certificate types: OV and EV TLS/SSL, S/MIME with OrganisationIdentifier

Implementation effort: ★☆☆☆☆ (1/5) – No action required (automatic CA-side implementation)

CA/B Forum status: Ballot SMC011 (S/MIME BR) – Adopted 31 March 2025, Effective 14 May 2025

SwissSign status: Already implemented

Deadline for certificate users: None (CA-side change)

SwissSign Certificate Lifecycle Management

From shrinking validity periods to post-quantum migration, manual certificate management is reaching its limits. SwissSign's Certificate Lifecycle Management automates discovery, governance and renewal, with Swiss-European digital sovereignty built in.

  • Discovery, governance, automation across your entire certificate estate, any CA, any location

  • Swiss-hosted, sovereign PKI for regulated industries

  • Ready for shorter lifespans and crypto-agility without manual effort


Frequently Asked Questions (FAQ)

The CA/Browser Forum is a voluntary organisation of Certificate Authorities (CAs) and browser manufacturers (e.g. Google Chrome, Mozilla Firefox, Microsoft Edge, Apple Safari), which defines standards for publicly trusted TLS/SSL and S/MIME certificates as well as rules for Certificate Authorities that are recognised as trustworthy by browsers.

Certificate Authorities must meet the so-called Baseline Requirements to remain in browser root stores. Certificate users are indirectly affected when changes require new validation methods or certificate validity periods are reduced.

The CA/B Forum has passed 15-20 ballots per year over the past two years, most of which concern TLS/SSL certificates.

All official ballots are available on cabforum.org. SwissSign offers the most important ballots in German with practical recommendations for action.

The CA/B Forum documents are technically complex and only available in English. SwissSign not only translates the relevant changes, but also explains them in a practical way for IT security managers in the DACH region.

About this site

Objective: SwissSign documents all relevant CA/B Forum ballots that have an impact on certificate users in the DACH region. We focus on practical changes with concrete recommendations for action.

Selection criteria:

  • Ballots with direct action relevance for users

  • CA-internal changes with possible impact on users

  • Focus on TLS/SSL and S/MIME certificates

Sources:

  • CA/B Forum Official Website (cabforum.org) + Documentation on GitHub

  • SwissSign Team