PKIcompliance calendarCA/Browser Forum

    2026–2027 Trust & Compliance Calendar

    Track upcoming industry mandates, certificate lifecycle reductions (including the 47-day TLS shift), and root policy changes from Google and Apple. Stay ahead of PKI compliance.

    Schutz IT 28 March 2026 5 min read

    Stay Ahead of the Cryptographic Breaking Point

    Industry mandates are evolving rapidly. Public certificate lifecycles are compressing toward 47 days, CA/Browser Forum rules are tightening, and legacy trust roots are being deprecated. Instead of tracking updates across a fragmented ecosystem, use this consolidated roadmap to plan your infrastructure automation, avoid outages, and maintain zero-trust compliance ahead of enforcement dates.

    1. CA/B Forum

      Public TLS Validity Drops to 199 Days

      The CA/Browser Forum enforces shorter lifespans. Domain validation and organization validation reuse periods also shrink to 199 and 397 days respectively. Continuous automation (ACME) becomes critical for public-facing assets.

    2. Code Signing

      Code Signing Validity Drops to 459 Days

      Public code signing certificates enforce stricter lifecycles. Organizations must pivot toward automated software trust managers and secure CI/CD pipeline signing.

    3. Root Programs

      Chrome & Mozilla G1 Root Deprecation

      Google Chrome and Mozilla enforce the removal of public G1 root certificates. Enterprise environments must ensure all endpoints and load balancers have migrated to updated Root hierarchies.

    4. Transparency

      Mandatory CT Logging & Strict MPIC Enforcement

      Chrome mandates Certificate Transparency (CT) logging for all public TLS. Additionally, Multi-Perspective Issuance Corroboration (MPIC) enforces validation from up to 4 remote perspectives to prevent localized DNS hijacking.

    5. EKU Policy

      ClientAuth EKU Removal from Public TLS

      The end of dual-EKU TLS. Client Authentication will be stripped from public TLS certificates, forcing financial and enterprise sectors to transition to dedicated Private PKI/mTLS architectures for device and user authentication.

    6. Pending / TBDHorizon

      The 99-Day and 47-Day Public TLS Mandate

      The ultimate goal of the CA/B Forum and major browsers. Manual certificate tracking via spreadsheets will become mathematically impossible without triggering enterprise-wide outages.

    Ready to Automate Your Trust Lifecycle?

    Do not wait for a mandate to break your infrastructure. Transition from manual tracking to Platform Lifecycle Governance today.

    Talk to a PKI architect →

    Keep reading

    AiTM Phishing: Why Your MFA Is No Longer Enough

    Adversary-in-the-Middle (AiTM) attacks are bypassing traditional MFA at scale. Learn how these attacks work and why phishing-resistant MFA is essential.

    Read article →

    EU 2026 IVI Mandate: Digital Vehicle Certs

    Prepare for the EU's July 2026 mandate replacing the paper Certificate of Conformity (CoC) with Initial Vehicle Information (IVI) XML files secured by QSealC.

    Read article →