Certificate Authority/Browser Forum (CA/Browser Forum)

Summary

  • The CA/Browser Forum is a voluntary consortium of Certificate Authorities, browser vendors, and other PKI stakeholders that sets industry standards for digital certificate issuance and management.
  • In April 2025, the CA/B Forum passed Ballot SC-081v3, reducing the maximum TLS certificate validity from 398 days to 47 days in three steps ending March 15, 2029.
  • The Forum maintains four active working groups: Server Certificate WG, Code Signing Certificate WG, S/MIME Certificate WG, and Network Security WG.
  • All publicly trusted Certificate Authorities must comply with the Baseline Requirements (BRs) and undergo regular audits (WebTrust or ETSI) to keep their roots in browser and operating-system trust stores.
  • Organizations must adopt certificate lifecycle automation to manage the operational impact of shorter certificate validity periods.

What is the Certificate Authority/Browser Forum (CA/Browser Forum)?

The Certificate Authority/Browser Forum (commonly known as the CA/B Forum or CABF) is a voluntary consortium of Certificate Authorities (CAs), internet browser vendors, operating system providers, and other organizations whose software relies on digital certificates. The Forum’s primary mission is to define industry standards and best practices for issuing and managing publicly trusted digital certificates, ultimately enhancing the security of internet communications for users worldwide.

Founded in 2005, the CA/B Forum emerged from the need for greater assurance in online transactions. The organization facilitates collaboration between certificate issuers (such as GlobalSign, IdenTrust, and Let’s Encrypt) and certificate consumers (including Google Chrome, Apple Safari, Mozilla Firefox, and Microsoft Edge) to establish uniform standards that protect users when connecting to websites, signing code, or encrypting email communications.

As of 2025, the Forum includes over 60 certificate issuers and 12 certificate consumer organizations, representing a global coalition dedicated to improving the Web PKI ecosystem. The Forum operates through specialized working groups, each focused on specific certificate types and security requirements.

The Structure and Governance of the CA/B Forum

The CA/B Forum operates as an unincorporated association governed by formal Bylaws first adopted in 2012. The governance structure ensures transparent decision-making while protecting intellectual property rights through a dedicated IPR Policy.

Membership Categories

The Forum recognizes several membership categories, each with specific qualifications and voting rights:

  • Certificate Issuers: must operate a CA with a current WebTrust or ETSI EN 319 411 audit and actively issue certificates trusted by at least one Certificate Consumer Member. Full voting rights in the Working Groups they join.
  • Certificate Consumers: must produce software (browsers, email clients, operating systems) that consumes certificates and is intended for general public use. Full voting rights in the Working Groups they join.
  • Interested Parties: any individual or organization with an interest in Forum activities. May take part in discussions but cannot vote.
  • Associate Members: organizations that contribute to the Forum’s work, as determined by the members. Rights defined per relationship agreement.

Working Groups

The CA/B Forum organizes its technical work through Chartered Working Groups (CWGs), each responsible for developing and maintaining specific sets of requirements:

  • Server Certificate Working Group: Develops and maintains the TLS BRs governing SSL/TLS certificates used for website security.
  • Code Signing Certificate Working Group: Establishes requirements for code signing certificates that verify software publisher identity.
  • S/MIME Certificate Working Group: Defines standards for secure email certificates used to sign, verify, encrypt, and decrypt email communications.
  • Network Security Working Group: Focuses on the security of CA networks and certificate systems, the subject of the Network and Certificate System Security Requirements (NCSSRs).

What Does the CA/Browser Forum Do?

The CA/B Forum establishes technical standards and procedures that publicly trusted Certificate Authorities must follow when issuing digital certificates. These standards, known as Baseline Requirements (BRs), ensure consistent security practices across the certificate ecosystem and give relying parties (users, browsers, and applications) confidence in the authenticity of certificates. The BRs gain their force through the browser and operating-system root programs, which incorporate them by reference into their own trust-store policies.

Core Functions of the CA/B Forum

The Forum’s activities encompass several critical areas:

  • Standards Development: Creating and updating BRs for different certificate types.
  • Balloting Process: Reviewing, debating, and voting on proposed changes to requirements.
  • Audit Alignment: Specifying which audit schemes (WebTrust, ETSI) and which audit scope a CA must satisfy to remain publicly trusted; the detailed audit criteria themselves are maintained by the WebTrust and ETSI bodies.
  • Incident-Driven Change: Updating requirements in response to CA security incidents and compliance failures; the handling of individual incidents is run by the root programs rather than the Forum.
  • Future Planning: Preparing for emerging threats, including post-quantum cryptography.

Public CAs must undergo regular audits, either WebTrust for CAs or ETSI EN 319 411, to demonstrate compliance with BRs. Audit results are shared with browser root programs, and CAs must remediate any findings, often by revoking non-compliant certificates.

The Ballot Process: How Standards Evolve

The CA/B Forum uses a structured ballot process to propose, discuss, and approve changes to BRs. This democratic approach ensures all stakeholders have input while maintaining rigorous standards.

Ballot Lifecycle

  1. Proposal: A member drafts a ballot with specific changes to requirements.
  2. Discussion Period: Members debate the proposal, suggest modifications, and assess impact.
  3. Voting Period: Certificate Issuers and Certificate Consumers cast votes during a 7-day voting period. A ballot passes only if it receives at least two-thirds of the votes cast by Certificate Issuers and a majority of the votes cast by Certificate Consumers.
  4. IPR Review: A 30-day intellectual property rights review period follows successful votes.
  5. Implementation: Changes take effect according to the specified effective dates.

Recent significant ballots include:

  • SC-081v3: 47-day certificate validity schedule (passed April 2025).
  • SC-085: DNSSEC validation for the DNS lookups used in CAA checking and DCV (effective March 15, 2026).
  • SC-090: Sunset of email-based and phone-based validation methods.
  • SMC013: Post-quantum cryptography algorithm specifications for S/MIME certificates.

BRs: The Foundation of Certificate Trust

BRs represent the minimum standards that publicly trusted CAs must meet. The CA/B Forum maintains separate BRs for different certificate types, each addressing the unique security considerations of its use case.

TLS/SSL Server Certificate BRs

The TLS BRs govern the issuance of certificates used to secure websites and authenticate servers. These requirements address:

  • Domain Control Validation (DCV) methods for verifying domain ownership
  • Organization validation procedures for OV and EV certificates
  • Certificate content and profile requirements
  • Maximum validity periods and data reuse limitations
  • Revocation and certificate transparency requirements

Major 2024-2025 Updates: The Server Certificate Working Group has passed several significant ballots, including SC-067, which requires Multi-Perspective Issuance Corroboration (MPIC): the CA repeats its domain-validation and CAA lookups from several remote network vantage points so that a BGP hijack or a DNS attack that is visible only from the CA’s own network cannot yield a certificate. SC-085 additionally requires DNSSEC validation for the DNS lookups used in CAA checking and DCV, effective March 15, 2026.

Code Signing Certificate BRs

The Code Signing BRs establish standards for certificates used to sign software, firmware, and scripts digitally. Effective June 2023, all code signing certificate private keys must be generated and stored in FIPS 140-2 Level 2 or Common Criteria EAL 4+ certified hardware security modules (HSMs).

Key requirements include:

  • Subscriber identity verification before certificate issuance
  • Private key protection in certified hardware modules
  • Timestamping requirements, so that signatures remain verifiable after the signing certificate expires or is revoked
  • Revocation procedures for compromised certificates

Organizations implementing secure code signing must ensure compliance with these requirements to maintain trust in their software distributions.

S/MIME Certificate BRs

In January 2023, the CA/B Forum adopted the first-ever industry-wide standards for publicly trusted S/MIME certificates. The S/MIME BRs define four validation levels:

  • Mailbox-validated: only control of the email address is verified; suited to basic email signing and encryption.
  • Organization-validated: mailbox control plus the identity of the organization that owns the address; suited to enterprise email security where the certificate represents the organization.
  • Sponsor-validated: mailbox control plus organization identity, with the organization attesting to the named individual’s affiliation; suited to employees, partners, and contractors acting on an organization’s behalf.
  • Individual-validated: mailbox control plus the verified identity of the individual; suited to personal secure communications.

As of March 2025, CAs are required to retrieve and process CAA records for email addresses in accordance with RFC 9495 before issuing S/MIME certificates.
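The CAA processing described above, and the TLS CAA lookups referenced under SC-085, follow the same tree-climbing logic. The following is an added example, not code from the CA/B Forum or from any CA: it evaluates a CAA RRset for both a TLS request (the "issue"/"issuewild" tags of RFC 8659) and an S/MIME request (the "issuemail" tag of RFC 9495), and so goes beyond the S/MIME case alone. The DNS data, host names, and CA identifiers (tls-ca.example, mail-ca.example) are constructed stand-ins, not real records.

```python
"""CAA evaluation for TLS ('issue'/'issuewild', RFC 8659) and S/MIME ('issuemail', RFC 9495)."""
from dataclasses import dataclass

ISSUER_CRITICAL = 0x80  # RFC 8659 flag bit: if set, a CA that does not understand the tag MUST NOT issue
UNDERSTOOD_TAGS = {"issue", "issuewild", "iodef", "issuemail"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


# Constructed stand-in for DNS answers; every name and CA identifier here is hypothetical.
FAKE_DNS = {
    "example.com": [
        CAARecord(0, "issue", "tls-ca.example"),       # only this CA may issue TLS certs
        CAARecord(0, "issuemail", "mail-ca.example"),  # only this CA may issue S/MIME certs
    ],
    "locked.example.com": [CAARecord(0, "issuemail", ";")],                 # empty value: no S/MIME issuance
    "strict.example.com": [CAARecord(ISSUER_CRITICAL, "newtag", "x")],      # critical flag on an unknown tag
    "wild.example.com": [CAARecord(0, "issue", "tls-ca.example"),
                         CAARecord(0, "issuewild", ";")],                   # hosts ok, wildcards forbidden
    "corp.example.net": [CAARecord(0, "issue", "tls-ca.example")],          # no issuemail at all
}


def relevant_rrset(name: str) -> list:
    """RFC 8659 sec. 3: climb from the name toward the root and return the first CAA RRset found."""
    labels = name.lower().rstrip(".").split(".")
    while labels:
        rrset = FAKE_DNS.get(".".join(labels))
        if rrset:
            return rrset
        labels.pop(0)  # move to the parent name
    return []


def _issuer_allowed(rrset, tag: str, issuer: str) -> bool:
    """Match the CA's issuer-domain-name against the records that carry `tag`.

    No record with that tag means no restriction for that certificate type. A record whose
    value has no domain before the ';' (e.g. ";") authorises nobody. Parameters after ';' are
    ignored here.
    """
    matching = [r for r in rrset if r.tag.lower() == tag]
    if not matching:
        return True
    for r in matching:
        issuer_domain = r.value.split(";", 1)[0].strip().lower()
        if issuer_domain and issuer_domain == issuer.lower():
            return True
    return False


def _has_unknown_critical(rrset) -> bool:
    return any(r.flags & ISSUER_CRITICAL and r.tag.lower() not in UNDERSTOOD_TAGS for r in rrset)


def may_issue_tls(fqdn: str, issuer: str) -> bool:
    """TLS check. For '*.name' requests 'issuewild' governs when present, otherwise 'issue' applies."""
    wildcard = fqdn.startswith("*.")
    rrset = relevant_rrset(fqdn[2:] if wildcard else fqdn)
    if _has_unknown_critical(rrset):
        return False
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        return _issuer_allowed(rrset, "issuewild", issuer)
    return _issuer_allowed(rrset, "issue", issuer)


def may_issue_smime(email: str, issuer: str) -> bool:
    """S/MIME check (RFC 9495): look up the domain part of the address; only 'issuemail' counts."""
    domain = email.rsplit("@", 1)[1]
    rrset = relevant_rrset(domain)
    if _has_unknown_critical(rrset):
        return False
    return _issuer_allowed(rrset, "issuemail", issuer)


if __name__ == "__main__":
    print("TLS  www.example.com by tls-ca.example :", may_issue_tls("www.example.com", "tls-ca.example"))     # True
    print("TLS  www.example.com by mail-ca.example:", may_issue_tls("www.example.com", "mail-ca.example"))    # False
    print("MAIL alice@example.com by mail-ca.example:", may_issue_smime("alice@example.com", "mail-ca.example"))  # True
    print("MAIL bob@sub.locked.example.com by mail-ca.example:",
          may_issue_smime("bob@sub.locked.example.com", "mail-ca.example"))                                    # False
```

The two checks are deliberately independent: an "issue" record that names a TLS CA grants nothing for S/MIME, and an "issuemail" record grants nothing for TLS, which is exactly the separation RFC 9495 introduces. A production implementation would additionally need to follow CNAME/DNAME aliases, apply DNSSEC validation (SC-085), and run the lookup from multiple perspectives (SC-067); this example only shows the RRset logic.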

The 47-Day TLS Certificate Validity: A Transformative Change

On April 11, 2025, the CA/Browser Forum approved Ballot SC-081v3, initiating the most significant change to certificate management in recent history. The ballot, initially proposed by Apple, establishes a phased reduction of TLS certificate validity from 398 days to just 47 days by March 2029.

Implementation Timeline

The reduction follows a carefully planned schedule designed to give organizations time to adapt:

  • March 15, 2026: Maximum validity reduces to 200 days
  • March 15, 2027: Maximum validity reduces to 100 days
  • March 15, 2029: Maximum validity reduces to 47 days

Alongside validity reductions, Domain Control Validation (DCV) reuse periods will also decrease:

  • March 15, 2026: DCV reuse drops to 200 days
  • March 15, 2027: DCV reuse drops to 100 days
  • March 15, 2029: DCV reuse drops to 10 days

The same ballot also shortens the reuse period for subject identity (OV/EV) validation data from 825 days to 398 days, effective March 15, 2026.
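A practitioner checking certificates against this schedule has to get one detail right: the BRs (following RFC 5280 section 4.1.2.5) measure the validity period from notBefore through notAfter inclusive, so a certificate whose notAfter is exactly notBefore plus 47 days is one second too long. The following is an added example, not code from the CA/B Forum or from any CA or vendor; it encodes the schedule above, performs that inclusive check, computes the latest permitted notAfter, tests whether a domain validation is still reusable, and derives a renewal trigger. The two-thirds-of-lifetime renewal point is a common ACME-client heuristic and an assumption of this example, not a BR rule; the issuance dates are constructed.

```python
"""Validity-period and DCV-reuse checks against the SC-081v3 schedule (added example)."""
from datetime import date, datetime, timedelta, timezone

# Caps as stated on this page, newest first:
# (effective date, max certificate validity in days, max DCV data reuse in days).
# The last row is the regime in force before the first step (398-day cap since 2020-09-01).
SCHEDULE = [
    (date(2029, 3, 15), 47, 10),
    (date(2027, 3, 15), 100, 100),
    (date(2026, 3, 15), 200, 200),
    (date(2020, 9, 1), 398, 398),
]

ONE_SECOND = timedelta(seconds=1)


def limits_for(issued_on: date):
    """Return (max validity days, max DCV reuse days) for a certificate issued on that date."""
    for effective, max_validity, max_reuse in SCHEDULE:
        if issued_on >= effective:
            return max_validity, max_reuse
    raise ValueError(f"{issued_on} predates the 398-day cap and is not covered by this table")


def validity_period(not_before: datetime, not_after: datetime) -> timedelta:
    """Validity as the BRs define it (RFC 5280 4.1.2.5): notBefore through notAfter, INCLUSIVE.

    Both endpoint seconds count, so the period is one second longer than the plain difference.
    A certificate with notAfter == notBefore + 47 days is therefore 47 days + 1 s long.
    """
    return (not_after - not_before) + ONE_SECOND


def is_compliant(not_before: datetime, not_after: datetime) -> bool:
    """True if the inclusive validity period fits the cap in force at notBefore."""
    max_days, _ = limits_for(not_before.date())
    return validity_period(not_before, not_after) <= timedelta(days=max_days)


def latest_not_after(not_before: datetime) -> datetime:
    """Largest notAfter a CA may set for this notBefore without exceeding the cap."""
    max_days, _ = limits_for(not_before.date())
    return not_before + timedelta(days=max_days) - ONE_SECOND


def renewal_due(not_before: datetime, not_after: datetime, elapsed: float = 2 / 3) -> datetime:
    """When an automated client should start renewing.

    Renewing at two-thirds of the lifetime is a common ACME-client heuristic (assumption of this
    example, not a BR rule); at 47 days it leaves about 15 days to notice and fix a failed renewal.
    """
    return not_before + validity_period(not_before, not_after) * elapsed


def dcv_reusable(validated_on: date, issue_on: date) -> bool:
    """May a domain validation performed on validated_on be reused for issuance on issue_on?"""
    _, max_reuse = limits_for(issue_on)
    return 0 <= (issue_on - validated_on).days <= max_reuse


if __name__ == "__main__":
    nb = datetime(2029, 4, 1, tzinfo=timezone.utc)  # constructed notBefore after the 47-day step
    print("notAfter = notBefore + 47 days:", is_compliant(nb, nb + timedelta(days=47)))   # False
    print("notAfter = latest permitted:", is_compliant(nb, latest_not_after(nb)))        # True
    print("latest notAfter:", latest_not_after(nb).isoformat())
    print("renew from:", renewal_due(nb, latest_not_after(nb)).isoformat())
    print("DCV of 2029-03-20 reusable on 2029-04-01:",
          dcv_reusable(date(2029, 3, 20), date(2029, 4, 1)))                              # False (12 > 10)
```

The same off-by-one-second trap exists today under the 398-day cap: a certificate issued with notAfter equal to notBefore plus 398 days is mis-issued. The function is written to take the notBefore date rather than today’s date because the cap that applies is the one in force when the certificate is issued.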

Why Shorter Certificate Validity?

The move toward shorter-lived certificates addresses several critical security and operational concerns:

  • Improved Data Freshness: Information in certificates becomes less reliable over time; frequent revalidation helps ensure accuracy.
  • Faster Threat Response: Shorter validity periods reduce the window during which a compromised certificate can be exploited.
  • Revocation Limitations: Certificate revocation mechanisms (CRLs and OCSP) are unreliable in practice; mainstream browsers either soft-fail when the check cannot be completed or skip live checks altogether (Chrome does not query OCSP by default and relies on its own aggregated CRLSets), so a revoked certificate may still be accepted. A short lifetime bounds that exposure regardless of whether revocation works.
  • Automation Enablement: The CA/B Forum has signaled that automation is essential for effective certificate management.
  • Crypto-Agility: Shorter validity facilitates rapid transition to new cryptographic algorithms when vulnerabilities are discovered.

Preparing for Post-Quantum Cryptography

The CA/B Forum is actively preparing for the transition to post-quantum cryptography (PQC). In August 2024, the U.S. National Institute of Standards and Technology (NIST) finalized three PQC standards:

  • FIPS 203 (ML-KEM): Key encapsulation mechanism for general encryption
  • FIPS 204 (ML-DSA): Lattice-based digital signature algorithm
  • FIPS 205 (SLH-DSA): Stateless hash-based digital signature scheme

The S/MIME Working Group has already passed Ballot SMC013, which introduces specifications for the use of PQC algorithms in S/MIME certificates. Organizations should begin assessing their crypto-agility posture to prepare for these transitions.

Quantum-safe signatures are not expected to appear in commercially available publicly trusted certificates before 2026, but organizations should start planning now, beginning with an inventory of where RSA and ECDSA certificates are used and how quickly each system could switch algorithms. Solutions like AppViewX help organizations assess these dependencies and plan migration strategies.

The Role of Automation in CA/B Forum Compliance

The CA/B Forum’s direction is clear: automation is no longer optional for enterprise certificate management. The ACME protocol (Automated Certificate Management Environment), standardized in RFC 8555, enables automated certificate issuance: the client proves control of the domain through an HTTP-01, DNS-01, or TLS-ALPN-01 challenge (each corresponding to a BR-approved domain validation method), and validation typically completes in seconds. The ACME Renewal Information (ARI) extension further lets the CA tell the client when to renew, which matters when a CA needs to replace certificates early.

However, ACME alone doesn’t address all certificate management challenges. Organizations need a comprehensive certificate lifecycle management (CLM) solution that provides:

  • Complete Visibility: Discovery of all certificates across hybrid and multi-cloud environments.
  • End-to-End Automation: Support for ACME (RFC 8555), EST (RFC 7030), SCEP (RFC 8894), and native Windows auto-enrollment.
  • Policy Enforcement: Governance controls to standardize certificate issuance and usage.
  • CA-Agility: Ability to rapidly switch CAs in response to distrust events or compliance requirements.
  • Crypto-Agility: Readiness for algorithm transitions, including PQC migration.

Compliance and Audit Requirements

CAs must demonstrate ongoing compliance with BRs through regular third-party audits. The Forum recognizes two primary audit frameworks:

  • WebTrust for Certification Authorities, including the supplemental criteria for the TLS BRs with Network Security, Code Signing, and S/MIME, performed by licensed WebTrust practitioners.
  • ETSI EN 319 411-1 and 319 411-2 (together with the general requirements of ETSI EN 319 401), performed by accredited conformity assessment bodies.

An audit period may not exceed one year, and the resulting report must be delivered to the root programs within three months of the end of that period. Audit findings must be remediated, and certificate consumers (browsers) retain the right to remove non-compliant CAs from their root trust stores. Organizations operating private CAs should align with the BRs as a best practice, even where not strictly required.

How CA/B Forum Decisions Impact Your Organization

CA/B Forum requirements affect any organization that uses publicly trusted digital certificates. Key areas of impact include:

  • Website Security: TLS certificate validity changes require more frequent renewals.
  • Software Development: Code signing requirements mandate HSM-protected keys.
  • Email Security: S/MIME standards enable secure enterprise communications.
  • Compliance: Industries with regulatory requirements must align with updated standards.
  • Operational Planning: IT and security teams must prepare for increased certificate operations.

Getting Started with Certificate Lifecycle Automation

To prepare for CA/B Forum requirements and shorter certificate validity periods, organizations should:

  1. Assess Current State: Solutions like AppViewX offer free certificate discovery scans to identify all certificates in your environment.
  2. Evaluate Automation Maturity: Determine gaps in current certificate management processes.
  3. Plan for Crypto-Agility: Ensure systems can rapidly adapt to algorithm and CA changes.
  4. Implement CLM: Deploy enterprise certificate lifecycle management for visibility, automation, and control.
  5. Prepare for PQC: Begin post-quantum readiness assessment.