topic Re: DigiCert TLS Certificate Lifetimes Will Officially Reduce to 47 Days in General Topics

DigiCert TLS Certificate Lifetimes Will Officially Reduce to 47 Days

spottex — Mon, 17 Nov 2025 02:00:39 GMT

Hi There.

I have tried TAC, DigiCert administrators within the company, and not yet got a response from DigiCert themselves through the public "Contact Us" details.

Will the new Digicert TLS Certificate Lifetimes reduction to 47 Days affect IPSec VPNs. I personally don't think it will but nned confirmation.

I get Yes, No, and not sure responses.
Is there anyone that has a direct contact with DigiCert able to get a qualified answer from DigiCert?

If it does affect IPSEC PVNS it will be an administrative nightmare since I highly doubt you will be able to automate it.

I really need a 100% confident response and not a 'should' or 'probably'

TAC first response:

Yes, the DigiCert change in certificate validity can affect Check Point IPsec VPNs if you use DigiCert-issued certificates for VPN authentication (Site-to-Site or Remote Access VPN). The impact is that certificates will expire much more frequently, requiring more frequent renewal and management.

My Update to the TAC case, From CP Support AI:

Authentication Methods in Check Point IPSec VPN
Check Point IPSec VPN does not use TLS certificates for VPN tunnel authentication. Instead, it relies on the following standard authentication methods for IKE (Internet Key Exchange):
1. PKI Certificates (Recommended)
Type: X.509 certificates issued by a Certificate Authority (CA).
How Used: Check Point strongly recommends using PKI-based authentication for IKE. This means each gateway or client uses a certificate to prove its identity.
Internal CA: When gateways are managed by the same Check Point management server, the Internal Certificate Authority (ICA) automatically issues certificates for VPN authentication.
Benefits: Strong security, scalable, and easier to manage in large environments.
Summary Table
Authentication Method: PKI (X.509) Used for IPSec VPN:Yes Certificate Type: ICA or external Typical Use Case: Site-to-site, remote access
Authentication Method: TLS Certificate Used for IPSec VPN:No Certificate Type:N/A Typical Use Case: Not used for IPSec VPN tunnels

TAC Second Response:

IPSEC VPN utilizes PKI (x.509) format certificates for authentication, which are distinct from TLS certificates. However, to ensure there are no issues related to certificate validity,

we recommend confirming with DigiCert whether the certificate you are using for IPSEC VPN is impacted by their recent changes to TLS certificate lifetimes

DigiCert Administrators from internal say yes it will but provide me with a exert cut from the DigiCert link:

If it’s a public facing cert from DigiCert or any other cert vendor, the following applies:

As of March 15, 2026: The lifetime SHOULD not exceed 199 days and MUST not exceed 200 days.
As of March 15, 2027: The lifetime SHOULD not exceed 99 days and MUST not exceed 100 days.
As of March 15, 2029: The lifetime SHOULD not exceed 46 days and MUST not exceed 47 days.

https://www.digicert.com/blog/tls-certificate-lifetimes-will-officially-reduce-to-47-days

Re: DigiCert TLS Certificate Lifetimes Will Officially Reduce to 47 Days

PhoneBoy — Mon, 17 Nov 2025 15:58:43 GMT

DigiCert themselves would have to confirm whether or not the change applies to TLS certificates only or whether it also applies to IPSec VPN certificates.

Re: DigiCert TLS Certificate Lifetimes Will Officially Reduce to 47 Days

the_rock — Mon, 17 Nov 2025 16:39:49 GMT

Honestly, I would have given you EXACT same response TAC did. Thats something Digicert needs to confirm.

Re: DigiCert TLS Certificate Lifetimes Will Officially Reduce to 47 Days

spottex — Mon, 17 Nov 2025 20:43:56 GMT

Yes but TAC contradicted itself, First response Yes, which they would have asked to close the case at that point until I provided the AI output. Then the second response was NO.
I have not got a response yet from DigiCert for approx 2 weeks

I was hoping someone on here could get a response from DigiCert, like they did with the previous DigiCert change.
The previous DigiCert change was announced on this forum. i.e.

IMPORTANT - Action Required For VPN/Remote Access Security Gateways Using DigiCert - by Sep 8, 2025

Re: DigiCert TLS Certificate Lifetimes Will Officially Reduce to 47 Days

Bob_Zimmerman — Mon, 17 Nov 2025 20:52:07 GMT

The change applies to all TLS certificates issued by any public certificate authority. There are four stages.

From today until 2026-03-15, the maximum lifetime for a TLS certificate is 398 days (365 plus buffer)
From 2026-03-15 through 2027-03-15, the maximum lifetime is 200 days (180 plus buffer)
From 2027-03-15 through 2029-03-15, the maximum lifetime is 100 days (90 plus buffer)
After 2029-03-15, the maximum lifetime for TLS certificates will be limited to 47 days (45 plus buffer)

On top of this, the maximum validity period of domain ownership validation will drop to ten days on 2029-03-15.

This schedule has been set by the CA/Browser Forum, and was originally proposed by Apple with Google and Mozilla quickly concurring. Longer certificates are still technically possible, they just won't be trusted by browsers. If you're already using certificate pinning or you're already clicking through a "This certificate is expired/self-signed/whatever!" warning, nothing changes for you.

If you use certificates issued by a public CA for IPSec VPNs, these certificates will be affected. For site-to-site VPNs, this is an extremely rare configuration. After years handling VPN issues in the TAC, I'm pretty sure I can count the number of times I've seen it on one finger. It's fairly common for remote access, though (Mobile Access, SNX, etc.).

Re: DigiCert TLS Certificate Lifetimes Will Officially Reduce to 47 Days

the_rock — Mon, 17 Nov 2025 20:54:17 GMT

If I were you, I would check with your local SE about it and see if they can get an absolute confirmation, so there is no ambiguity.

Re: DigiCert TLS Certificate Lifetimes Will Officially Reduce to 47 Days

spottex — Mon, 17 Nov 2025 22:11:01 GMT

Surprisingly (as I did not think I would get one) I did get a response from DigiCert today.

"Kindly note that the reduction of the certificate lifecycle to 47 days affects all environments with no exceptions. This change was mandated by the CA/Browser Forum."

My thoughts now, that obviously can't be answered yet...
Will there be an exception announced in the future, will other Certificate Authorities follow suit.
More importantly will Check Point and other FW vendors respond with software changes. I don't see it being anytime soon, but they do have time.

As I mentioned the administrative overhead for cert updates can be extensive if the VPN connections are high priority. Especially if the single cert is used on multiple VPNs. We have to organize, the admins for the peer(s), Apps testers, and business outages just in case. This can take weeks to sync schedules.

Cisco have announced they will be removing pre-shared key from being used in IPSec VPN's forcing certificates. Which also could spread to other vendors.

retirement date calculator - sorry that was meant for google search.

Re: DigiCert TLS Certificate Lifetimes Will Officially Reduce to 47 Days

the_rock — Mon, 17 Nov 2025 22:13:29 GMT

I had not see any announcement from any other fw vendor for PSK, but lets see.

Re: DigiCert TLS Certificate Lifetimes Will Officially Reduce to 47 Days

the_rock — Mon, 17 Nov 2025 23:05:36 GMT

FWIW, this is AI answer.

*********************************

Below is the most accurate industry-reality check I can give you right now, based on how PKI, browsers, and VPN vendors actually work, and what the 47-day change really affects.

✅ **1. The 47-day Limit Does NOT Apply to IPSec VPN Certificates (Today)**

Even though DigiCert said “no exceptions, applies to all environments”, that answer is technically correct only for certificates issued under the CA/Browser Forum rules (i.e., public TLS server certificates).

✔ CA/B Forum rules apply to public, browser-trusted certificates.

✘ They do not apply to:

IPSec / IKE certificates
Internal PKI
Machine identity certificates
S/MIME certs
Private trust roots
Most non-HTTP certificate use cases

IPSec VPN certificates are not governed by CA/B Forum rules unless you are doing something very unusual—like using a publicly-trusted certificate from DigiCert for IKE authentication, which almost no enterprises do.

This is why you’re hearing contradictory answers:
Support reps answer literally (“all environments”), but the CA rules do not apply to non-browser use cases.

✅ 2. Will there be exceptions in the future?

Most likely no, because IPSec VPNs are not in scope to begin with.

Vendors like DigiCert follow:

CA/B Forum Baseline Requirements → for public TLS
Their own PKI policies → for private PKI, code signing, device identity, VPN usage

The 47-day limit is only for public TLS certificates.
VPN certs generally come from:

Your internal CA, or
A private intermediate issued by DigiCert, Sectigo, Entrust (private hierarchies are not subject to the 47-day rule)

Those can still have:

1-year,
2-year,
or even 5-10 year validity depending on your policy.

✅ 3. Will other certificate authorities follow the 47-day rule?

For publicly-trusted TLS?
Yes, 100%—they have no choice. The CA/B Forum mandated it.

For IPSec VPN certificates?
No. They are outside the scope.

✅ 4. Will Check Point, Cisco, Palo Alto, Fortinet etc. need to modify IPSec VPN certificate handling?

Not for this rule.

Why? Because none of them require or expect:

47-day public certs
public CA-issued certs for IKE

They all expect:

Internal CA or
Private PKI hierarchy with long validity certificates

Check Point specifically:

Check Point’s documentation explicitly says:

Use internal CA or private CA for VPN certificate enrollment.

Public CAs are barely mentioned outside HTTPS inspection.

❗ **5. What will require major vendor changes?**

✔ Cisco’s announcement about removing pre-shared keys

This is a completely separate initiative (cryptographic hardening).

Cisco is pushing:

IKEv2 only
Certificate-based authentication only
No PSK (eventually)

If others follow—and they likely will over the long term—this increases:

certificate management effort
PKI dependencies
automation requirements

But this still does NOT require short-lived certificates.

Vendors expect:

1–3 year certificates
automated enrollment via SCEP / EST / CMP
internal CA

❗ 6. Why DigiCert told you “47 days affects all environments”

Because:

Their support reps answer according to the public TLS policies, not the technical PKI context.
Many customers mistakenly use public TLS certs for non-browser purposes, so support gives a safe universal answer.
The internal/private CA products are not being forced to 47-day validity.

💡 7. Your concern about operational overhead is valid

You wrote:

"If the single cert is used on multiple VPNs… admins, peer admins, testers, business outages… takes weeks"

Yes—certificate-based IKE authentication is operationally painful unless you automate it.

The only realistic long-term solution is:

Automated enrollment (SCEP, EST, CMPv2)
Automated push to both VPN peers
Automated rekeying
Avoiding public CAs entirely for IKE

Check Point already supports:

SCEP (somewhat clunky)
LetsEncrypt via CPAC is for HTTP only, not IKE
Internal CA with long validity

They do NOT expect you to rotate IKE certs every 47 days.

⭐ Bottom Line

**The 47-day certificate lifetime does not apply to IPSec VPN certificates.**

You can safely use:

Internal CA
Private DigiCert CA
1–3 year validity certs

No firewall vendor currently intends to enforce 47-day IPSec certificate renewals.

Re: DigiCert TLS Certificate Lifetimes Will Officially Reduce to 47 Days

spottex — Tue, 18 Nov 2025 01:06:19 GMT

The more I read the less likely we will be able to avoid this change as a Check Point administrator.
This is going to be industry wide. If you have a policy to use Public PKI's.

If your environment supports private PKI's and policy allows these to be used in VPNs then you will have an alternative.,

Extra info: This is an extract from a Digicert PDF:

Q: How are non-browser clients
(like network devices) affected?
The public TLS certificate market overwhelmingly supports
browser-facing certificates installed on a web server of some
kind, but there are others. VPN gateways and some IoT
devices are good examples of these.
These devices will also have to increase their CLM cadence.
Many of them support ACME or some other automation
protocol directly, so changing parameters may not be a major
task. In other cases, there may be support for an alternative
automation mechanism or none at all, in which case the user
has some programming to do in order to automate.

Re: DigiCert TLS Certificate Lifetimes Will Officially Reduce to 47 Days

the_rock — Tue, 18 Nov 2025 01:15:06 GMT

Lets see...there might be another official statement about it.

Re: DigiCert TLS Certificate Lifetimes Will Officially Reduce to 47 Days

PhoneBoy — Wed, 19 Nov 2025 00:44:06 GMT

Check Point has restricted the use of PSKs to static IP endpoints for as long as I can remember, FWIW.

As the deadline approaches, I suspect we will make changes to make this process easier.

Re: DigiCert TLS Certificate Lifetimes Will Officially Reduce to 47 Days

Bob_Zimmerman — Wed, 19 Nov 2025 23:09:29 GMT

This will definitely affect inbound (WAF-style) HTTPS Inspection.

It will affect certificates presented by Mobile Access, SNX, and so on.

It might affect the certificates used for access to the web UI of the firewalls, web SmartConsole, SmartView, and so on. These are often self-signed, which would not be affected at all. Certificates signed by a CA would need to have shorter lifespans to be trusted by browsers.

It will not affect the certificate authority used for client-to-random-website HTTPS Inspection. The internal certificates generated by the feature will need shorter lifespans, otherwise client browsers won't trust them, but those are generated automatically anyway.

It will not affect site-to-site VPNs using shared secrets.

It will not affect site-to-site VPNs using certificates signed by the ICA.

It will not affect SIC certificates.

If you're doing site-to-site VPNs with certificates signed by a public CA, I'd love to hear more about it.

Those are the only things I can think of offhand which can interact with certificates, public CAs, or browsers (which is where the change is actually being made).

topic Re: DigiCert TLS Certificate Lifetimes Will Officially Reduce to 47 Days in General Topics

DigiCert TLS Certificate Lifetimes Will Officially Reduce to 47 Days

Re: DigiCert TLS Certificate Lifetimes Will Officially Reduce to 47 Days

Re: DigiCert TLS Certificate Lifetimes Will Officially Reduce to 47 Days

Re: DigiCert TLS Certificate Lifetimes Will Officially Reduce to 47 Days

Re: DigiCert TLS Certificate Lifetimes Will Officially Reduce to 47 Days

Re: DigiCert TLS Certificate Lifetimes Will Officially Reduce to 47 Days

Re: DigiCert TLS Certificate Lifetimes Will Officially Reduce to 47 Days

Re: DigiCert TLS Certificate Lifetimes Will Officially Reduce to 47 Days

Re: DigiCert TLS Certificate Lifetimes Will Officially Reduce to 47 Days

✅ 1. The 47-day Limit Does NOT Apply to IPSec VPN Certificates (Today)

✔ CA/B Forum rules apply to public, browser-trusted certificates.

✘ They do not apply to:

✅ 2. Will there be exceptions in the future?

✅ 3. Will other certificate authorities follow the 47-day rule?

✅ 4. Will Check Point, Cisco, Palo Alto, Fortinet etc. need to modify IPSec VPN certificate handling?

Check Point specifically:

❗ 5. What will require major vendor changes?

✔ Cisco’s announcement about removing pre-shared keys

❗ 6. Why DigiCert told you “47 days affects all environments”

💡 7. Your concern about operational overhead is valid

The only realistic long-term solution is:

⭐ Bottom Line

The 47-day certificate lifetime does not apply to IPSec VPN certificates.

Re: DigiCert TLS Certificate Lifetimes Will Officially Reduce to 47 Days

Re: DigiCert TLS Certificate Lifetimes Will Officially Reduce to 47 Days

Re: DigiCert TLS Certificate Lifetimes Will Officially Reduce to 47 Days

Re: DigiCert TLS Certificate Lifetimes Will Officially Reduce to 47 Days

✅ **1. The 47-day Limit Does NOT Apply to IPSec VPN Certificates (Today)**

❗ **5. What will require major vendor changes?**

**The 47-day certificate lifetime does not apply to IPSec VPN certificates.**