What is the CA/Browser Forum?
The consortium that decides how certificates work on the internet. Understanding who makes the rules and why.

The 30-Second Explanation
The CA/Browser Forum is a voluntary consortium where Certificate Authorities (the companies that issue certificates) and browser vendors (Chrome, Firefox, Safari, Edge) collaborate to create the rules governing publicly-trusted certificates.
Key point: When browsers announce certificate validity changes — like the phased reduction to 47 days by 2029 — those decisions come from the CA/Browser Forum.
The CA/Browser Forum is not a government agency — it's a voluntary industry collaboration with no legal enforcement power. It's also not a standards body like the IETF, though it frequently references IETF standards like TLS and X.509. Think of it as a rule-making body that creates Baseline Requirements all publicly-trusted CAs must follow to remain in browser root programs.
Who's at the Table
Certificate Authorities (Issuers)
Companies that issue publicly-trusted certificates:
- DigiCert, Sectigo, Let's Encrypt, GlobalSign
- Entrust, GoDaddy, SSL.com, and others
Must comply with forum rules to remain trusted. Have voting rights on ballots.
Browser Vendors (Consumers)
Applications that trust (or distrust) certificates:
- Google Chrome — Often drives aggressive timelines
- Mozilla Firefox — Strong security advocacy
- Apple Safari — Operates own root program
- Microsoft Edge — Follows Microsoft Root Program
The Power Dynamic
Browsers don't need forum permission to distrust a CA. The forum is where CAs negotiate reasonable timelines before browsers act unilaterally. This collaboration benefits everyone — CAs get predictable requirements, browsers get industry buy-in.
What They Produce
- Baseline Requirements for TLS (BR): The core rulebook for issuing SSL/TLS certificates (Dec 2025)
- Extended Validation Guidelines (EVG): Additional requirements for EV certificates (May 2024)
- Code Signing Baseline Requirements: Rules for code signing certificates (Nov 2025)
- S/MIME Baseline Requirements: Rules for email signing/encryption certificates (Oct 2025)
- Network Security Requirements: Security controls CAs must implement (Jul 2025)
All documents are publicly available at cabforum.org
How Changes Happen (The Ballot Process)
1. PROPOSAL: Anyone can propose a change, posted to public mailing list
2. DISCUSSION: 7-day minimum discussion period with public comments and revisions
3. VOTING: 7-day voting period — CAs and browsers vote separately
4. RESULTS: Requires majority of both groups; some ballots need 2/3 supermajority
5. EFFECTIVE: Usually 6-18 months after passage to give CAs time to implement
Ballot Naming Convention
Server Certificate Working Group (TLS certs)
Code Signing Working Group
S/MIME Working Group
Example: SC-081 introduced the phased reduction to 47-day certificate validity (passed April 2025).
2025 Changes
What this means for enterprise teams: These changes are already in effect. If you haven't updated your processes for MPIC, pre-issuance linting, or faster OCSP responses, you may already be relying on CAs that have adapted.
Major Upcoming Changes
What this means for enterprise teams: Shorter public TLS certificate validity means more frequent renewals. If you're managing certificates on load balancers, appliances, vendor-managed devices, or legacy systems that don't support automation, now is the time to plan your migration to ACME or equivalent API-based automation.
Why This Matters to You
If you're a certificate subscriber
- Shorter validity = more frequent renewals
- New validation requirements = process changes
- Deprecated methods = update your automation
If you manage certificates
- Watch for ballots affecting your certificate types
- Plan automation before validity reductions hit
- Understand that your CA has no choice — they must comply
If you're evaluating CAs
- All publicly-trusted CAs follow the same baseline rules
- Differentiation is in service, automation, and support
- A CA can't offer you a 3-year public TLS cert anymore
How to Stay Informed
Official Sources
- Public mailing lists: cabforum.org/about/email-lists/
- GitHub repository: Document drafts and discussions
- Meeting minutes: Published after each face-to-face meeting
Easier Options
- FixMyCert Compliance Hub: We track deadlines so you don't have to
- Root Causes Podcast: Tim Callan and Jason Soroko discuss industry news
- Your CA's communications: They'll warn you about changes affecting you
Common Misconceptions
"The CA/Browser Forum is a government body"
No — it's a voluntary industry consortium with no legal enforcement power.
"Browsers must follow CA/Browser Forum rules"
No — browsers can (and do) set stricter requirements in their own root programs. For example, Apple enforced a 398-day certificate limit before the CA/B Forum ballot passed, and Chrome has specific CT logging requirements beyond baseline.
"My CA can get me an exception"
No — CAs that violate Baseline Requirements risk distrust by browsers.
"These rules only affect public websites"
More precisely: these rules apply to publicly-trusted CAs, which typically issue certificates for public-facing endpoints. Internal/private CAs aren't bound by these rules, but many follow them as best practice.
"Changes happen overnight"
No — typical effective dates are 6-18 months after ballot passage, specifically to give the ecosystem time to adapt.