Why This Page Exists
PKI compliance is a moving target. Certificate validity periods are shrinking. Browser root stores have different rules. New CA/Browser Forum ballots pass regularly. Keeping up with it all is exhausting.
The Compliance Hub consolidates everything in one place: upcoming deadlines, current requirements, and browser-specific differences—all kept up-to-date so you don't have to read every mailing list and blog post.
The Countdown Timer
At the top of the page, you'll see a live countdown to the next major compliance deadline. This isn't just decoration—it's a reminder of how much time you have to prepare.
How to Use It
- Check the countdown when planning certificate renewals or infrastructure changes
- Share the page with your team before major deadlines (everyone sees the same timer)
- Click "View Full Timeline" to see what comes after the current deadline
The Search Bar
The sticky search bar filters both the quick reference cards and the timeline. It's the fastest way to find specific requirements.
Example Searches
Try searching for:
- "validity period"
- "key size"
- "revocation"
- "OCSP"
- "2048"
- "CT"
The search will show:
- Matching quick reference cards
- Matching timeline entries
- Both current rules and future changes
Quick Reference Cards
The collapsible cards contain the most frequently needed compliance information. Each card can be expanded or collapsed, and the search bar filters which cards are visible.
Certificate Validity Periods
Shows the current 398-day maximum and the upcoming reductions: 200 days / 199 effective (March 2026), 100 days / 99 effective (March 2027), and 47 days / 46 effective (March 2029). Includes the DCV reuse periods (198, 98, and 8 days effective), which are often overlooked. Sectigo enforces Phase 1 starting March 12, 2026, 3 days early.
Key & Algorithm Requirements
RSA must be 2048+ bits. ECDSA must use P-256, P-384, or P-521. SHA-256 or better for signatures. DSA, MD5, and SHA-1 are prohibited. Quick reference for CSR generation.
Revocation Requirements
24 hours for key compromise, 5 days for other issues. CRL update frequencies. OCSP response validity. Critical when you need to revoke a certificate urgently.
Domain Validation Methods
Lists all approved DCV methods from the TLS Baseline Requirements with their BR section references. Useful when setting up automated certificate issuance.
Certificate Profile - Subject Fields
Which fields are required, optional, or prohibited for DV, OV, and EV certificates. Note: OU field has been prohibited since September 2022.
Root Store Policy Differences
Critical comparison of Chrome, Mozilla, Apple, and Microsoft policies. Root stores can be MORE restrictive than CA/B Forum! Shows differences in CT requirements, revocation methods, and Entrust distrust status.
Pro Tip
The Root Store Differences card is often the most valuable. A certificate that works in Chrome might fail in Safari. Always test in multiple browsers, especially for enterprise deployments.
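The numbers on the Certificate Validity Periods and Key & Algorithm Requirements cards can be applied to a certificate inventory as a quick audit. The sketch below is an added example, not code from the Compliance Hub. It assumes each phase starts on the 15th of the month, that "SHA-256 or better" means SHA-256, SHA-384 or SHA-512, and that any key type other than RSA or ECDSA is flagged; the record fields and function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# (issued on or after, maximum days, effective days), newest phase first.
# Day 15 is an assumption: the page gives months only, plus a March 12 "3 days early".
PHASES = [(utc(2029, 3, 15), 47, 46),
          (utc(2027, 3, 15), 100, 99),
          (utc(2026, 3, 15), 200, 199)]
CURRENT_MAX = 398  # the page lists no separate effective value here
ALLOWED_CURVES = {"P-256", "P-384", "P-521"}
ALLOWED_HASHES = {"SHA-256", "SHA-384", "SHA-512"}  # "SHA-256 or better"

def limits_for(not_before):
    for start, maximum, effective in PHASES:
        if not_before >= start:
            return maximum, effective
    return CURRENT_MAX, CURRENT_MAX

def audit(cert):
    """Return the list of findings for one inventory record (a dict)."""
    findings = []
    maximum, effective = limits_for(cert["not_before"])
    # Assumption: validity counts both endpoints, hence the extra second.
    lifetime = cert["not_after"] - cert["not_before"] + timedelta(seconds=1)
    if lifetime > timedelta(days=maximum):
        findings.append(f"validity exceeds {maximum}-day maximum")
    elif lifetime > timedelta(days=effective):
        findings.append(f"validity above {effective}-day effective target")
    if cert["key_type"] == "RSA":
        if cert["key_bits"] < 2048:
            findings.append("RSA key below 2048 bits")
    elif cert["key_type"] == "ECDSA":
        if cert["curve"] not in ALLOWED_CURVES:
            findings.append(f"curve {cert['curve']} not allowed")
    else:
        findings.append(f"key type {cert['key_type']} not allowed")
    if cert["sig_hash"] not in ALLOWED_HASHES:
        findings.append(f"signature hash {cert['sig_hash']} not allowed")
    return findings

def record(name, issued, days, key_type, sig_hash, **key):
    end = issued + timedelta(days=days, seconds=-1)  # exactly `days` of validity
    return dict(name=name, not_before=issued, not_after=end,
                key_type=key_type, sig_hash=sig_hash, **key)

SAMPLE = [  # constructed inventory, not real certificates
    record("web-old", utc(2026, 4, 1), 398, "RSA", "SHA-256", key_bits=2048),
    record("legacy", utc(2025, 6, 1), 90, "RSA", "SHA-1", key_bits=1024)]
```

Calling audit() on each record in SAMPLE shows that a 398-day certificate issued after Phase 1 begins is flagged even though its key and hash are acceptable.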
The Timeline
Below the quick reference cards, you'll find the full compliance timeline organized by year. Each entry shows the deadline date, title, description, and which authority mandated it.
Timeline Filters
- Source filter: Show only entries from CA/B Forum, Chrome, Mozilla, Apple, or Microsoft
- Category filter: Filter by Certificates, Validation, Revocation, or Algorithms
- Show past: Toggle to see deadlines that have already passed (useful for audits)
- Search: Find specific keywords across all timeline entries
Major deadlines are highlighted with a special badge. Click on any entry to see the full description and impact.
Document Versions & Links
At the bottom of the page, you'll find current versions of all relevant documents with direct links:
- CA/B Forum Documents: TLS Baseline Requirements, EV Guidelines, Code Signing BRs, S/MIME BRs, Network Security Requirements
- Root Store Policies: Direct links to Chrome, Mozilla, Apple, and Microsoft root program requirements
- Related RFCs: X.509, PKIX, OCSP, CRL, and CT specifications
How the Data Stays Current
The Compliance Hub pulls data from a live API that tracks CA/B Forum ballots, browser announcements, and policy changes. The page refreshes automatically every hour, and data is cached locally for offline access.
If you see a "Using cached data" warning, it means the live API is temporarily unavailable, but you're still seeing the most recently fetched data.
Practical Use Cases
1. Planning Certificate Infrastructure
Before designing a new PKI or certificate management system, check the timeline for upcoming validity changes. If you're building in 2025, design for 47-day certificates even if you start with 398-day ones.
2. Incident Response
When a key is compromised, check the Revocation Requirements card immediately. You have 24 hours from discovery to revoke. The card also shows CRL and OCSP update frequencies for your CA.
3. Vendor Evaluation
When evaluating a certificate vendor, use the Document Versions section to verify they're compliant with current Baseline Requirements. Ask about their automation support given the upcoming validity reductions.
4. Audit Preparation
Use the search and filters to generate a quick compliance checklist. The page is print-friendly—use your browser's print function to create a PDF for audit documentation.
5. Cross-Browser Compatibility
Before deploying certificates, check the Root Store Differences card. Especially important for enterprise deployments where users may be on different browsers and operating systems.
Quick Start Checklist
- Check the countdown — Know your next deadline
- Review validity periods — Plan for shorter certificate lifetimes
- Verify key requirements — RSA 2048+, ECDSA P-256+, SHA-256+
- Compare root stores — Don't assume all browsers behave the same
- Bookmark the page — Reference it before any certificate-related decision
