Follow this page for useful information regarding upcoming and planned changes to TCS.
| Date | Description | Background Information | Action Required |
|---|---|---|---|
| September 2025 | Require domain validation and CAA checks to be performed from multiple Network Perspectives (MPIC) | MPIC requirements have been in place for some time but we would like to add an advisory that these new requirements can have a significant impact on certificates with a large number of SANS due to the time these checks can take. This is particularly relevant in ACME scenarios where the timeout set by a specific tool may not be compatible with the time needed to run checks. We advise that organisations look to minimise the number of SANs used within single certificates. | |
| 2nd March 2026 | End of all support for OCSP URLs | The end of life for OCSP and requirement for CRL for revocation information has been progressing for sometime, this date finalises the removal of this information from TCS certificates. | No specific action needed but be aware that specific certicate implementations may need to change their default settings in order to not run into errors. |
| 15th March 2026 | Certificate validity drops to 200 days | If your certificate is issued before the deadline, it can still have the current maximum validity (398 days max). However, any certificate issued on or after 15 March 2026 must follow the new 200-day rule – even if the renewal process started earlier. For Organisation Validation (OV) certificates, the reuse periods for domain and organisation validation are also shortening in line with the certificate lifetimes. That means even your validation data (like proof of domain control) must be refreshed more frequently, reinforcing the need for automation. | Be aware of the changing time limits and work with your organisations to support automation wherever possible. Be aware of further changes to the lifespan in upcoming years. |
| 15th March 2026 | Enforcement of DNSSEC | CAs complying with the TLS Baseline Requirements are required to validate DNSSEC, when present, in the course of retrieving CAA records or performing DCV-related DNS lookups from Primary Network Perspectives. | No specific action required, just be aware of the potential impacts if CAA records are not correctly set. |
| 6th April 2026 | End of Support for EKU | Public TLS certificates are intended solely for server authentication on the open Internet. If they also contain the ClientAuth EKU, they could be misused for purposes that public CAs cannot validate or govern (e.g., authenticating users into enterprise systems). This does not mean client authentication is going away — it means organisations must use private PKI, enterprise PKI services, or sector-specific solutions instead of public TLS certificates for mTLS. We recommend that TCS "IGTF Client Authentication Certificates" are used for this purpose. | It is like that use cases will emerge where these EKUs are being actively used and they may not become apparent untl something fails when support is removed. Be aware of this as a potential root cause. Some software might be using this as a default aproach - HARICA are aware of some issues with CISCO communication tools and Microsoft Teams. |