The public PKI ecosystem is entering a period of rapid transformation — and Certification Authorities must evolve with it. New policies, shorter lifetimes, and emerging cryptographic standards are redefining trust and compliance across the web.

This session delivers a comprehensive update on the latest requirements and challenges for CAs in 2025. We’ll cover the upcoming 47-day maximum TLS certificate validity and 10-day limit for domain validation reuse, as well as major policy shifts in the Chrome Root Program, including the removal of clientAuth EKU from TLS certificates and the deprecation of multi-purpose CA hierarchies.

We’ll also address the phase-out of OCSP by Let’s Encrypt, the ongoing importance of Certificate Transparency (CT), and the increasing need for automation and crypto agility in CA operations. Finally, we will explore the post-quantum cryptography (PQC) transition — what hybrid certificates mean for trust hierarchies, how to manage algorithm agility, and what steps CAs can take now to prepare for PQC-ready infrastructures.