Baseline Requirements for TLS Server Certificates
Baseline Requirements
Current Version
CA-Browser-Forum TLS BR 2.2.8 (redlined) – adopted by Ballot SC098
Previous Versions
CA-Browser-Forum TLS BR 2.2.7 (redlined) – adopted by Ballot SC099
CA-Browser-Forum TLS BR 2.2.6 (redlined) – adopted by Ballot SC095
CA-Browser-Forum TLS BR 2.2.5 (redlined) – adopted by Ballot SC097
CA-Browser-Forum TLS BR 2.2.4 (redlined) – adopted by Ballot SC096
CA-Browser-Forum TLS BR 2.2.3 (redlined) – adopted by Ballot SC094
CA-Browser-Forum TLS BR 2.2.2 (redlined) – adopted by Ballot SC090
CA-Browser-Forum TLS BR 2.2.1 (redlined) – adopted by Ballot SC091
CA-Browser-Forum TLS BR 2.2.0 (redlined) – adopted by Ballot SC086v3
CA-Browser-Forum TLS BR 2.1.9 (redlined) – adopted by Ballot SC088v3
CA-Browser-Forum TLS BR 2.1.8 (redlined) – adopted by Ballot SC092
CA-Browser-Forum TLS BR 2.1.7 (redlined) – adopted by Ballot SC089
CA-Browser-Forum TLS BR 2.1.6 (redlined) – adopted by Ballot SC085v2
CA-Browser-Forum TLS BR 2.1.5 (redlined) – adopted by Ballot SC081v3
CA-Browser-Forum TLS BR 2.1.4 (redlined) – adopted by Ballot SC084
CA-Browser-Forum TLS BR 2.1.3 (redlined) – adopted by Ballot SC083
CA-Browser-Forum TLS BR 2.1.2 (redlined) – adopted by Ballot SC080
CA-Browser-Forum TLS BR 2.1.1 (redlined) – adopted by Ballot SC079
CA-Browser-Forum TLS BR 2.1.0 (redlined) – adopted by Ballot SC076
CA-Browser-Forum TLS BR 2.0.9 (redlined) – adopted by Ballot SC078
CA-Browser-Forum TLS BR 2.0.8 (redlined) – adopted by Ballot SC077
CA-Browser-Forum TLS BR 2.0.7 (redlined) – adopted by Ballot SC067
CA-Browser-Forum TLS BR 2.0.6 (redlined) – adopted by Ballot SC075
CA-Browser-Forum TLS BR 2.0.5 (redlined) – adopted by Ballot SC073
CA-Browser-Forum TLS BR 2.0.4 (redlined) – adopted by Ballot SC065
CA-Browser-Forum TLS BR 2.0.3 (redlined) – adopted by Ballot SC069
CA-Browser-Forum TLS BR 2.0.2 (redlined) – adopted by Ballot SC066
CA-Browser-Forum BR 2.0.1 (redlined) – adopted by Ballot SC063
CA-Browser-Forum BR 2.0.0 (redlined) – adopted by Ballot SC062
CA-Browser-Forum BR 1.8.7 (redlined) – adopted by Ballot SC061
CA-Browser-Forum BR 1.8.6 (redlined) – adopted by Ballot SC058
CA-Browser-Forum BR 1.8.5 (redlined) – adopted by Ballot SC056
CA-Browser-Forum BR 1.8.4 (redlined) – adopted by Ballot SC054
CA-Browser-Forum BR 1.8.3 (redlined) – adopted by Ballot SC051
CA-Browser-Forum BR 1.8.2 (redlined) – adopted by Ballot SC053
CA-Browser-Forum BR 1.8.1 (redlined) – adopted by Ballot SC050
CA-Browser-Forum BR 1.8.0 (redlined) – adopted by Ballot SC048
CA-Browser-Forum BR 1.7.9 (redlined) – adopted by Ballot SC047
CA-Browser-Forum BR 1.7.8 (redlined) – adopted by Ballot SC045
CA-Browser-Forum BR 1.7.7 (redlined) – adopted by Ballot SC046
CA-Browser-Forum BR 1.7.6 (redlined) – adopted by Ballot SC044
CA-Browser-Forum BR 1.7.5 (redlined) – adopted by Ballot SC042
CA-Browser-Forum BR 1.7.4 (redlined) – adopted by Ballot SC041
CA-Browser Forum BR 1.7.3 (redlined) – adopted by Ballots SC028 and SC035
CA-Browser Forum BR 1.7.2 (redlined) – adopted by Ballot SC033
CA-Browser Forum BR 1.7.1 (redlined) – adopted by Ballots SC030 and SC031
CA-Browser Forum BR 1.7.0 (redlined) – adopted by Ballot SC026
CA-Browser Forum BR 1.6.9 (redlined) – adopted by Ballot SC027
CA-Browser Forum BR 1.6.8 (redlined) – adopted by Ballot SC025
CA-Browser Forum BR 1.6.7 (redlined) – adopted by Ballots SC023, SC024
CA-Browser Forum BR 1.6.6 (redlined) – adopted by Ballots SC019
CA-Browser Forum BR 1.6.5 (redlined) – adopted by Ballots SC016
CA-Browser Forum BR 1.6.4 (redlined) – adopted by Ballots SC014, SC015, SC007
CA-Browser Forum BR 1.6.3 (redlined) – adopted by Ballot SC013
CA-Browser Forum BR 1.6.2 (redlined) – adopted by Ballot SC012
CA-Browser Forum BR 1.6.1 (redlined) – adopted by Ballot SC006
CA-Browser Forum BR 1.6.0 (redlined) – adopted by Ballot 224
CA-Browser Forum BR 1.5.9 (redlined) – adopted by Ballot 223
CA-Browser Forum BR 1.5.8 (redlined) – adopted by Ballot 219
CA-Browser Forum BR 1.5.7 – (redlined) – adopted by Ballot 220
CA-Browser Forum BR 1.5.6 – (redlined) – adopted by Ballot 218
CA-Browser Forum BR 1.5.5 – (redlined) – adopted by Ballot 217
CA-Browser Forum BR 1.5.4 – (redlined) – adopted by Ballot 215
CA-Browser Forum BR 1.5.3 – (redlined) – adopted by Ballot 214
CA-Browser Forum BR 1.5.2 – (redlined) – adopted by Ballot 190
CA-Browser Forum BR 1.5.1 – (redlined) – adopted by Ballot 197
CA-Browser Forum BR 1.5.0 – (redlined) – adopted by Ballot 212
CA-Browser Forum BR 1.4.9 – (redlined) – adopted by Ballot 204
CA-Browser Forum BR 1.4.8 – (redlined) – adopted by Ballot 199
CA-Browser Forum BR 1.4.7 – (redlined) – adopted by Ballot 196
CA-Browser Forum BR 1.4.6 – (redlined) – adopted by Ballot 195
CA-Browser Forum BR 1.4.5 – (redlined) – adopted by Ballot 189
CA-Browser Forum BR 1.4.4 – (redlined) – adopted by Ballot 193 on 17-March-2017
CA-Browser Forum BR 1.4.3 – (redlined) – adopted by Ballot 187 on 3-March-2017
CA-Browser Forum BR 1.4.2 – (redlined) – adopted by Ballot 181 on 1-January-2017
CA-Browser Forum BR 1.4.1 – (redlined) – adopted by Ballot 175 on 7 Sept. 2016
CA-Browser Forum BR 1.4.0 – (redlined) – adopted by Ballot 173 on 28 July 2016
CA-Browser Forum BR 1.3.9 – (redlined) – adopted by Ballot 174 on 29 August 2016
CA-Browser Forum BR 1.3.8 – (redlined) – adopted by Ballot 169 on 5 August 2016
CA-Browser Forum BR 1.3.7 – (redlined) – adopted by Ballot 164 on 8 July 2016
CA-Browser Forum BR 1.3.6 – (redlined) – adopted by Ballot 171 on 1 July 2016
CA-Browser Forum BR 1.3.5 – (redlined) – adopted by Ballot 168 on 10 May 2016
CA-Browser Forum BR 1.3.4 – (redlined) – adopted by Ballot 162 on 15 March 2016
CA-Browser Forum BR 1.3.3 – (redlined) – adopted by Ballot 160 on 4 February 2016
CA-Browser Forum BR 1.3.2 – (redlined) – adopted by Ballot 156 on 3 December 2015
CA-Browser Forum BR 1.3.1 – (redlined) – adopted by Ballot 151 on 28 September 2015
CA-Browser Forum BR 1.3.0 – adopted by Ballot 146 on 16 April 2015
Conversion Table for RFC-3647-formatted version 1.3.0 and later
Baseline Requirements 1.2.5 – (redlined) – adopted by Ballot 148 on 2 April 2015
Baseline Requirements 1.2.4 – (redlined) – adopted by Ballot 144 on 18 Feb 2015
Baseline Requirements 1.2.3 – (redlined) – adopted by Ballot 135 on 16 October 2014
Baseline Requirements 1.2.2 – (redlined) – adopted by Ballot 134 on 16 October 2014
Baseline Requirements 1.2.1 – (redlined) – adopted by Ballot 118 on 16 October 2014
Baseline Requirements 1.2.0 – (redlined) – adopted by Ballot 125 on 14 October 2014
Baseline Requirements 1.1.9 – (redlined) – adopted by Ballot 129 on 4 August 2014
Baseline Requirements 1.1.8 – (redlined) – adopted on 5 June 2014
Baseline Requirements 1.1.7 – (redlined) – effective 3 April 2014
Baseline Requirements 1.1.6 – (redlined) – effective 29 July, 2013
Baseline Requirements 1.1.5 – (redlined) – effective 31 May, 2013
Baseline Requirements 1.1.4 – (redlined) – effective 3 May, 2013
Baseline Requirements 1.1.3 – (redlined) – effective 21 February, 2013
Baseline Requirements 1.1 – effective 14 September, 2012
Baseline Requirements 1.1_日本語訳 (translated into Japanese)
Baseline Requirements 1 – adopted on 22 Nov. 2011 with an Effective Date of 1 July 2012
Public Discussion Drafts
Baseline Requirements Draft 50
Baseline Requirements Draft 35
v3.8 - Aug 5, 2024
What's Changed
CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38
Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8
v1.0.14 - Ballot SMC016 - May 5, 2026
This ballot maintains consistency between the S/MIME Baseline Requirements and the TLS Baseline Requirements with changes introduced by Ballots SC096 and SC097. Specifically, this ballot:
- Creates a carve-out of the logging requirements for DNSSEC specifically, stating these are not in scope. For audit purposes, change management logging is able to confirm if the appropriate controls are in effect or not.
- Sunsets all remaining use of SHA-1 signatures in Certificates and CRLs. It is noted that most uses of SHA-1 signatures are already deprecated by SC097. With this ballot, all unexpired Subordinate CA Certificates issuing S/MIME containing the SHA-1 signature algorithm must be revoked. This proposal does not prohibit the use of SHA-1 to generate issuerKeyHash or issuerNameHash values as currently required by RFC 5019.
- Includes minor formatting corrections.
