By 2029, public TLS certificates must renew every 47 days.
What's it going to cost you?

For most teams, the shift to 47-day lifetimes will mean renewing each certificate eight to nine times a year instead of once. The calculator below estimates the labor, downtime, and headcount that change implies for your environment, drawing on industry benchmarks. It takes about 90 seconds.

Calculate my exposure

What “47 days” actually feels like.

Each colored square you see is a renewal event. Today, you renew a certificate roughly twice a year. By March 2029, that becomes every 31 days. Any one of them, missed, means an outage.

Today · 200 days
2renewals/certificate/year
1 certificate· 365 days
JANAPRJULOCTDEC
By 2029 · 47 days
11renewals/certificates/year
1 certificate · 365 days
JANAPRJULOCTDEC

Assess your impact

  1. 01

    Renewal labor

    How big is your estate, and what does manual renewal cost?

    Step 1 of 3
  2. 02

    Outage risk

    What a missed renewal would cost your organization?

    Step 2 of 3
  3. 03

    Automation mix

    Tell us how much of your public certificate renewal you've automated so far, and how much your environment can't automate today.

    20%
    0%100%
    15%
    0%100%
    Advanced settings : team size, automation effort, success rates
    Factors that impact headcount
    Factors that impact revenue
    Step 3 of 3

Total annual exposure at the 47-day phase

Total annual renewal labor
$0
Manual renewal labor for 500 certificates once validity drops to 47 days, billed at your loaded engineer rate.
  • Renewals per yeari0
  • Engineer hours per yeari0
  • Headcount requiredi0.0 vs 2 staffed

Two paths from here.

What renewing by hand versus adopting automation looks like, on your estate.

Status quo path
$0

annual labor cost at 47-day · 0 hrs/year

Manual renewals0 hrs
Automated oversight0 hrs
0.0
FTEs needed at 47-day
Currently staffed: 2 FTEs
Recommended
With a CLM solution like Key Manager Plus
$0

annual labor cost at 47-day · 0 hrs/year

Manual renewals0 hrs
Automated oversight0 hrs
$0
saved per year · 0% of estate automated
0.0 effective FTEs vs 2 staffed

See what $0 in saved labor looks like.

See how Key Manager Plus handles ACME, integrated CAs, and continuous discovery. Bring your environment, and we’ll walk through what the 47-day cadence looks like for it.

Labor cost is only half the story.

At 0 renewals a year, even a 99.5% manual success rate adds up to ~0 preventable misses annually. Automation moves that error rate two orders of magnitude lower.

Outages avoided / yearat 47-day phase
~0

Lifting your automation coverage to the maximum your environment supports cuts expected misses from ~0 down to ~0 a year. That's a 0% reduction in outage exposure.

Today
0
Residual
0

Modeled on 99.5% manual vs 99.99% automated per-renewal success. Residual reflects certificates that can't be automated (HSMs, embedded, compliance).

Four moves to make the 47-day rule a non-event.

    We’ll do the inventory audit with you

    The first recommendation above (discover every certificate, every CA, every owner) is the one that most teams put off. Book a session with our certificate ops team and we’ll walk through your environment together.

    Book the 15-minute audit
    The receipts

    Show your work.

    Every number here comes from your inputs. Here's the math behind it.

    Renewals per year0Today's baseline
    Labor hours per year0 hrsToday's baseline
    Annual labor cost$0Today's baseline
    DCV reuse window0 daysDomain validation cache

    How the four phases stack up

    Total renewals per year
    Labor hours per year
    Annual labor cost