In August 2024, Apple made a proposal (CA/Browser Forum Ballot SC-081v3) to drastically shorten the lifespan of certificates. This move was endorsed by major web browser makers and certificate authorities. After months of discussions, the move is now official. The CA/Browser Forum unanimously voted to bring down the certificate lifespan from 398 days to 47 days by 2029, with significant changes starting from March 2026.
The move intends to strengthen the WebPKI system by significantly reducing the validity of all certificates issued by public certificate authorities and encouraging the adoption of automation in certificate management.
Starting March 2026, organizations will have to gradually adopt short-lived certificates as part of their workflows. In addition to the shrinking certificate validity, the domain control validation (DCV) reuse period will also drop from 398 days to 10 days by 2029.
Here's an overview of the changes and the timeline involved:
Maximum certificate validity   Maximum DCV reuse period   Effective date
398 days                       398 days                   Current (valid until Mar. 14, 2026)
200 days                       200 days                   Mar. 15, 2026
100 days                       100 days                   Mar. 15, 2027
47 days                        10 days                    Mar. 15, 2029
While this does seem to be a drastic change, this has been in the works for a while now. Google proposed a 90-day certificate lifespan back in 2023; Apple's recent proposal only took things a little further. Nonetheless, organizations will have to deal with the reality and the significance of this move now. So, what changes?
What was just a consideration until a few weeks ago is now a mandate. Starting Mar. 15, 2026, organizations must prepare to renew their certificates a minimum of two times per year, and this only gets progressively more challenging. To put things in perspective, by Mar. 15, 2029, organizations will have to renew their certificates a minimum of eight times per year.
Period                  Minimum renewals per year
Until March 2026        ~ Once
From Mar. 15, 2026      ~ Twice
From Mar. 15, 2027      ~ Four times
From Mar. 15, 2029      ~ Eight times
Along with this change, the DCV reuse period is also shrinking to just about 10 days by Mar. 15, 2029. This means organizations will have to go through the full validation process, validating their domain or IP address a lot more frequently. Given the increasing frequency of DCV and the overall shortened lifespan of TLS certificates, automation will become even more critical for managing certificates efficiently and avoiding downtime.
Despite the increasing frequency of renewals, the cost spent on certificates should still remain the same. Several certificate authorities offer single- or multi-year coverage for certificates and renew (reissue) them at no additional cost. This means you only pay for the coverage period.
If you're wondering why this is even happening in the first place, it is to ensure that the WebPKI is safeguarded and automation is embraced to make the whole process efficient and seamless.
The primary driver for this change is to enhance online security by reducing the window of opportunity for threat actors to exploit compromised certificates and private keys. Shorter certificate lifetimes limit the duration a compromised private key can be misused by an attacker during attacks like manipulator-in-the-middle, minimizing the potential damage.
To adapt to a world where eight certificate renewals a year will be the norm, organizations must embrace automated certificate management in the form of ACME to reduce human error and minimize downtime. This transition will not only make life easier but also inculcate large-scale certificate management best practices.
Default revocation checks have inherent issues, such as update delays in certificate revocation lists or OCSP responses, inconsistent enforcement where clients might "soft-fail" and accept certificates despite failed checks, and network blockages that prevent access to revocation servers. Shorter validity alleviates the need to rely solely on such mechanisms and can act as a reliable failsafe option.
The CA/B Forum argues that the information in certificates becomes less trustworthy over time, and more frequent revalidation is necessary to maintain accuracy. By reducing the maximum certificate lifespan to 47 days, the Baseline Requirements would inherently force subscribers to undergo this validation process more often, leading to higher assurance for relying parties that the entity presenting the certificate currently controls the domain.
Manual certificate management will soon become obsolete given the frequency of certificate updates. As organizations strengthen their automation systems and such solutions become the norm, the ecosystem will become more agile in responding to future cryptographic vulnerabilities. Crypto agility will ensure frequent and hassle-free transitions to new algorithms, faster key rotation, and better management, all of which are vital in a post-quantum world.
Needless to say, this move will have significant impacts on organizations, especially the ones that rely on manual certificate management practices.
IT, security, public key infrastructure (PKI), DevOps, and application teams, as well as any other team that deals with certificates, will face a substantially increased workload.
Organizations with a large number of publicly facing websites and systems relying on TLS certificates could increasingly run into service disruptions and unexpected outages.
Existing change management processes for certificate renewals will need to be adapted to handle the much higher volume and frequency of certificate renewals.
The reduction of TLS certificate validity to 47 days by 2029 represents a significant shift to say the least. Organizations must start today and proactively plan and implement automation strategies to manage this change effectively.
Establishing clear PKI policies is the first step. Without internal clarity, any technology change could turn chaotic. By taking full ownership of governing digital certificates and their life cycle the right way, you can assign roles and actions accordingly within your organization.
Without knowing all the TLS/SSL certificates employed in your organization, the transition to short-lived certificates could be a nightmare. Start by accounting for every single certificate managed across your enterprise and manage them from a central certificate repository.
Set up real-time monitoring to check for certificate expiry and ensure timely alerts are in place. This is just as crucial as having a certificate inventory.
Even two renewals a year starting March 2026 will increase the likelihood of outages and administrative overhead. Prepare for the change today by adopting certificate life cycle management solutions. They automate every step of PKI management, from discovery and issuance to renewal and provisioning.
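As an added example (not code from the article or from any product it mentions), here is a small Python renewal planner that encodes the SC-081 timeline given above and runs over a constructed certificate inventory: it flags certificates whose lifetime exceeds the limit in force when they were issued, computes a renewal deadline, and reports whether a reissue on a given date must repeat domain control validation. The renew-at-two-thirds-of-lifetime trigger and the inventory record format are assumptions.

```python
import math
from collections import namedtuple
from datetime import date, timedelta

# SC-081 timeline from the article: (effective date, max validity days, max DCV
# reuse days). Before the first entry the current 398/398-day limits apply.
CURRENT_LIMITS = (398, 398)
SCHEDULE = [(date(2026, 3, 15), 200, 200),
            (date(2027, 3, 15), 100, 100),
            (date(2029, 3, 15), 47, 10)]

# Constructed inventory entry (not a parsed X.509 cert); last_dcv = last domain validation date.
CertRecord = namedtuple("CertRecord", "name not_before not_after last_dcv")

def limits_on(day):
    """(max validity days, max DCV reuse days) in force on a given date."""
    validity, reuse = CURRENT_LIMITS
    for effective, v, r in SCHEDULE:
        if day >= effective:
            validity, reuse = v, r
    return validity, reuse

def renewals_per_year(day):
    """Minimum renewals per year for certs issued at the maximum validity."""
    return math.ceil(365 / limits_on(day)[0])

def validity_days(rec):
    return (rec.not_after - rec.not_before).days

def exceeds_max_validity(rec):
    """True if the cert's lifetime is longer than the limit in force when issued."""
    return validity_days(rec) > limits_on(rec.not_before)[0]

def renew_by(rec, fraction=2 / 3):
    """Assumed policy: renew once this fraction of the lifetime has elapsed."""
    return rec.not_before + timedelta(days=int(validity_days(rec) * fraction))

def dcv_required(rec, on):
    """True if a (re)issuance on date `on` must repeat domain control validation."""
    return (on - rec.last_dcv).days > limits_on(on)[1]

def check_inventory(records, today):
    """Alert lines for certs that are non-compliant or past their renewal deadline."""
    alerts = []
    for rec in records:
        if exceeds_max_validity(rec):
            alerts.append(f"{rec.name}: {validity_days(rec)}-day validity exceeds the "
                          f"{limits_on(rec.not_before)[0]}-day limit in force at issuance")
        if today >= renew_by(rec):
            alerts.append(f"{rec.name}: renew now (deadline {renew_by(rec)}, expires {rec.not_after})")
    return alerts
```

Feeding `check_inventory` from a real inventory export and scheduling it daily gives the expiry alerting the article calls for, with deadlines that tighten automatically as each phase of the timeline takes effect.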
The Automated Certificate Management Environment (ACME) protocol is what powers automated certificate management, even though it does not yet cover every scenario. Implement the ACME protocol to streamline the issuance and renewal of certificates from various certificate authorities.
Expand automation further and integrate certificate management into DevOps pipelines to ensure certificates are handled efficiently as part of the software development and deployment processes.
There's nothing like having every crucial department on board when adhering to the new mandate. Efforts from everyone on the IT, security, DevOps, PKI, and application teams, as well as other teams, are vital. Educate personnel on the importance of this move to make the transition smooth.
Change can be stressful. We're here to ensure it isn't. ManageEngine Key Manager makes comprehensive end-to-end certificate life cycle automation possible with automated discovery, renewal, and deployment functions. Key Manager Plus also integrates with every major public certificate authority so you can get started right away. For your internal use cases, you can also create private certificate authorities to issue and manage your internal certificates. Either way, we have all your certificate use cases covered.