The Clock Is Ticking: 47-Day TLS Certificates Are Now Inevitable
The CA/Browser Forum’s landmark Ballot SC-081v3 has set the web on a path toward near-monthly certificate renewal. With the first enforcement deadline already in effect, organizations face a fundamental rethinking of how they manage digital trust.
On April 11, 2025, the CA/Browser Forum — the international consortium of certificate authorities and browser vendors that governs public digital trust — formally closed the voting period on Ballot SC-081v3. The result: 29 votes in favor, zero opposed. The measure, originally proposed by Apple and immediately endorsed by Google, Microsoft, and Mozilla, sets a phased schedule to reduce the maximum lifetime of publicly trusted TLS/SSL certificates from 398 days to just 47 days by March 2029.
The vote was not entirely frictionless. Five certificate authorities — roughly 17% of active voting participants — chose to abstain, citing operational concerns even while broadly supporting the direction of travel. Their silence was not opposition, but it signals the magnitude of the change now rippling through the industry.
That change is no longer theoretical. As of March 15, 2026, the first enforcement phase is active. Any TLS certificate issued by a publicly trusted certificate authority from that date onward carries a maximum validity of 200 days — cutting the previous limit nearly in half. Major CAs acted ahead of schedule: DigiCert began issuing 199-day certificates on February 24, 2026, GlobalSign followed on March 14, and others aligned close to the deadline.
Scope: Public Certificates Only
Ballot SC-081v3 governs only publicly trusted TLS certificates — those chaining to a root CA trusted by browsers for authenticating publicly accessible servers. Internal PKI, private networks, S/MIME email certificates, code signing, and IoT device identity certificates operate under separate frameworks and are not subject to these new timelines.
Organizations using internal certificate authorities for private infrastructure may continue issuing long-lived certificates, though this transition is widely seen as a good opportunity to review internal PKI practices too.
A Deliberate, Staged Countdown
The CA/B Forum chose a phased approach specifically to avoid operational shock — giving enterprises, certificate authorities, and tooling vendors time to adapt at each step rather than facing an abrupt cutover.
Enforcement Milestones — SC-081v3
Until Mar 2026: Maximum 398-Day Certificates
The prior standard. Organizations could issue certificates valid for up to 398 days. Domain Control Validation (DCV) data could be reused for up to 398 days. Subject Identity Information (SII) — organization names and details in OV/EV certificates — could be reused for up to 825 days.
Mar 2026: Maximum 200-Day Certificates
Certificate validity drops to 200 days — roughly a six-month cadence. The DCV reuse period also drops to 200 days. SII reuse is reduced from 825 to 398 days. Several major CAs began complying slightly ahead of schedule in late February and early March 2026.
Mar 2027: Maximum 100-Day Certificates
Validity is halved again to 100 days — approximately a three-month renewal cadence. At this stage, the CA/B Forum anticipates that manual management will be largely untenable for most organizations, making automation adoption effectively mandatory for business continuity.
Mar 2029: Maximum 47-Day Certificates + 10-Day DCV Reuse
The endpoint of the transition. Certificate validity is capped at 47 days — a renewal roughly every six to seven weeks. The DCV reuse period simultaneously drops to just 10 days, requiring near-continuous re-verification of domain ownership. Manual renewal processes become effectively impossible at scale.
| Effective Date | Max Certificate Validity | DCV Reuse Period | Approx. Renewals/Year |
|---|---|---|---|
| Until Mar 14, 2026 | 398 days | 398 days | ~1× |
| Mar 15, 2026 ← Now | 200 days | 200 days | ~2× |
| Mar 15, 2027 | 100 days | 100 days | ~4× |
| Mar 15, 2029 | 47 days | 10 days | ~8× |
Three Security Imperatives Driving the Reform
1. Shrinking the Window of Compromise
When a certificate’s private key is leaked or a certificate is misissued, the attacker’s exploitation window is bounded by the certificate’s remaining validity. At 398 days, a breach discovered late could leave a compromised certificate usable for over a year. At 47 days, that window collapses to less than seven weeks — dramatically reducing the potential blast radius of any single key compromise.
This matters because certificate revocation — the theoretically correct fix for a compromised certificate — has proven unreliable in practice. Browser vendors have progressively moved away from real-time revocation checks (via OCSP and CRLs) because they slow page loads and often fail silently. Shorter certificate lives are, in a sense, an acknowledgment that revocation alone cannot be trusted to protect the web at scale.
2. Keeping Identity Data Accurate
Certificates bind a public key to identity information: domain names, organization details, and more. Long-lived certificates may accurately reflect reality when issued but become stale as domains change hands, companies restructure, or ownership transfers. The new DCV reuse periods — dropping eventually to 10 days — ensure that the identity information embedded in any active certificate is a recent, verified snapshot rather than a historical artifact.
3. Building Crypto-Agility for the Quantum Era
Quantum computing poses a long-term threat to RSA and Elliptic Curve Cryptography — the mathematical foundations underpinning today’s certificates. NIST finalized its first post-quantum cryptographic standards in 2024, including algorithms like CRYSTALS-Kyber and CRYSTALS-Dilithium, but mass adoption remains years away.
By forcing frequent certificate replacement, the industry is building the operational muscle memory — and the automated tooling — needed to transition cryptographic algorithms rapidly. An organization that can rotate certificates every 47 days can also pivot to post-quantum algorithms when the time comes, without a painful, crisis-driven migration.
Who Is Affected, and How
For Enterprises and IT Teams
The most immediate impact is an explosion in renewal frequency. Certificate management — once an annual or semi-annual task tucked into routine IT maintenance — becomes a continuous operational process. By 2029, a single domain certificate will require renewal approximately eight times per year. Multiply that across the certificate inventory of a mid-size enterprise and the arithmetic rapidly makes manual processes unworkable.
The good news: cost structures are adapting in parallel. Most major CAs have confirmed that pricing will remain subscription-based: a subscription covers a fixed term (typically one to three years) during which certificates are reissued at no additional charge as often as the validity limits require. Shorter lifespans do not mean proportionally higher bills.
For Certificate Authorities
The shift breaks the “issue once, collect annual fee, provide minimal ongoing service” model. CAs must now support high-frequency reissuance, robust automation APIs, and proactive monitoring at scale. Vendors with strong automation platforms — particularly those with mature ACME protocol support and full lifecycle management tooling — stand to consolidate market share as customers prioritize reliability. Smaller CAs lacking these capabilities face real competitive pressure.
For the Broader Ecosystem
Cloud providers, open-source tools like Certbot, and managed PKI-as-a-service platforms gain relevance as organizations seek to offload the complexity. The 47-day timeline is also expected to accelerate adoption of the ACME protocol — the standard that powers Let’s Encrypt’s fully automated certificate issuance — across enterprise environments where it has historically been underused.
What to Do Now
The March 2026 phase is already live. The window to adapt before the 2027 reduction to 100-day certificates is narrowing. Here are the immediate priorities:
- Conduct a certificate inventory. Identify every publicly trusted TLS certificate in your environment — including subdomains, API endpoints, load balancers, and third-party integrations. Know expiration dates and issuing CAs.
- Evaluate your automation posture. Determine which certificates are currently managed manually and model the renewal workload at 100-day and 47-day cadences. The gap between current capacity and what 2027 requires is your urgency signal.
- Deploy ACME-compatible tooling. Prioritize platforms that support the ACME protocol for automated issuance and renewal. Set renewal trigger alerts at 7–14 days before expiration to build buffer time.
- Move to subscription-based certificate plans. Avoid per-issuance pricing models that penalize frequent renewal. Multi-year subscription plans from major CAs allow unlimited reissuance within the coverage period.
- Test compatibility. Some legacy systems, embedded devices, and older TLS stacks have hardcoded assumptions about certificate lifetimes. Audit for anything that may break with shorter-lived certificates before enforcement arrives.
- Plan for DCV frequency. By 2029, domain ownership must be re-verified every 10 days. Ensure DNS configuration and domain control validation mechanisms are compatible with high-frequency automated checks.
- Begin upskilling operations teams. Certificate lifecycle management is becoming a core infrastructure competency. Invest in training and establish clear runbooks for certificate incidents.
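As an added illustration (not code from the article or from any CA's tooling), the SC-081v3 schedule tabulated above and the inventory, automation-gap and renewal-alert steps in this list can be combined into a small audit: for each certificate in an inventory it looks up the cap in force on the issuance date, flags lifetimes that exceed it, and flags anything inside the 14-day renewal window. The host names, dates and the CertRecord/Finding types are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple
# SC-081v3 schedule as given on this page: (effective date, max validity days, DCV reuse days).
SC081_PHASES = [
    (date(2026, 3, 15), 200, 200),
    (date(2027, 3, 15), 100, 100),
    (date(2029, 3, 15), 47, 10),
]
LEGACY_LIMITS = (398, 398)  # (max validity, DCV reuse) in force before Mar 15, 2026

def limits_on(issue_date: date) -> Tuple[int, int]:
    """Max validity and DCV reuse (days) that apply to a certificate issued on issue_date."""
    limits = LEGACY_LIMITS
    for effective, validity, dcv in SC081_PHASES:
        if issue_date >= effective:
            limits = (validity, dcv)
    return limits

@dataclass
class CertRecord:  # one row of a certificate inventory (hypothetical record type)
    host: str
    not_before: date
    not_after: date

@dataclass
class Finding:
    host: str
    validity_days: int
    allowed_days: int
    days_left: int
    over_limit: bool  # lifetime exceeds the cap in force when the cert was issued
    renew_now: bool   # inside the renewal alert window the page recommends (7-14 days)

def audit(inventory: List[CertRecord], today: date, alert_days: int = 14) -> List[Finding]:
    """Flag certs that violate the phase limit at issuance or that have entered the renewal window."""
    findings = []
    for c in inventory:
        validity = (c.not_after - c.not_before).days
        allowed, _ = limits_on(c.not_before)
        days_left = (c.not_after - today).days
        findings.append(Finding(c.host, validity, allowed, days_left,
                                validity > allowed, days_left <= alert_days))
    return findings

# Constructed sample inventory (not real hosts); the 365-day cert post-dates the Mar 15, 2026 cutover.
SAMPLE_INVENTORY = [
    CertRecord("www.example.test", date(2026, 2, 24), date(2026, 9, 11)),
    CertRecord("api.example.test", date(2026, 3, 20), date(2027, 3, 20)),
    CertRecord("legacy.example.test", date(2025, 4, 1), date(2026, 5, 4)),
]
```

Running `audit(SAMPLE_INVENTORY, today=date(2026, 4, 20))` reports the 365-day certificate as over the 200-day cap and the 398-day certificate as due for renewal, while the 199-day certificate passes both checks.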
The Longer Arc of Digital Trust
The 47-day certificate is, in many ways, a forcing function for infrastructure modernization that the industry has needed for years. Certificate-related outages — expired certificates causing unexpected service disruptions — have plagued organizations large and small precisely because renewal was infrequent enough to fall through the cracks. Automation removes that failure mode entirely.
Experts broadly expect the trend toward shorter lifespans to continue beyond 2029 as quantum computing matures and post-quantum cryptographic algorithms enter deployment. Organizations that build robust automation and crypto-agility now will be far better positioned for that next transition than those scrambling to catch up.
The ballot’s passage with unanimous support from every major browser vendor — the entities that ultimately determine which certificates are trusted — made its enforcement effectively certain from the moment of the vote. The only remaining question for any organization is not whether to adapt, but how quickly.
