CA/B Approved 47-Day SSL/TLS Validity by 2029: How to Prepare?

47-Day Lifespans Coming by 2029

The Shrinking Lifespan of TLS Certificates

Remember when SSL certificates used to last three whole years? Then came the drop to one year. Painful, right? Well… brace yourself. By 2029, your SSL/TLS certificates will only last 47 days. Yes, just 47 days. No, this isn’t a drill: certificates will expire eight times faster.

This change is official. It’s not speculation. It’s not a tech blog rumor. It’s CA/B Forum approved, backed by the same group that sets the global standards for web security. And it’s going to impact everyone, whether you’re running a personal blog, an eCommerce empire, a small startup, or a global enterprise.

The shorter certificate lifespan improves security, reduces vulnerability, and promotes the adoption of automated certificate lifecycle management.

Flashback: The Road to Shorter Lifespans

If you’re wondering how we ended up staring down the barrel of a 47-day certificate lifespan, let’s rewind the tape. This didn’t happen overnight. It’s been a slow (but deliberate) countdown to zero. Well… not zero, but pretty close.

Let’s walk through the highlights that brought us here:

Pre-2015

SSL/TLS certificates lived large. Before 2015, an SSL/TLS certificate had a 5-year lifetime, so you only had to renew it every five years. But then… things changed.

2015: The 3-Year Chop

In 2015, the CA/Browser (CA/B) Forum stepped in and trimmed the maximum lifetime of an SSL/TLS certificate from 5 years down to 3 years.

2018: The 2-Year Lifespan

In 2018, the SSL/TLS lifespan was cut further, leaving certificates valid for 2 years before they expire.

March 2020: The 398-Day Era

In March 2020, the lifespan dropped again, this time to 398 days (just over 13 months).

That meant annual renewals became the new normal, and the industry felt it.

Apple Wants 45 Days, But Google Says 90

Then Apple dropped a bomb: they proposed that certificates should last just 45 days. Google, a bit more lenient, floated 90 days instead. The message was clear: automation is the future.

CA/B Forum Votes: The Behind-the-Scenes Drama You Didn’t See Coming

This wasn’t some overnight, backroom decision. Nope. The move to 47-day certificates didn’t just happen; it was the result of intense discussions, heated debates, and careful planning inside the CA/Browser Forum (CA/B).

After the vote, the maximum lifespan of new SSL/TLS certs was set to just 47 days by March 15, 2029.

The CA/Browser Forum (CA/B Forum) is an industry consortium of Certificate Authorities (CAs) and browser vendors that sets security standards and best practices for digital certificates used on the internet, especially SSL/TLS certificates.

Think of it like a high-stakes roundtable with the world’s most powerful players in web security:

  • Certificate Authorities (CAs)
  • Browser giants like Google, Apple, and Mozilla
  • Security leaders who eat threat vectors for breakfast

The recent vote on shorter certificate lifetimes passed: the majority approved it, with a 25-0 vote for the proposal and five abstentions. The 47-day revolution was officially greenlit.

But Why Cut Certificate Lifespans Again?

The single-word answer is Risk. Here’s what the CA/B Forum knew (and you should too):

Shorter Certificate Lifespans = Smaller Attack Windows

The logic is simple but powerful:

  • If a certificate gets compromised, it can now be retired faster.
  • Short-lived certs limit the blast radius of any potential breach.
  • You’re not trusting a certificate for a year anymore, just a few weeks. That’s like turning a 12-month lease into a short Airbnb stay: lower commitment, less risk.

And with automation tools now widely available, renewals aren’t the nightmare they once were. In fact, this change aligns beautifully with the Zero Trust model where nothing is trusted for too long, and everything must continuously prove itself.

The Timeline That Matters (Bookmark This!)

This isn’t a one-and-done update. It’s a strategic phase-out of long-lived SSL certificates and it’s going to change how you manage your security infrastructure. So, if you’re not automating yet… you’re going to feel the heat.

| Timeframe (Certificates Issued After) | Maximum Certificate Validity | Domain Control Validation (DCV) Re-Use Period | Impact |
|---|---|---|---|
| April 2025 (currently) | 398 days | 398 days | |
| March 15, 2026 | 200 days | 200 days | 2X today’s workload (Renewals 2X per Year) |
| March 15, 2027 | 100 days | 100 days | 4X today’s workload (Renewals 4X per Year) |
| March 15, 2029 | 47 days | 10 days | 8X today’s workload (Renewals 8 – 12X per Year) |

How Major CAs Like DigiCert and Sectigo Are Responding (Pay Attention)?

Let’s be honest… 47-day certificates sound like a nightmare unless you’ve got the right tools on your side. The good news? The biggest Certificate Authorities (CAs) are already ahead of the curve. Here’s how DigiCert and Sectigo are preparing you for the future.

DigiCert: Automate Everything, Stress Nothing

DigiCert isn’t sweating the 90-day or even 47-day revolution. Why? Because they’ve been preparing for this moment for years with an automation-first mindset.

Here’s what they’re doing:

  • Trust Lifecycle Manager handles issuance, renewal, and revocation so your team doesn’t burn out clicking “Renew” every few weeks.
  • Already supports 90-day certs, with full support for 47-day expected well before 2029.
  • Built for enterprises scaling across hybrid cloud, on-prem, and multi-region environments.

Sectigo: Get Full Visibility over all your Digital Certificates

Sectigo also follows the path of DigiCert. Sectigo knows shorter lifespans mean more churn, so they’re doubling down on automation, too.

  • Sectigo Certificate Manager (SCM) is a beast of a tool that simplifies cert management across DevOps, IoT, and hybrid cloud.
  • 90-day certs? Already handled.
  • 47-day support? Actively being baked in, with seamless rotation mechanisms in the works.

This change is not optional. By 2029, certs will last just 47 days. That means 8–12 renewals every year.

Why This Change Is a Big Deal

You are running your only business and the site is down. Why? You forgot to renew the SSL certificate. Google now marks it as “Not Secure.” Customers bounce, sales plummet, and your SEO rankings? Crushed.

Now… imagine that exact same scenario happening every 47 days. That’s not just a headache; that’s a recurring business nightmare.

Automation Is No Longer an Option, it’s a Necessity

If you’re not using automation yet, the clock’s ticking, literally, because by 2029 you’ll need a system that can:

  • Detect expiration ahead of time
  • Renew certs automatically
  • Re-validate domains every 10 days (yes, 10 days)
  • Notify you before anything breaks

This shift isn’t just about security. It’s about staying online, staying trusted, and staying ahead.

This Will Affect Everyone — From Startups to Enterprises

Whether you’re a solo dev hustling on a side project, a SaaS startup, or a Fortune 500 bank juggling hybrid infrastructure across data centres and the cloud, this change is coming for you. No one’s immune. Not the little guys. Not the giants.

If your website or app relies on HTTPS, you’re on the clock. It’s time to rethink how you handle certificates, or risk the fallout:

  • Downtime
  • Lost Customers
  • Security Gaps
  • SEO Penalties

Smart organisations are already automating and adopting ACME.

The Smarter Move: Automate Your Certificates

Let’s get one thing straight: manual certificate management will soon be dead. If your current SSL renewal process involves spreadsheets, calendar reminders, or that one person on your team who “just remembers”, you’re already on borrowed time.

Why Manual ≠ Scalable

Think about it. With 47-day certificates and 10-day DCV cycles, you’re looking at:

  • 8 to 12 Renewals per year (per domain!)
  • Multiple Domain Validations
  • Coordinated Re-issuance across dozens, maybe hundreds of certs
  • All with Zero Room for Error

The Only Way Forward: Automated Certificate Management Systems (ACMS)

If you’re serious about staying secure online, this is the move:

  • Auto-renewals with no downtime
  • Auto-validation and compliance with CA/B rules
  • Visibility across all certs in one place
  • Easy integration with your DevOps pipelines, CI/CD, and cloud platforms

Tools to Look At Right Now (Before It’s Too Late)

Let’s make this simple. If you want to survive the 90-day and eventually 47-day cert renewal world, you need tools that do the heavy lifting. And not just any tools… the right ones.

DigiCert Trust Lifecycle Manager

From a single place, you can control your whole certificate management process.

  • Centralized certificate visibility — no more scattered certs
  • Proactive outage prevention — alerts before anything breaks
  • Support integration with cloud, containers, and DevOps tools like Jenkins and Kubernetes

Sectigo Certificate Manager (SCM)

Another top alternative is Sectigo Certificate Manager which gives you:

  • Auto-discovery + auto-renewal — no manual touchpoints
  • Works seamlessly across public/private CAs, mobile, servers, IoT
  • Built for compliance-heavy industries like finance, healthcare, and government

Got confused? Don’t worry, our PKI experts are here to help you choose the perfect automated certificate manager for your business as per your needs. Certera offers multi-vendor PKI Solutions at affordable rates for small to enterprise businesses. Browse our Enterprise-grade PKI Solutions and automate yourself!

Still Unsure? Just Look at the Outage Stats

If you’re thinking, “It can’t be that bad if I miss a renewal…” Think again. The numbers and the brands say otherwise.

LinkedIn (2018)

A missed cert renewal. Result? Parts of the platform went dark. Millions affected.

Microsoft Teams (2020)

One expired certificate = multi-hour outage. Entire companies lost productivity worldwide.

Instagram & Dropbox

Short outages. Missed certificate rotations. Big reputational hits.

Each incident? Millions lost in downtime, user trust, and support costs. And those were with longer certificate lifespans. Now imagine playing that same risky game… every 47 days.

What Should You Do Right Now? How to Prepare?

This isn’t something you “get to later.” Every day you delay = higher risk of outages, SEO crashes, and angry customers. So here’s your no-fluff, action-packed playbook:

Step 1: Audit Your Current Certificates

Create a list of every active cert your organisation is currently using. Note expiration dates and map where each one is deployed (apps, servers, APIs). This is your baseline. Without it, you’re flying blind.

Step 2: Plan Your Transition

90-day and 47-day certs are coming fast. You need a transition plan. Identify which certs need to move to shorter lifespans. Choose the right automation tools (like DigiCert or Sectigo). Look for low-hanging fruit: start with the certs that renew most often.

Step 3: Deploy an Automated Certificate Management System (ACMS)

Manual cert renewal is dead. Automation is your lifeline. Set it once. Let it work while you sleep. It will handle:

  • Auto-renewals
  • Auto-revocations
  • Auto-deployments

Step 4: Educate Your Team

Cert management isn’t just an IT problem; it touches devs, ops, security, and compliance. Make sure your team knows: shorter certs = too much trouble. Follow these steps:

  • Run training sessions
  • Update your CI/CD pipelines
  • Test in staging before it hits prod
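
The Step 1 audit and Step 2 planning, checked against the timeline table earlier in this article, can be sketched as follows. This is an added example, not code from the original article or from any CA's tooling; the hostnames and dates are constructed, and the "renew at two thirds of the lifetime" rule and the on-or-after reading of each phase date are assumptions.

```python
from datetime import date, timedelta

# Phase-in dates and maximum validity in days, taken from the timeline table.
# Assumption: each limit applies to certificates issued on or after its date.
PHASES = [(date(2029, 3, 15), 47), (date(2027, 3, 15), 100), (date(2026, 3, 15), 200)]
CURRENT_MAX_DAYS = 398

def max_validity_days(issued: date) -> int:
    """Maximum validity allowed for a certificate issued on `issued`."""
    for effective, limit in PHASES:
        if issued >= effective:
            return limit
    return CURRENT_MAX_DAYS

def audit(inventory, today: date):
    """Return one finding per certificate, most urgent (fewest days left) first."""
    findings = []
    for host, not_before, not_after in inventory:
        lifetime = (not_after - not_before).days
        # Assumption: renew once two thirds of the lifetime has elapsed.
        renew_by = not_before + timedelta(days=lifetime * 2 // 3)
        # The replacement is issued at renew_by, or today if that date has passed.
        next_limit = max_validity_days(max(renew_by, today))
        findings.append({
            "host": host,
            "days_left": (not_after - today).days,   # negative means expired
            "renew_by": renew_by,
            "overdue": today >= renew_by,
            "next_max_days": next_limit,
            "must_shorten": lifetime > next_limit,   # same lifetime no longer allowed
        })
    return sorted(findings, key=lambda f: f["days_left"])

# Constructed sample inventory: (host, notBefore, notAfter). Hostnames are placeholders.
INVENTORY = [
    ("shop.example.test", date(2025, 6, 1), date(2026, 7, 4)),    # 398-day cert
    ("api.example.test", date(2026, 4, 1), date(2026, 10, 18)),   # 200-day cert
    ("blog.example.test", date(2026, 1, 10), date(2026, 4, 10)),  # 90-day cert
]

if __name__ == "__main__":
    for f in audit(INVENTORY, today=date(2026, 6, 1)):
        print(f)
```

In a real audit the inventory would come from your certificate store or scanner export rather than a hard-coded list.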

Conclusion

The SSL game has changed forever. From 398 days to just 47, the future of certificate management is all about automation, speed, and zero-trust security. Ignore it, and you’re one missed renewal away from a brand-damaging outage. Embrace it, and you’ll stay ahead of compliance, attackers, and your competition.

Need help adapting to the new SSL world? Contact us. Whether you’re a startup, enterprise, or DevOps team, we offer consulting services to audit your current setup, implement automation, and future-proof your certificate strategy.

Frequently Asked Questions (FAQs)

Why are SSL/TLS certificate lifespans being reduced?

Shorter lifespans improve security by minimizing the risk window in case a certificate is compromised. They also reduce reliance on revocation mechanisms, which are often unreliable.

When will the new 90-day SSL certificate lifespan be enforced?

The CA/Browser Forum has approved the change, and it’s set to come into effect by early 2024. Further reductions to 47 days are expected to become standard by 2029.

What is the CA/Browser Forum?

The CA/Browser Forum (CA/B Forum) is a voluntary group of Certificate Authorities (like DigiCert and Sectigo) and browser vendors (like Google, Apple, and Mozilla) who define industry rules for SSL/TLS certificates.

What happens if I don’t update my certificate within the new 47-day cycle?

Your website will show a “Not Secure” warning, and users may be blocked from accessing your site. This could lead to lost traffic, data breaches, or business outages.

Do all CAs support this Change?

Yes. Major CAs like Sectigo and DigiCert have confirmed support for this change and are actively helping customers transition to automated certificate management.

What is ACME, and why is it important?

ACME (Automatic Certificate Management Environment) is a protocol used to automate SSL/TLS certificate issuance and renewal. It’s widely used by Let’s Encrypt and supported by most enterprise CAs today.

What are the Best Tools for Automating Certificate Management?

Enterprise-grade solutions include:

  • DigiCert Trust Lifecycle Manager
  • Sectigo Certificate Manager (SCM)
Janki Mehta

Janki Mehta is a passionate Cyber-Security Enthusiast who keenly monitors the latest developments in the Web/Cyber Security industry. She puts her knowledge into practice and helps web users by arming them with the necessary security measures to stay safe in the digital world.