The world of digital security is on the cusp of a significant transformation. By March 15, 2029, the maximum validity period for public SSL/TLS certificates will be reduced from the current 398 days to just 47 days. This change, approved by the CA/Browser Forum and supported by major browser vendors and certificate authorities, is set to redefine how organizations approach website security and certificate management.
Why the Change?
The primary driver behind this shift is enhanced security. Shorter certificate lifespans drastically reduce the window of opportunity for attackers to exploit compromised or mis-issued certificates. If a certificate or its private key is exposed, the risk period shrinks from over a year to less than two months. This limits the potential for impersonation, man-in-the-middle (MitM) attacks, and other malicious activities.
But WTF 47 days?
The 47-day figure itself was the result of negotiation. While Apple suggested 45 days and Google 90 days, 47 days was chosen as a middle ground that allows for operational buffers (such as renewal failures and retry windows) and aligns with the industry’s consensus for both security and practicality.
Key Implications for Site Owners and IT Teams
1. Security Improvements
Short-lived certificates mean that even if a certificate is compromised, the damage is inherently limited by the brief validity period. This approach aligns with the industry’s broader push toward crypto-agility and rapid response to emerging threats.
2. Operational Challenges
The most immediate impact will be operational. Manual certificate management will become impractical, as organizations will need to renew and deploy certificates up to eight times per year per domain, compared to the current annual cycle. Additionally, the Domain Control Validation (DCV) reuse period will shrink to just 10 days by 2029, requiring more frequent domain revalidations.
3. The Rise of Automation
Automation will become essential. Tools such as Certbot, acme.sh, and enterprise certificate management platforms will be critical for handling the increased frequency of renewals. Automated systems not only reduce the risk of human error but also ensure continuous compliance and minimize the risk of service interruptions caused by expired certificates.
4. Cost Considerations
Importantly, the shortened lifespan does not equate to increased certificate costs. Multi-year SSL/TLS plans will still be available; organizations will simply re-issue certificates more frequently within their prepaid coverage period.
5. Implementation Timeline
The transition to 47-day certificates will be phased in over several years:
Date | Max Certificate Lifespan | Renewals per Year |
---|---|---|
Now (2025) | 398 days | ~1 |
March 15, 2026 | 200 days | ~2 |
March 15, 2027 | 100 days | ~4 |
March 15, 2029 | 47 days | ~8 |
Preparing for the 47-Day Era
To navigate this transition successfully, organizations should:
- Evaluate current certificate management practices and identify opportunities to implement automation.
- Deploy automated renewal and deployment solutions to handle the increased frequency of certificate updates.
- Educate IT teams about the upcoming changes and the importance of proactive certificate lifecycle management.
- Stay informed about industry developments and browser enforcement timelines to ensure ongoing compliance.
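
As a starting point for the first step, the following Python code is an added example (not part of the original article or of any CA's tooling) that audits certificate dates, in the format printed by `openssl x509 -noout -dates`, against the phase-in schedule above. The host names, dates, and the two-thirds renewal threshold are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
BASELINE_DAYS = 398  # limit in force before the first reduction
# Limits from the article's timeline; assumed to apply from each date onward.
SCHEDULE = [
    (datetime(2026, 3, 15, tzinfo=UTC), 200),
    (datetime(2027, 3, 15, tzinfo=UTC), 100),
    (datetime(2029, 3, 15, tzinfo=UTC), 47),
]
RENEW_FRACTION = 2 / 3  # assumption: renew once two-thirds of the lifetime has passed

def parse_openssl_date(line):
    """Parse a line such as 'notAfter=Oct  6 00:00:00 2026 GMT'."""
    value = line.split("=", 1)[1].strip()
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=UTC)

def max_lifetime_days(issued):
    """Maximum validity in days for a certificate issued at this time."""
    return min([BASELINE_DAYS] + [d for start, d in SCHEDULE if issued >= start])

def audit(not_before_line, not_after_line, now):
    """Return (status, limit_days, renew_at) for one certificate."""
    not_before = parse_openssl_date(not_before_line)
    not_after = parse_openssl_date(not_after_line)
    lifetime = not_after - not_before
    limit = max_lifetime_days(not_before)
    renew_at = not_before + lifetime * RENEW_FRACTION
    if now >= not_after:
        status = "EXPIRED"
    elif lifetime > timedelta(days=limit):
        status = "OVER_LIMIT"  # longer than the schedule allowed at issuance
    elif now >= renew_at:
        status = "RENEW_NOW"
    else:
        status = "OK"
    return status, limit, renew_at

# Constructed inventory (hypothetical hosts and dates, not real certificates).
INVENTORY = {
    "www.example.test": ("notBefore=Mar 20 00:00:00 2026 GMT", "notAfter=Oct  6 00:00:00 2026 GMT"),
    "legacy.example.test": ("notBefore=Apr  1 00:00:00 2026 GMT", "notAfter=May  4 00:00:00 2027 GMT"),
}

def report(now):
    # Map each host to its audit status at the given time.
    return {host: audit(nb, na, now)[0] for host, (nb, na) in INVENTORY.items()}

if __name__ == "__main__":
    print(report(datetime(2026, 8, 15, tzinfo=UTC)))
```

Feeding it the dates of every certificate in an inventory on a schedule shows which certificates automation has stopped renewing before they expire.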