47-Day TLS Certificates Are Official: What It Means for Your Team

The CA/Browser Forum has voted to slash TLS certificate lifetimes to just 47 days by 2029. Here's the timeline, the reasoning, and what your team needs to do now to prepare.
The Vote That Changes Everything
In April 2025, the CA/Browser Forum unanimously passed Ballot SC-081 — a proposal originally driven by Apple that will reduce maximum TLS certificate lifetimes from 398 days down to just 47 days. All four major browser vendors (Apple, Google, Mozilla, and Microsoft) voted in favor. This isn't a proposal anymore. It's happening.
The Phased Timeline
The reduction rolls out in stages, giving organizations time to adapt — but the clock is already ticking:
• March 15, 2026: Maximum validity drops to 200 days
• March 15, 2027: Maximum validity drops to 100 days
• March 15, 2029: Maximum validity drops to 47 days
Domain Control Validation (DCV) reuse periods are also shrinking, reaching just 10 days by 2029. That means you can't even reuse a validation token for more than a week and a half.
Why This Is Happening
Shorter certificate lifetimes reduce the window of exposure when a private key is compromised. They also force organizations to maintain better automation practices and limit the damage from certificate misissuance. From a security standpoint, the reasoning is sound. From an operations standpoint, it's a seismic shift.
The Real-World Impact
A certificate that used to last a year will now expire more than 8 times as often. For a team managing 50 servers, that's roughly 400 renewal events per year instead of 50. For larger fleets, the numbers get staggering fast.
Without automation, this means constant renewal tickets clogging your queue, increased risk of missed renewals and outages, more human error in manual certificate installation, and failed health checks and broken trust chains during gaps.
What You Should Do Now
The March 2026 deadline is the first milestone, and it's coming fast. Here's how to prepare:
1. Inventory everything. You can't manage what you can't see. Run a discovery scan across every server to find every certificate — including the ones you forgot about.
2. Centralize monitoring. Spreadsheets and calendar reminders won't scale to 47-day lifetimes. You need a single dashboard that tracks every cert's expiration across your fleet.
3. Plan for automation. ACME-based auto-renewal is the endgame. Start evaluating tools now so you're not scrambling when 100-day certs hit in 2027.
4. Start with visibility. Tools like the open-source CertHound agent give you an immediate inventory at zero cost. You can be running a full scan in under 5 minutes.
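To make the inventory and monitoring steps concrete, here is an added example (not code from CertHound or from this article's author) that reads the `notBefore=`/`notAfter=` lines printed by `openssl x509 -noout -dates` and checks each certificate against the phased limits listed above. The host names and dates are constructed samples, and the code assumes each cap applies by issuance date and counts lifetimes in whole days.

```python
import math
import ssl
from datetime import datetime, timezone

UTC = timezone.utc
# Maximum validity by issuance date, taken from the phased timeline in this article.
SCHEDULE = [
    (datetime(2029, 3, 15, tzinfo=UTC), 47),
    (datetime(2027, 3, 15, tzinfo=UTC), 100),
    (datetime(2026, 3, 15, tzinfo=UTC), 200),
]
CURRENT_MAX = 398  # limit in force before the first reduction

def max_validity_days(issued):
    """Cap for a certificate issued at `issued` (assumption: keyed to issuance date)."""
    for start, days in SCHEDULE:
        if issued >= start:
            return days
    return CURRENT_MAX

def parse_dates(text):
    """Parse the notBefore=/notAfter= lines printed by `openssl x509 -noout -dates`."""
    fields = dict(line.strip().split("=", 1) for line in text.strip().splitlines())
    def to_dt(s):
        return datetime.fromtimestamp(ssl.cert_time_to_seconds(s), tz=UTC)
    return to_dt(fields["notBefore"]), to_dt(fields["notAfter"])

def assess(host, dates_text, now):
    not_before, not_after = parse_dates(dates_text)
    lifetime = (not_after - not_before).days  # whole days; ignores the inclusive final second
    cap_next = max_validity_days(not_after)   # cap if the replacement is issued at expiry
    return {
        "host": host,
        "lifetime_days": lifetime,
        "days_left": (not_after - now).days,
        "within_cap_at_issuance": lifetime <= max_validity_days(not_before),
        "cap_at_renewal": cap_next,
        "shrinks_on_renewal": lifetime > cap_next,  # replacement must be shorter-lived
        "renewals_per_year": math.ceil(365 / cap_next),
    }

# Constructed sample inventory (hypothetical hosts, not real scan output).
INVENTORY = {
    "legacy.example.internal": "notBefore=Jan 10 00:00:00 2026 GMT\nnotAfter=Feb 12 00:00:00 2027 GMT",
    "api.example.internal": "notBefore=Apr  1 00:00:00 2026 GMT\nnotAfter=Oct 18 00:00:00 2026 GMT",
}

if __name__ == "__main__":
    now = datetime(2026, 6, 1, tzinfo=UTC)
    for host, dates in INVENTORY.items():
        print(assess(host, dates, now))
```

Certificates with `shrinks_on_renewal` set are the ones whose next renewal lands under a tighter cap, so they are the first candidates for automation.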
The shift to 47-day certificates is the biggest change to TLS operations in a decade. The teams that prepare now will barely notice. The ones that don't will learn about it from their monitoring alerts — or worse, from their customers.