A major shift is coming to internet security. Beginning in March 2026, the SSL/TLS certificate validity period will be reduced in phases—dropping first to around 200 days, then to 100 days in 2027, and ultimately to just 47 days by March 2029. For years, organizations relied on certificates valid for multiple years, but with these gradual changes, renewing certificates will become a near-monthly responsibility.
This transition is not simply a technical adjustment; it rewrites how organizations must approach certificate management. Shorter validity periods raise the risk of outages caused by missed renewals and increase the operational overhead. Manual processes—like tracking expiration dates with spreadsheets or setting calendar reminders—will no longer be practical. Accelerated certificate renewal cycles will require robust automation tools and processes to ensure continuity, minimize risk, and keep infrastructure secure.
The industry’s phased approach gives organizations time to adapt, but the sooner you embrace automation and modern lifecycle management, the smoother the transition will be. By the time 2029 arrives, having an automated, reliable certificate management process won’t just be an advantage—it will be a necessity for security and business continuity.
This upcoming change to the SSL/TLS Baseline Requirements demands a fundamental shift in how organizations manage their digital infrastructure. Manual certificate renewals will no longer be an option. Missing a renewal could mean sudden website outages, lost revenue, and compromised user trust.
This post explores the reasons behind the 47-day certificate validity limit. We will break down what this means for website owners, IT administrators, and security teams. Finally, we will share actionable steps you can take today to prepare your infrastructure for this new era of rapid certificate turnover.
Understanding the Shift to 47-Day Validity
In April 2025, the CA/Browser Forum officially approved Ballot SC-081v3, setting in motion a scheduled reduction of SSL/TLS certificate lifespans. This change will be rolled out in phases: starting March 15, 2026, certificate validity will drop from the current 398 days to about 200 days, then to 100 days in 2027, and finally to 47 days by March 2029. The ultimate target of a 47-day maximum validity period was a negotiated compromise, following suggestions by Google (90 days) and Apple (45 days), aimed at making the transition attainable while maximizing security benefits.
The rationale behind this reduction centers on minimizing the time a compromised certificate or cryptographic key can be used, reducing the risk and impact of attacks. Shorter certificate lifespans also mean that any outdated or vulnerable information embedded in certificates is refreshed more frequently, enabling the internet ecosystem to respond more rapidly to evolving threats. By enforcing regular, automated renewals, the industry is pushing organizations away from manual processes and toward automation—protecting users, improving agility, and raising the overall standard of web security.
Why 47 days? Shorter lifespans directly reduce the window of opportunity for bad actors. If a cybercriminal compromises a certificate, it remains valid for a much shorter period. A stolen key loses its value rapidly when it expires in a matter of weeks.
Furthermore, rapid certificate turnover ensures that major cryptographic updates happen faster. When security standards evolve or vulnerabilities emerge, the entire web ecosystem can transition to stronger encryption protocols within a 47-day window. This agility makes the internet significantly more resilient against modern cyber threats.
The best part? Shorter certificate lifespans do not equate to higher costs. Whether you opt for one-year or multi-year coverage, you can easily renew or re-issue your certificates in accordance with the evolving validity requirements, ensuring uninterrupted security without increased costs.
Implications for Your Organization
The shift to a 47-day certificate validity period will have wide-ranging effects across organizations, making automation and new workflows a necessity rather than a convenience. Website owners, IT administrators, and cybersecurity professionals will all experience major changes. Ultimately, these changes mean organizations must adopt a proactive approach: phasing in automation now, updating policies, and training staff to reduce risk and guarantee continuous compliance as certificate turnover speeds up and data reuse windows close.
Impact on Website Owners
For business leaders and website owners, website uptime is critical. An expired certificate results in harsh browser warnings that scare visitors away. These warnings destroy brand trust and lead to immediate revenue loss.
With certificates expiring every 47 days, the risk of human error causing an outage skyrockets. Website owners will need to budget for and implement automated certificate management tools to prevent costly outages and brand-damaging browser warnings. The need to reissue certificates roughly eight times a year makes manual tracking using calendars or spreadsheets completely impractical.
Impact on IT Administrators
IT administrators will face the heaviest operational burden if they stick to traditional workflows. Manually generating Certificate Signing Requests (CSRs), validating domains, and installing certificates across multiple servers takes time. Doing this every few weeks for dozens or hundreds of domains is unsustainable.
This change forces IT teams to abandon manual processes. Administrators must shift their focus toward building resilient, automated pipelines. They will need to master tools and protocols that handle certificate issuance and deployment automatically, freeing up their time for strategic IT initiatives.
Impact on Cybersecurity Professionals
Cybersecurity teams generally welcome this change. Shorter validity periods mean better security hygiene. It forces organizations to implement strict crypto-agility practices.
However, security professionals must oversee the safe implementation of these new automated systems. They must ensure that the tools handling private keys and communicating with Certificate Authorities (CAs) remain secure. With shorter validity, certificate-related data—such as subject identity and domain validation—must be refreshed more often, and the time window in which validation data may be reused has been drastically reduced, too. For example, validation data reuse for domains drops to just 10 days by March 2029, increasing the frequency of required validation processes. Security teams will also need to monitor the certificate landscape continuously to catch any issuance anomalies before they become major incidents.
How to Prepare for the 47-Day Validity Era
Organizations should begin taking action now to modernize certificate lifecycle management and avoid costly disruptions. Begin by mapping out a multi-year plan that aligns with each milestone in the phased timeline. Start evaluating and rolling out automation tools—such as enterprise-grade Certificate Lifecycle Management (CLM) platforms and protocols like ACME—well before you’re forced to renew certificates every 47 days.
Automation is not just convenient; it’s essential for keeping up as you may need to reissue each certificate up to eight times per year by 2029. Implement automation solutions that fit your specific environment, whether you manage Linux, Windows, cloud, or web hosting infrastructure. Test, configure, and train your teams on these systems as soon as possible to ensure a smooth transition. Organizations with complex digital environments should consider centralizing certificate management and monitoring to minimize the risk of shadow IT and expiration-related outages. Proactive preparation now—starting with automation—will help your organization navigate the timeline of changes while maintaining a high level of security and compliance.
Securing Your Digital Future
The move to 47-day SSL/TLS certificate validity represents a massive leap forward for internet security. While it introduces significant operational challenges, it ultimately protects your organization from devastating cryptographic failures and key compromises.
Take action today. Audit your current certificate inventory and evaluate your automation capabilities. Begin testing ACME clients and CLM solutions in your staging environments. By embracing automation now, you will transform a looming operational headache into a streamlined, highly secure competitive advantage well before the 2029 deadline arrives.
Written by: Chris Zambuto | Chief Information Security Officer @CMITBostonCambridge
