SSL/TLS Certificate Lifespans Reduced To 47 Days By 2029 [CA/B Approved]


In a historic vote raising the bar for online security and certificate manageability, the CA/Browser Forum has voted to reduce the maximum life of SSL/TLS certificates down to only 47 days by 2029.

This is a landmark event which will significantly reshape the way the digital landscape will tackle encryption and secure communications, and is a long-awaited and anticipated decision for security professionals everywhere.

This vote is not unprecedented because previously Google pushed for a shorter 90-day validity period for certificates and Apple proposed 45 days. With this vote, we are now on track for the industry to have an even stricter certificate life.

In this blog, we are going to discuss the key points of the new changes, the rollout timeline, how businesses should prepare for the updates, how leading providers (Sectigo and DigiCert) are responding, and why businesses must adopt automated certificate management solutions.

The CA/Browser Forum’s Decision

The CA/Browser Forum is a group of many of the major certificate authorities (CAs) and browsers.

Recently, the CA/Browser Forum held a vote to approve the gradual reduction of SSL/TLS certificates’ validity period. This unanimous decision came after months of debating and several proposals from Google, Apple, Sectigo, and other industry leaders.

The CA/Browser Forum proposes the following reduction of certificate validity, and will implement each change progressively over the next few years, with a final deadline in 2029.

Here’s what we know:

  • March 2026: The max lifespan of a TLS certificate will be 200 days, allowing for a six-month renewal cadence.
  • March 2027: The max lifespan of a TLS certificate will be 100 days, allowing for a three-month renewal cadence.
  • March 2029: The max lifespan of a TLS certificate will be capped at 47 days, allowing for a one-month renewal cadence.

The Evolution of Certificate Lifespan Proposals

The introduction of a maximum 47-day validity period should be seen as part of a larger industry trend toward improving security and moving faster, to keep pace with technology that arrives more quickly than companies can manage.

Developments in cryptography-driven fields such as quantum computing, along with others, are arriving at a pace that causes some security professionals to lose sleep.

Google Proposed 90 Days

A few years earlier, Google proposed a 90-day maximum validity for SSL/TLS certificates. For Google, the focus was security. The ultimate goal was to reduce the window during which a private key could be exposed if a bad actor initiated a brute force attack and found some success.

Apple Proposed 45 Days

Apple took it even further, proposing a 45-day maximum validity period for certificates so that renewals happen more often and new updates in the industry can be addressed more rapidly.

Sectigo Supports Change

As a leading digital trust provider, Sectigo was excited to endorse the change because it recognized that shorter certificate lifespans could improve the overall security of both private and public cryptography management.

Automated certificate management is the more feasible approach for the future, given the security implications of quantum computing, potential imminent industry changes, and as-yet unrealized security vulnerabilities.

What Changes for Sectigo and DigiCert Users?

The CA/Browser Forum expects implementing shorter SSL/TLS certificate lifespans to significantly change how Sectigo and DigiCert users manage their digital certificates.

As a leader in digital trust, Sectigo has strongly advocated for shorter certificate lifecycles and is now preparing to launch its customer transition efforts.

Sectigo will rely on its Certificate Lifecycle Management (SCM) solutions to eliminate manual challenges by automating the entire SSL/TLS certificate lifecycle.

As certificate renewals become more frequent, these automated functions become even more important.

By 2029, Sectigo expects to shorten the lifespan of SSL/TLS certificates to 47 days maximum to align with a monthly renewal cadence, which will require users to adopt a more aggressive management approach.

Similar to Sectigo, DigiCert, a widely recognized digital certification provider, is making adjustments to its solutions as well.

DigiCert provides Automated Certificate Management Systems (ACMS) that will support any new timelines and manage renewals automatically.

While the companies continue to evaluate the timeliness of these policy changes and ensure continued compliance, their platforms will still use security features to help businesses manage their digital trust while clients transition seamlessly.

How to Prepare for 47-day Lifespan?

With the reduction in SSL/TLS certificate lifespans, businesses will need to shift toward agile, automated solutions to properly manage the certificates they use. Get ready with the checklist below:

Implement Certificate Automation:

Automation is essential because manual renewals will become impractical with shorter-lived certificates.

  • Use the ACME Protocol: Most Certificate Authorities (CAs) support the Automatic Certificate Management Environment (ACME) protocol, which automates issuance and renewal.
  • Adopt Certificate Management Tools: To streamline renewals, use solutions such as Certbot, EJBCA, CFSSL, HashiCorp Vault, or enterprise-grade tools from DigiCert, Sectigo, and GlobalSign. You can also consult a PKI broker or PKI solution provider to compare and choose the best CLM for your business.
  • Cloud and DevOps Integration: Platforms that automate certificates in cloud environments include AWS Certificate Manager (ACM), Azure Key Vault, and Kubernetes Cert-Manager.

Optimize Internal Certificate Management:

  • Maintain an Inventory: Use a Certificate Management System (CMS) to track all certificates so that unexpected expirations can be avoided. Companies like Sectigo and DigiCert provide certificate management solutions to their customers.
  • Enable Monitoring & Alerts: Monitoring tools such as Nagios and Zabbix, along with built-in CA notification systems, let teams receive automatic alerts before certificates expire.
  • Streamline Domain Control Validation (DCV): An automated process for validating domains through DCV will be necessary because the DCV validity will drop to 10 days by 2027.
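The rollout timeline and the inventory and alerting items above can be combined into one audit, shown here as an added example that is not from the original article. Host names and dates are constructed; the article gives only the month of each deadline, so the 15th of the month, the 398-day cap before March 2026, and the renew-at-two-thirds rule are assumptions of this example.

```python
from datetime import date, timedelta

# Caps by issuance date, taken from the timeline in this article. The article
# gives only the month, so the 15th is an assumption of this example, as is
# the 398-day cap applied to certificates issued before March 2026.
PHASES = [
    (date(2029, 3, 15), 47),
    (date(2027, 3, 15), 100),
    (date(2026, 3, 15), 200),
    (date.min, 398),
]

def max_lifetime_days(issued):
    """Return the maximum validity allowed for a certificate issued on `issued`."""
    return next(cap for start, cap in PHASES if issued >= start)

def audit(inventory, today):
    """Classify each (name, not_before, not_after) record as of `today`."""
    report = []
    for name, not_before, not_after in inventory:
        lifetime = (not_after - not_before).days
        # Renew once two thirds of the lifetime has elapsed (assumed policy).
        renew_on = not_before + timedelta(days=lifetime * 2 // 3)
        status = ("expired" if today > not_after
                  else "renew" if today >= renew_on else "ok")
        report.append({
            "name": name,
            "lifetime": lifetime,
            "status": status,
            "renew_on": renew_on,
            # True when validity exceeds the cap in force on the issuance date.
            "over_cap": lifetime > max_lifetime_days(not_before),
            # Longest validity a replacement issued today could have.
            "next_max": max_lifetime_days(today),
        })
    return report

# Constructed sample inventory (hypothetical hosts and dates).
INVENTORY = [
    ("shop.example.test", date(2026, 3, 1), date(2027, 4, 2)),
    ("api.example.test", date(2026, 11, 1), date(2027, 5, 20)),
    ("vpn.example.test", date(2027, 4, 1), date(2027, 9, 28)),
]

if __name__ == "__main__":
    for row in audit(INVENTORY, today=date(2027, 5, 1)):
        print(row)
```

The `next_max` field shows why renewal schedules must be recomputed at each phase: a 200-day certificate due for renewal in May 2027 can only be replaced by one valid for at most 100 days.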

Educate & Train IT Teams:

  • Ensure IT & DevOps Teams are Prepared: The IT and DevOps teams need training on automation tools, including ACME, Kubernetes Cert-Manager, or any cloud-native certificate solution.
  • Update Documentation & Policies: Develop organization-wide policies and instructions for automated certificate management.

Review Compliance & Vendor Policies:

  • Check CA Support for Shorter Lifespans: Ensure your Certificate Authority (CA) supports shorter certificate lifespans, because different providers can have different renewal requirements, which must be compatible with your infrastructure.
  • Comply with Industry Regulations: Your business needs to follow cybersecurity standards such as PCI DSS, NIST, and ISO 27001 because these standards require maintaining current certificate policies.

Prepare for Increased Network Traffic & Load:

You must plan how to handle higher network traffic and load. Shorter certificate validity periods will lead organisations to renew certificates more frequently, which would impact firewalls, proxies, and load balancers.

  • Test Infrastructure for Increased Requests: The network infrastructure should be tested to validate its capacity for processing larger volumes of certificate creation and revocation procedures.
  • Optimize OCSP Stapling & CRL Handling: Efficient handling of Online Certificate Status Protocol (OCSP) stapling and Certificate Revocation Lists (CRLs) is essential because frequent certificate renewals create higher OCSP and CRL traffic volumes.

What’s Next for Digital Security and Certificate Lifespans?

The move toward shorter lifetimes for certificates is also a sign of how the digital security environment is maturing.

In a world now approaching the era of quantum computing, we will be left behind unless we upgrade to more nimble, stronger security protocols.

Shorter certificate lifetimes will greatly spur adoption of new cryptographic algorithms, and that adoption helps drive uptake across the global online security community.

Secure Your Future

With major changes to SSL/TLS certificate lifespans coming soon, it is important that businesses adopt automated certificate management solutions that cover the whole lifecycle, from issuing and renewing to revoking certificates, rather than waiting for the changes to take effect.

Additionally, using these solutions helps organizations stay compliant with industry requirements and reduces digital security risks caused by mismanaged workflows.

By automating the tasks that surround certificate management, organizations can greatly reduce the administrative burden, free up time for other tasks, increase efficiency, and spend more time on their core business capabilities with less attention diverted to digital security.

Janki Mehta


Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.