Starting March 15, 2026, the maximum lifespan of public SSL/TLS certificates drops from 398 days to 200 days – and by March 2029, that window shrinks to just 47 days. The CA/Browser Forum passed Ballot SC-081v3 on April 11, 2025, with 29 votes in favor and zero opposed. Every major browser vendor – Apple, Google, Mozilla, and Microsoft – backed the measure.
For IT teams and website owners, this means certificate renewals will jump from once a year to roughly eight times a year. Without preparation, expired certificates will cause browser warnings, site outages, broken APIs, and lost revenue. Here is a step-by-step breakdown of what to do now, organized by the phased timeline ahead.
What Is the 47-Day SSL Certificate Timeline?
The shift to shorter certificate lifespans follows a three-phase schedule. Each phase tightens both the certificate validity period and the domain control validation (DCV) reuse window.
| Phase | Effective Date | Max Validity | DCV Reuse Period |
|---|---|---|---|
| Current | Now – March 14, 2026 | 398 days | 398 days |
| Phase 1 | March 15, 2026 | 200 days | 200 days |
| Phase 2 | March 15, 2027 | 100 days | 100 days |
| Phase 3 | March 15, 2029 | 47 days | 10 days |
By Phase 3, domain ownership verification must happen with nearly every renewal. Organizations that still manage certificates manually will face a workload increase of roughly 8x compared to current annual renewal cycles.
Step 1: How Do You Discover All SSL/TLS Certificates Across Your Infrastructure?
Start with a full certificate inventory. You cannot protect what you cannot see. Scan every internal and external endpoint – web servers, load balancers, CDN nodes, API gateways, IoT devices, and cloud instances – to build a complete map of active certificates.
According to the Sectigo 2025 State of Crypto Agility Report (August 2025), conducted in partnership with research firm Omdia, only 28% of organizations have a complete inventory of their certificates. Just 13% are confident they can track rogue or shadow certificates. These gaps become far more dangerous when renewal cycles accelerate to every 47 days.
Use automated discovery tools that continuously scan your networks. Record the issuing Certificate Authority (CA), expiration date, key algorithm, and hosting location for every certificate found. This inventory becomes your single source of truth for the entire transition.
Step 2: Why Is Certificate Lifecycle Automation No Longer Optional?
Manual certificate management breaks down at the 47-day renewal pace. An organization with 1,000 certificates currently handles about 1,000 renewal events per year. Under the 47-day model, that same inventory generates over 8,000 renewal events annually.
The same Sectigo/Omdia report found that only 5% of organizations have fully automated certificate management, while 95% remain at least partially dependent on manual processes. Fewer than 1 in 5 organizations (19%) feel prepared to support monthly renewal cycles. The gap between where most organizations are today and where they need to be by 2029 is significant.
The ACME (Automatic Certificate Management Environment) protocol is the industry-standard method for automated certificate issuance and renewal. Supported by CAs like Let’s Encrypt, DigiCert, Sectigo, and others, ACME handles domain validation, certificate request, and installation without human intervention.
Key Automation Protocols to Evaluate
- ACME: Widely adopted for DV certificates; integrates with most web servers and hosting platforms
- EST (Enrollment over Secure Transport): Suited for enterprise and IoT environments
- SCEP (Simple Certificate Enrollment Protocol): Common in mobile device management
- CMP (Certificate Management Protocol): Used in PKI-heavy enterprise setups
If your hosting provider supports AutoSSL or built-in ACME clients (cPanel, Plesk, Cloudflare), enable them now. For complex environments spanning multiple CAs and certificate types, a dedicated Certificate Lifecycle Management (CLM) platform gives you centralized control, policy enforcement, and audit trails.
Step 3: How Should You Handle Domain Control Validation Changes?
Domain Control Validation reuse periods are shrinking alongside certificate lifespans. By March 2029, DCV data can only be reused for 10 days. This means proving domain ownership will happen with nearly every certificate renewal cycle.
Prepare for this by standardizing your DNS infrastructure. Use DNS-based validation methods (DNS-01 challenges) rather than email or HTTP-based approaches. DNS-01 validation integrates cleanly with automation tools and works well for wildcard certificates.
Make sure your DNS hosting provider supports API-based record management. Your ACME client needs the ability to programmatically create and remove TXT records during each validation cycle. Without DNS API access, automation stalls at the validation step – and a stalled renewal becomes a site outage. For deeper context on the SSL/TLS certificate lifespan reduction timeline and its broader implications, review the full phased breakdown.
Step 4: What Monitoring and Alerting Should Be in Place?
Automated renewals can fail silently. A misconfigured server, expired API credentials, or a DNS propagation delay can prevent a renewal from completing. Without monitoring, the first sign of trouble is a browser security warning blocking your users.
Set up certificate expiration monitoring that triggers alerts at multiple thresholds – for example, 30 days, 14 days, 7 days, and 3 days before expiry. Integrate these alerts into your existing incident management workflow (PagerDuty, Slack, email, or your SIEM).
Monitoring Checklist
- Track certificate expiry dates across all environments (staging, production, internal services)
- Monitor ACME client logs for renewal failures or rate-limit errors
- Validate certificate chains after each renewal to catch intermediate CA issues
- Test automated rollback procedures – if a new certificate breaks your application, you need to revert quickly
Step 5: How Do You Build a Long-Term Certificate Management Strategy?
The 47-day mandate is not the endpoint. Browser vendors and CAs expect certificate lifespans to continue shrinking, especially as post-quantum cryptography transitions accelerate. Treat this transition as a permanent shift toward continuous certificate operations, not a one-time project.
Assign clear ownership of certificate management within your organization. Whether it sits with the security team, platform engineering, or DevOps, one group needs accountability for renewal processes, policy enforcement, and incident response.
Strategic Actions
- Document your certificate management runbook: who owns what, how renewals work, and what to do when automation fails
- Consolidate certificate providers where possible to reduce vendor sprawl and simplify automation
- Plan for crypto-agility – the ability to swap algorithms rapidly when post-quantum standards finalize
- Run quarterly renewal simulations to test your automation under load before Phase 1 begins
Who Needs to Prepare for 47-Day Certificates?
These changes apply to every publicly trusted SSL/TLS certificate – DV, OV, and EV – issued by a Certificate Authority that follows CA/Browser Forum requirements. If your website, API, SaaS platform, or mobile app uses a public certificate for HTTPS, you are affected.
Private PKI certificates used solely within corporate networks are not subject to these rules. Code signing certificates and S/MIME email certificates also fall outside this ballot’s scope.
What Happens If You Don’t Prepare?
Failing to adapt to shorter certificate lifespans leads to concrete operational consequences:
| Risk | Business Impact |
|---|---|
| Expired certificates | Full-page browser warnings block users from accessing your site or application |
| API failures | Partner integrations and payment processors reject connections with invalid certificates |
| SEO and trust loss | Search engines flag insecure sites; customers lose confidence in your brand |
| Compliance violations | Industries like finance and healthcare face regulatory penalties for lapses in encryption |
| Revenue loss | Every minute of downtime from an expired certificate costs money and customer goodwill |
Your Preparation Window Is Narrowing
Phase 1 enforcement begins March 15, 2026. That gives organizations a limited runway to audit their certificate landscape, deploy automation, and test renewal workflows before the 200-day maximum takes effect.
The organizations that treat this transition as an opportunity – rather than a burden – will operate with fewer outages, faster security updates, and stronger crypto-agility for whatever comes next. Start with discovery, move to automation, and build monitoring around every renewal. The 47-day certificate era rewards preparation and punishes procrastination.
Priya Mervana
Verified Web Security Experts
Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.
Stay Secure with SSLInsights!
Subscribe to get the latest insights on SSL security, website protection tips, and exclusive updates.
✅ Expert SSL guides
✅ Security alerts & updates
✅ Exclusive offers
