Why Are SSL/TLS Certificates Being Reduced to 47 Days by 2029?
The CA/Browser Forum voted to reduce SSL/TLS certificate lifespans to 47 days by 2029 to improve security, enforce automation, and prevent certificate misuse. Here’s what you need to know.
The CA/Browser Forum, the governing body behind SSL/TLS certificate standards, has passed a landmark decision to reduce the maximum validity period of public SSL/TLS certificates from 90 days to just 47 days by 2029. This move is part of an ongoing effort to enhance web security, mitigate risks of certificate misuse, and improve certificate lifecycle management.
Why Did the CA/Browser Forum Reduce SSL Certificate Lifespans to 47 Days?
In a unanimous 25-0 vote, the CA/Browser Forum, the industry group governing SSL/TLS standards, has mandated that all publicly trusted certificates must expire after just 47 days by 2029. This dramatic reduction (from today’s 90-day limit) aims to combat rising cyber threats by forcing faster certificate rotations.
Here’s the phased timeline and what it means for your organization:
| Effective Date | Maximum Certificate Lifespan | Domain Validation (DCV) Period |
| --- | --- | --- |
| March 15, 2026 | 200 days | 200 days |
| March 15, 2027 | 100 days | 100 days |
| March 15, 2029 | 47 days | 10 days |
3 Key Reasons SSL/TLS Certificate Lifespans Are Shrinking to 47 Days
The reduction of SSL/TLS certificate lifespans to 47 days by 2029 serves three essential cybersecurity objectives.
1. Reducing Attack Windows
Cutting SSL/TLS certificate validity from 90 days to 47 days reduces the time attackers can use a stolen or compromised certificate. The 47-day validity period caps that window, limiting attackers to less than half of their previous attack duration.
2. Forcing Automation Adoption
Manual certificate administration cannot keep up with renewals on a 47-day validity period. The new policy requires organizations to adopt automated certificate management tools, which include:
- ACME protocols (Let’s Encrypt, Certbot)
- Cloud PKI services (AWS ACM, Azure Key Vault)
3. Enforcing Zero Trust Security
Starting in 2029, a 10-day Domain Control Validation (DCV) period becomes mandatory for all organizations. The new requirement brings three essential benefits:
- Frequent reconfirmation of domain ownership
- Prevention of hijacking and phishing attacks
- Alignment with “never trust, always verify” Zero Trust principles
SSL/TLS Certificate Lifespan Reduction: Full Phase-Out Timeline (2024-2029)
The CA/Browser Forum’s Ballot SC-081v3 mandates a staged reduction of SSL/TLS certificate lifespans, culminating in a 47-day maximum validity by 2029.
Here’s the official timeline:
| Year | Maximum Validity Period | Key Change |
| --- | --- | --- |
| 2024 | 90 days | Current standard |
| 2025 | 70 days | First reduction (-20 days) |
| 2027 | 60 days | Prepares for final phase |
| 2029 | 47 days | Final compliance deadline |
Impact on Businesses & Web Administrators: Key Challenges and Solutions
Organizations must adapt how they manage digital security because SSL/TLS certificates are moving to a maximum validity period of 47 days. The new policy brings increased operational demands, mandatory automation, cost adjustments, and misconfiguration risks. The solution involves automated tools such as Certbot and HashiCorp Vault, together with CI/CD integration and proactive monitoring.
The following section outlines essential challenges along with practical solutions which apply to business operations and IT management.
1. Increased Operational Overhead
Challenge:
- The need for more regular renewals creates additional work for system maintenance.
- The shorter certificate validity period makes manual processes impractical for maintenance.
Solution:
- The implementation of automated workflows will decrease administrative workloads.
- Scheduled audits should be implemented to guarantee compliance.
2. Mandatory Automation Adoption
Challenge:
- The 47-day renewal period makes manual certificate management systems unable to function effectively.
Solution:
- Organizations need to use automated certificate management (ACM) tools such as Certbot and HashiCorp Vault.
- CI/CD pipelines should integrate with certificate rollover processes for smooth operations.
- The implementation of monitoring tools such as Nagios and Datadog will help prevent certificate expiration surprises.
3. Cost Implications
Challenge:
- Enterprises which manage thousands of certificates will probably need to spend more money because of the need for more frequent renewals.
Solution:
- Businesses should use free certificate authorities (CAs) such as Let’s Encrypt to minimize costs.
- The consolidation of certificates into unified management platforms will help organizations decrease their operational costs.
4. Risks of Misconfigurations & Failures
Challenge:
- The speed of certificate rotations elevates the chance of human mistakes such as overlooking renewal deadlines which results in system outages.
Solution:
- Automated fallback systems (e.g., backup certificates) should be implemented.
- Real-time alerting systems should notify teams about approaching certificate expiration dates.
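Added example, not from the original article: a Python audit that applies the phased lifespan limits from the first timeline table above to certificate notBefore/notAfter dates (in the format Python's `ssl.getpeercert()` returns) and flags certificates that are expired, issued for too long, or due for renewal. The host names, dates, status labels, and the renew-at-one-third-remaining threshold are assumptions made for illustration.

```python
import ssl
from datetime import datetime, timezone
# (effective date, max lifespan in days), from the article's first timeline table.
PHASES = [
    (datetime(2026, 3, 15, tzinfo=timezone.utc), 200),
    (datetime(2027, 3, 15, tzinfo=timezone.utc), 100),
    (datetime(2029, 3, 15, tzinfo=timezone.utc), 47),
]
RENEW_FRACTION = 1 / 3  # assumption: renew once a third of the lifetime remains

def _ts(cert_time):
    """Parse a certificate time string in the format ssl.getpeercert() returns."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)

def max_days_for(issued):
    """Limit in force on the issuance date; None before the first phase."""
    limit = None
    for effective, days in PHASES:
        if issued >= effective:
            limit = days
    return limit

def audit(cert, now):
    """Classify one certificate (dict with notBefore/notAfter) at time `now`."""
    issued, expires = _ts(cert["notBefore"]), _ts(cert["notAfter"])
    lifetime = (expires - issued).total_seconds() / 86400
    remaining = (expires - now).total_seconds() / 86400
    limit = max_days_for(issued)
    if remaining <= 0:
        status = "EXPIRED"
    elif limit is not None and lifetime > limit:
        status = "OVER_LIMIT"  # issued for longer than the phase allows
    elif remaining <= lifetime * RENEW_FRACTION:
        status = "RENEW_NOW"
    else:
        status = "OK"
    return {"status": status, "limit_days": limit,
            "lifetime_days": lifetime, "remaining_days": remaining}

def audit_all(inventory, now):
    return {host: audit(cert, now) for host, cert in inventory.items()}

# Constructed sample inventory: hypothetical hosts and dates.
INVENTORY = {
    "shop.example.test": {"notBefore": "Apr  1 00:00:00 2029 GMT", "notAfter": "May 18 00:00:00 2029 GMT"},
    "api.example.test": {"notBefore": "Apr  1 00:00:00 2029 GMT", "notAfter": "Jun 30 00:00:00 2029 GMT"},
    "legacy.example.test": {"notBefore": "Mar  1 00:00:00 2029 GMT", "notAfter": "Apr 30 00:00:00 2029 GMT"},
    "old.example.test": {"notBefore": "Feb  1 00:00:00 2029 GMT", "notAfter": "Apr 10 00:00:00 2029 GMT"},
}
```

Calling `audit_all(INVENTORY, now)` with a timezone-aware `now` returns one result per host; the lifetime is computed as the plain difference between the two timestamps, which is a simplification.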
Final Thoughts
The move to 47-day SSL/TLS certificate lifespans is an essential cybersecurity development that drives the industry toward automated systems, stronger encryption standards, and minimized attack vectors. Businesses that adopt automated certificate management will stay ahead of both the compliance demands and the security threats this change brings.
Priya Mervana
Verified Web Security Experts
Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.