Why Are SSL/TLS Certificates Being Reduced to 47 Days by 2029?
The CA/Browser Forum voted to reduce SSL/TLS certificate lifespans to 47 days by 2029 to improve security, enforce automation, and prevent certificate misuse. Here's what you need to know.
The CA/Browser Forum, the governing body behind SSL/TLS certificate standards, has passed a landmark decision to reduce the maximum validity period of public SSL/TLS certificates from 90 days to just 47 days by 2029. This move is part of an ongoing effort to enhance web security, mitigate risks of certificate misuse, and improve certificate lifecycle management.
Why Did the CA/Browser Forum Reduce SSL Certificate Lifespans to 47 Days?
In a unanimous 25-0 vote, the CA/Browser Forum, the industry group governing SSL/TLS standards, has mandated that all publicly trusted certificates must expire after just 47 days by 2029. This dramatic reduction (from today's 90-day limit) aims to combat rising cyber threats by forcing faster certificate rotations.
Here's the phased timeline and what it means for your organization:

| Effective Date | Maximum Certificate Lifespan | Domain Validation (DCV) Period |
|---|---|---|
| March 15, 2026 | 200 days | 200 days |
| March 15, 2027 | 100 days | 100 days |
| March 15, 2029 | 47 days | 10 days |
3 Key Reasons SSL/TLS Certificate Lifespans Are Shrinking to 47 Days
The reduction of SSL/TLS certificate lifespans to 47 days by 2029 serves three essential cybersecurity objectives.
1. Reducing Attack Windows
SSL/TLS certificate validity periods now last only 47 days instead of 90 days, which reduces the time attackers can use stolen or compromised certificates. The 47-day validity period limits how long attackers can exploit a compromise to less than half of the previous duration.
2. Forcing Automation Adoption
Manual certificate administration cannot keep up with renewals on a 47-day validity period. The new policy requires organizations to adopt automated certificate management tools, which include:
- ACME protocols (Let's Encrypt, Certbot)
- Cloud PKI services (AWS ACM, Azure Key Vault)
3. Enforcing Zero Trust Security
Starting in 2029, all organizations must meet a mandatory 10-day Domain Control Validation (DCV) requirement. The new requirement brings three essential benefits:
- Frequent reconfirmation of domain ownership
- Prevention of hijacking and phishing attacks
- Alignment with "never trust, always verify" Zero Trust principles
SSL/TLS Certificate Lifespan Reduction: Full Phase-Out Timeline (2024-2029)
The CA/Browser Forum's Ballot SC-081v3 mandates a staged reduction of SSL/TLS certificate lifespans, culminating in a 47-day maximum validity by 2029.
Here's the official timeline:

| Year | Maximum Validity Period | Key Change |
|---|---|---|
| 2024 | 90 days | Current standard |
| 2025 | 70 days | First reduction (-20 days) |
| 2027 | 60 days | Prepares for final phase |
| 2029 | 47 days | Final compliance deadline |
Impact on Businesses & Web Administrators: Key Challenges and Solutions
Organizations must adapt their digital security management because SSL/TLS certificates now have a maximum validity period of 47 days. The new policy brings increased operational demands, mandatory automation, cost adjustments, and misconfiguration risks. The solution involves using automated tools such as Certbot and HashiCorp Vault, together with CI/CD integration and proactive monitoring.
The following section outlines the essential challenges, along with practical solutions, for business operations and IT management.
1. Increased Operational Overhead
Challenge:
- The need for more regular renewals creates additional work for system maintenance.
- The shorter certificate validity period makes manual processes impractical for maintenance.
Solution:
- The implementation of automated workflows will decrease administrative workloads.
- Scheduled audits should be implemented to guarantee compliance.
2. Mandatory Automation Adoption
Challenge:
- The 47-day renewal period makes manual certificate management systems unable to function effectively.
Solution:
- Organizations need to use automated Certificate Management (ACM) tools that include Certbot and HashiCorp Vault.
- CI/CD pipelines should integrate with certificate rollover processes for smooth operations.
- The implementation of monitoring tools such as Nagios and Datadog will help prevent certificate expiration surprises.
3. Cost Implications
Challenge:
- Enterprises which manage thousands of certificates will probably need to spend more money because of the need for more frequent renewals.
Solution:
- Businesses should use free certificate authorities (CAs) such as Let's Encrypt to minimize costs.
- The consolidation of certificates into unified management platforms will help organizations decrease their operational costs.
4. Risks of Misconfigurations & Failures
Challenge:
- The speed of certificate rotations elevates the chance of human mistakes such as overlooking renewal deadlines which results in system outages.
Solution:
- Automated fallback systems (e.g., backup certificates) should be implemented.
- Real-time alerting systems should notify teams about approaching certificate expiration dates.
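A scheduled audit of the kind recommended above, as an added example that is not from the original article: it checks each certificate's lifespan against the phased limits in the first timeline table and flags renewals that are due. The hostnames, the inventory and the one-third renewal threshold are assumptions; the date fields use the format returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import ssl
from datetime import datetime, timezone

# Phased limits from the article's first timeline table, newest first:
# (effective date, maximum lifespan in days).
PHASES = [(datetime(year, 3, 15, tzinfo=timezone.utc), days)
          for year, days in ((2029, 47), (2027, 100), (2026, 200))]
RENEW_FRACTION = 1 / 3  # assumption: renew once under a third of the lifetime remains


def _parse(cert_time):
    """Parse the 'Mar 20 00:00:00 2029 GMT' form used by getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def max_lifespan_days(issued):
    """Limit in force on the issuance date, or None before the first phase."""
    for effective, limit in PHASES:
        if issued >= effective:
            return limit
    return None


def audit(cert, now):
    """Return a list of findings for one certificate dict (empty means ok)."""
    issued, expires = _parse(cert["notBefore"]), _parse(cert["notAfter"])
    lifetime = expires - issued
    findings = []
    limit = max_lifespan_days(issued)
    if limit is not None and lifetime.total_seconds() > limit * 86400:
        findings.append(f"lifespan {lifetime.days}d exceeds {limit}d limit")
    remaining = expires - now
    if remaining.total_seconds() <= 0:
        findings.append("expired")
    elif remaining < lifetime * RENEW_FRACTION:
        findings.append(f"renewal due, {remaining.days}d left")
    return findings


# Constructed inventory (hypothetical hosts and dates), keyed by hostname.
INVENTORY = {
    "shop.example": {"notBefore": "Mar 20 00:00:00 2029 GMT", "notAfter": "May  5 00:00:00 2029 GMT"},
    "api.example": {"notBefore": "Apr  1 00:00:00 2029 GMT", "notAfter": "Jun 30 00:00:00 2029 GMT"},
    "old.example": {"notBefore": "Apr  1 00:00:00 2027 GMT", "notAfter": "Jul  1 00:00:00 2027 GMT"},
}

if __name__ == "__main__":
    now = datetime(2029, 4, 25, tzinfo=timezone.utc)  # fixed date so the output is repeatable
    for host, cert in INVENTORY.items():
        print(host, audit(cert, now) or ["ok"])
```

In a real deployment the inventory would be filled from live `getpeercert()` results or a certificate store, and the findings routed to the alerting system already in use.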
Final Thoughts
The 47-day SSL/TLS certificate lifespan is an essential cybersecurity development that drives the industry toward automated systems, stronger encryption standards, and minimized attack vectors. Businesses that adopt automated certificate management will stay ahead of both the compliance demands and the security threats that come with this change.

Priya Mervana
Verified Web Security Experts
Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.




