TLS Certificates Validity Trend
Remember when SSL certificates used to last three whole years? Then came the drop to one year. Painful, right? Well… brace yourself. By 2029, your SSL/TLS certificates will only last 47 days. Yes, just 47 days, and no, this isn't a drill, and now the certificate expires eight times faster.
This change is official. It's not speculation. It's not a tech blog rumor. It's CA/B Forum approved, backed by the same group that sets the global standards for web security. And it's going to impact everyone, whether you're running a personal blog, an eCommerce empire, a small startup, or a global enterprise.
The shorter lifespan of certificates improves security, reduces vulnerability, and promotes the adoption of automation certificate lifecycle management.
Road to Shorter Lifespans
If you're wondering how we ended up staring down the barrel of a 47-day certificate lifespan, let's rewind the tape. This didn't happen overnight. It's been a slow (but deliberate) countdown to zero. Well,… not zero, but pretty close.
Let's walk through the highlights that brought us here:
Before 2015
SSL/TLS certificates lived large. Before 2015, an SSL/TLS certificate had a 5-year lifetime. You have to renew it after five years. But then… things changed.
2015
In 2015, the 5-year lifetime of an SSL/TLS certificate was changed to 3 years. The CA/Browser (CA/B) Forum stepped in and trimmed the maximum certificate lifespan down.
2018
In 2018, the SSL/TLS lifespan further degraded, and now it has a valid 3-year time period after which it will expire.
March 2020
In March 2020, the lifespan dropped again, this time to 398 days (just over 13 months).
That meant annual renewals became the new normal, and the industry felt it.
Apple Wants 45 Days, But Google Says 90
Then Apple dropped a bomb: they proposed that certificates should last just 45 days. Google, a bit more lenient, floated 90 days instead. The message was clear: automation is the future.
CA/B Forum Drama
This wasn't some overnight, backroom decision. Nope. The move to 47-day certificates didn't just happen it was the result of intense discussions, heated debates, and careful planning inside the CA/Browser Forum (CA/B).
After the voting, they decide the maximum lifespan of new SSL/TLS certs to just 47 days by March 15, 2029.
The CA/Browser Forum (CA/B Forum) is an industry consortium of Certificate Authorities (CAs) and browser vendors that sets security standards and best practices for digital certificates used on the internet, especially SSL/TLS certificates.
Think of it like a high-stakes roundtable with the world's most powerful players in web security:
- Certificate Authorities (CAs)
- Browser giants like Google, Apple, and Mozilla
- Security leaders who eat threat vectors for breakfast
The recent vote on shorter Certificate lifetimes passed, and the verdict Majority approved in favour of it with the votes 25-0 for the proposal and five abstentions. The 47-day revolution was officially greenlit.
Why Shorter Certificate Lifespans?
The single-word answer is Risk. Here's what the CA/B Forum knew (and you should too):
Shorter Certificate Lifespans = Smaller Attack Windows
The logic is simple but powerful:
- If a certificate gets compromised, it can now be retired faster.
- Short-lived certs limit the blast radius of any potential breach.
- You're not trusting a certificate for a year anymore, just a few weeks. That's like turning a 12-month lease into a short Airbnb stay: lower commitment, less risk.
And with automation tools now widely available, renewals aren't the nightmare they once were. In fact, this change aligns beautifully with the Zero Trust model where nothing is trusted for too long, and everything must continuously prove itself.
The Timeline That Matters
This isn't a one-and-done update. It's a strategic phase-out of long-lived SSL certificates and it's going to change how you manage your security infrastructure. So, if you're not automating yet… you're going to feel the heat.
| Timeframe (Certificates Issued After) | Maximum Certificate Validity | Domain Control Validation (DCV) Re-Use Period | Impact |
| April 2025 (currently) | 398 days | 398 days | |
| March 15, 2026 | 200 days | 200 days | 2X today's workload (Renewals 2X per Year) |
| March 15, 2027 | 100 days | 100 days | 4X today's workload (Renewals 4X per Year) |
| March 15, 2029 | 47 days | 10 days | 8X today's workload (Renewals 8 – 12X per Year) |
Responce of DigiCert and Sectigo?
Let's be honest… 47-day certificates sound like a nightmare unless you've got the right tools on your side. The good news? The biggest Certificate Authorities (CAs) are already ahead of the curve. Here's how DigiCert and Sectigo are preparing you for the future.
DigiCert: Automate Everything, Stress Nothing
DigiCert isn't sweating the 90-day or even 47-day revolution. Why? Because they've been preparing for this moment for years with an automation-first mindset.
Here's what they're doing:
- Trust Lifecycle Manager handles issuance, renewal, and revocation so your team doesn't burn out clicking “Renew” every few weeks.
- Already supports 90-day certs, with full support for 47-day expected well before 2029.
- Built for enterprises scaling across hybrid cloud, on-prem, and multi-region environments.
Sectigo: Get Full Visibility over all your Digital Certificates
Sectigo also follows the path of DigiCert. Sectigo knows shorter lifespans mean more churn, so they're doubling down on automation, too.
- Sectigo Certificate Manager (SCM) is a beast of a tool that simplifies cert management across DevOps, IoT, and hybrid cloud.
- 90-day certs? Already handled.
- 47-day support? Actively being baked in, with seamless rotation mechanisms in the works.
This change is not optional. By 2029, certs will last just 47 days. That means 8–12 renewals every year.
Keep Reading - https://certera.com/blog/ca-b-approved-47-day-ssl-tls-validity-by-2029-how-to-prepare/