Understanding the New 47-Day Certificate Lifespan
The CA/Browser Forum, the organisation that sets the standards for digital certificates, has approved a significant reduction in certificate lifespan. It will be shrinking it from 398 days down to a maximum of 47 days by 2029.
The transition will begin on March 15, 2026, when certificates will be limited to a maximum of 200 days. The final reduction to 47 days will become mandatory on March 15, 2029.
This phased-in approach gives organisations time to adapt. By the time the 47-day deadline hits, your team should be ready to handle the increased renewal frequency.
Why the Shift to Shorter Lifespans?
Why is the change happening? In short, it’s all about staying one step ahead of a constantly evolving digital threat. Key players in the industry, like Apple and Sectigo, have been pushing for this for years.
The rationale is simple:
- Minimising risk: Shorter lifespans mean a smaller window for compromised keys to be exploited. If a key is stolen, the attacker only has 47 days to use it before the certificate expires, significantly reducing the potential for long-term damage. This is especially critical as quantum computing poses a future threat to our current cryptographic systems.
- Faster fixes: If a certificate is misissued or misconfigured, it can be identified and corrected much faster. This ensures certificates always align with current domain ownership, preventing potential exploitation.
- Promoting agility: The need for more frequent renewals forces organisations to adopt stronger, more modern cryptographic algorithms. This "crypto agility" ensures the entire digital ecosystem can quickly respond to new threats.
- Upholding trust: More frequent revalidation and updates show users that you take security seriously. Boards and auditors are also increasingly pressuring companies to adopt solutions that keep them compliant and secure.
The Challenge: A Massive Increase in Workload
With certificates expiring nearly 12 times more often, the operational load on IT teams will skyrocket. Manually renewing certificates every 47 days is not feasible and dramatically increases the risk of human error.
Just one missed renewal could lead to a site outage, loss of customer trust, and financial impact. We’ve seen high-profile examples of this, with companies like GitHub and Spotify suffering service disruptions from expired certificates.
A centralised policy is crucial for managing this change, but the real key to success is SSL automation.
The Solution: Automated Certificate Management
For organisations with hundreds or even thousands of certificates, automation isn't just a nice-to-have, it’s a necessity. Automated certificate lifecycle management (CLM) streamlines the entire process, ensuring you stay secure, compliant, and operational.
An automated solution will:
- Track everything: Automatically monitor expiration dates and track all your certificates across every domain, so nothing gets missed.
- Prevent outages: Send out alerts about impending expirations and facilitate timely renewals to prevent service disruptions.
- Ensure scalability: Provide comprehensive, scalable coverage for all your machine identities, no matter how complex your environment.
- Reduce human error: Take the manual work out of renewals, freeing up your team to focus on more strategic security initiatives.
As the industry moves toward shorter lifespans, automation is the only way to effectively manage the increased workload and maintain a robust security posture.
Discussions and Comments
Click here to view and join in on any discussions and comments on this article.
