Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

47-day certificate lifetimes: what IAM teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: The CA/B Forum has approved a phased reduction in public SSL/TLS certificate validity to 47 days by 2029, with DCV reuse shrinking to 10 days by 2028, according to GlobalSign. The shift makes manual certificate handling increasingly untenable and turns automation, inventory, and lifecycle governance into core identity controls.

NHIMG editorial — based on content published by GlobalSign: the move to shorter SSL/TLS certificate lifetimes and its operational impact

By the numbers:

  • The CA/B Forum approved a phased reduction in public SSL/TLS certificate validity from 398 days to 47 days by 2029.
  • Domain control validation reuse will shrink from 398 days to 10 days by 2028.

Questions worth separating out

Q: How should security teams implement certificate automation in mixed environments?

A: Start with a full inventory of certificate-bearing systems, then group them by renewal method, ownership, and expiry criticality.

Q: Why do shorter certificate lifetimes matter for identity governance?

A: Shorter lifetimes matter because they reveal whether identity governance is actually operational or only documented.

Q: What breaks when certificate renewal is still handled manually?

A: Manual renewal breaks first at scale, then at speed.

Practitioner guidance

  • Map every certificate to an owner and service path Build a complete inventory of public and internal certificates, then attach each item to a named business owner, technical owner, and deployment location.
  • Automate issuance, renewal, and revocation together Do not automate renewal in isolation.
  • Segment public certificates from internal PKI exceptions Separate Internet-facing certificates that follow CA/B Forum timing from internal PKI assets that use different policies.

What's in the full article

GlobalSign's full article covers the operational detail this post intentionally leaves for the source:

  • A phased implementation timeline for the 398-day, 200-day, and 47-day certificate validity changes.
  • Comparisons of ACME, managed PKI, and internal PKI approaches for different infrastructure patterns.
  • Special-case handling for OV and EV certificates, including annual subject identity validation.
  • Practical guidance for non-browser clients such as VPNs, IoT devices, and legacy applications.

👉 Read GlobalSign's analysis of the move to 47-day SSL/TLS certificates →

47-day certificate lifetimes: what IAM teams need to know?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

Certificate lifecycle is becoming an identity governance problem, not just a browser policy issue. Once validity windows fall to 47 days, teams that treat certificates as static infrastructure assets will lose operational control. The real challenge is proving ownership, enforcing renewal, and linking certificates to accountable workflows across human and machine identity programmes. Practitioners should manage certificates as governed identities with lifecycle states, not as background plumbing.

A question worth separating out:

Q: Who is accountable when certificate expiry causes an outage or exposure?

A: Accountability should sit with the service owner, security owner, and platform owner together, because certificate failure is usually a shared governance problem. Frameworks such as NIST SP 800-53 Rev 5 align well here, especially controls around access management, identification, authentication, and monitoring. Clear ownership prevents certificate risk from becoming everyone’s problem and therefore nobody’s job.

👉 Read our full editorial: Certificate lifetimes are shrinking to 47 days: IAM implications



   
ReplyQuote
Share: