TL;DR: Shorter SSL/TLS certificate lifetimes are being positioned as a way to reduce compromise windows and force automation ahead of post-quantum cryptography, according to GlobalSign. The real issue is not the calendar change itself but whether PKI, rotation, and change-management processes can absorb frequent replacement without disruption.
NHIMG editorial — based on content published by GlobalSign: the shift to 47-day SSL/TLS certificates and what it means for PQC readiness
By the numbers:
- CA/B Forum voted in April 2025 to reduce certificate validity to 47 days by 2029.
Questions worth separating out
Q: How should security teams prepare for shorter certificate lifetimes in production environments?
A: Security teams should treat shorter certificate lifetimes as a lifecycle automation problem.
Q: Why do shorter certificate lifetimes matter for post-quantum cryptography readiness?
A: Shorter lifetimes matter because they rehearse the frequency and discipline needed for cryptographic migration.
Q: What breaks when certificate management is still handled manually?
A: Manual certificate management breaks first at scale and then at speed.
Practitioner guidance
- Build a complete certificate inventory Map every SSL/TLS certificate, issuing CA, renewal owner, deployment location, and application dependency, including certificates embedded in CI/CD pipelines and cloud services.
- Automate renewal before validity shortens further Replace ticket-driven renewals with automated issuance and replacement workflows so short-lived certificates can renew without outages or manual exceptions.
- Create a cryptographic migration runbook Document how your environment will move from classical algorithms to post-quantum options, including test plans, fallback procedures, and trust-store updates.
What's in the full article
GlobalSign's full article covers the operational detail this post intentionally leaves for the source:
- The CA/Browser Forum rationale behind the 47-day timetable and how browser and CA policy changes drive the shift.
- The article's discussion of how shorter lifetimes support a smoother transition to post-quantum cryptography.
- The practical case made for automation as the only realistic way to manage frequent certificate renewal.
- The vendor's view of how shorter certificate validity changes organisational readiness for future cryptographic standards.
👉 Read GlobalSign's analysis of 47-day certificates and post-quantum readiness →
47-day certificates and PQC readiness: what changes for PKI teams?
Explore further
Shorter certificate lifetimes are a machine-identity governance shift, not just a PKI tuning exercise. Certificates function as non-human identities for workloads, services, and applications, which means lifespan changes alter access governance, not only renewal frequency. When validity contracts, the organisation is being pushed toward lifecycle discipline, ownership clarity, and automation. The practitioner takeaway is that certificate policy is now part of identity governance, not an isolated infrastructure setting.
A question worth separating out:
Q: Who is accountable for certificate rotation and cryptographic migration?
A: Accountability should sit with the service owner, supported by security, platform, and PKI teams. Certificate rotation is not just an infrastructure task, because it affects workload identity, application uptime, and future algorithm change. Governance works when ownership is explicit and the migration plan is part of normal operational control, not a one-off emergency project.
👉 Read our full editorial: Certificate lifetimes, cripto-agility, and the PQC transition