TL;DR: Apple’s proposed CA/Browser Forum changes would cut the maximum TLS certificate lifetime to 47 days by 2029 and shrink the validation reuse window to 10 days over the same period, which DigiCert argues makes manual certificate operations unsustainable. The practical shift is from tracking certificates to automating their full lifecycle, because outage risk rises whenever request, validation, or installation still depends on a person acting in time.
NHIMG editorial — based on content published by DigiCert: 47 Days: The New Certificate Lifetime Proposed by Apple
By the numbers:
- The current maximum lifetime of a TLS certificate is 398 days.
- As of March 15, 2029, TLS certificate lifetime SHOULD NOT exceed 46 days and MUST NOT exceed 47 days.
- As of March 15, 2029, validation reuse for domain name and IP address validation MUST NOT exceed 10 days.
Questions worth separating out
Q: How should security teams prepare for shorter TLS certificate lifetimes?
A: Security teams should treat shorter TLS certificate lifetimes as an automation project, not a reminder problem.
Q: Why do shorter validation reuse windows create governance risk?
A: Shorter validation reuse windows create governance risk because they force organizations to re-prove domain and organizational identity far more often, while stale validation records can still look current in the inventory unless their age is tracked against the reuse window.
Q: What breaks when certificate management stays manual?
A: Manual certificate management breaks first at scale, when renewal volume outruns ticket handling, and then at the edges, where certificates with no clear owner or no place in the inventory expire unnoticed.
Practitioner guidance
- Inventory every certificate and its owner: build a live certificate register that records application owner, issuing CA, installation target, validity dates, and renewal method.
- Automate request-to-install workflows: use policy-driven automation for certificate request, validation, issuance, and installation so renewals never depend on manual ticket handling.
- Track validation evidence freshness: record the age of domain and organizational validation data alongside certificate expiry so that reuse windows are not silently exceeded at the next renewal.
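The three guidance items above describe what a certificate register has to hold and what it has to be checked for. The script below is an added example, not DigiCert's or NHIMG's code, showing those checks over a constructed inventory: it flags certificates whose lifetime exceeds the 47-day limit, certificates whose validation evidence will be older than the 10-day reuse window when the next renewal request is made, renewals that are already due, and certificates still renewed by hand together with the number of renewals per year that manual process would have to absorb. The register field names, the sample entries, and the assumption that a certificate is renewed once two thirds of its lifetime has elapsed are all the example's own.

```python
"""Policy checks over a certificate register (added example, constructed data).

Policy limits come from the proposal quoted above; the register layout,
the renewal timing rule and the sample inventory are assumptions.
"""
import math
from dataclasses import dataclass
from datetime import date, timedelta

MAX_LIFETIME_DAYS = 47          # MUST NOT exceed 47 days as of 2029-03-15
VALIDATION_REUSE_DAYS = 10      # validation reuse MUST NOT exceed 10 days
RENEW_AT_FRACTION = 2 / 3       # assumption: renew when 2/3 of lifetime has elapsed


@dataclass
class CertRecord:
    name: str
    owner: str
    issuing_ca: str
    target: str                 # where the certificate is installed
    not_before: date
    not_after: date
    validation_date: date       # when domain/org validation evidence was last obtained
    renewal_method: str         # "acme", "api" or "manual"

    @property
    def lifetime_days(self) -> int:
        return (self.not_after - self.not_before).days

    def renewal_due(self) -> date:
        """Date the next renewal request is expected to be made."""
        return self.not_before + timedelta(days=round(self.lifetime_days * RENEW_AT_FRACTION))


def renewals_per_year(lifetime_days: int) -> int:
    """How many renewals one certificate needs per year at the assumed cadence."""
    return math.ceil(365 / (lifetime_days * RENEW_AT_FRACTION))


def check_register(records, today: date):
    """Return (certificate name, finding) pairs for every policy problem found."""
    findings = []
    for r in records:
        if r.lifetime_days > MAX_LIFETIME_DAYS:
            findings.append((r.name, f"lifetime {r.lifetime_days}d exceeds {MAX_LIFETIME_DAYS}d limit"))
        # Validation evidence must still be inside the reuse window at the
        # moment of the renewal request; otherwise identity must be re-proven.
        age_at_renewal = (r.renewal_due() - r.validation_date).days
        if age_at_renewal > VALIDATION_REUSE_DAYS:
            findings.append((r.name, f"validation evidence {age_at_renewal}d old at renewal; revalidate first"))
        if r.renewal_due() <= today:
            findings.append((r.name, f"renewal due since {r.renewal_due()}"))
        if r.renewal_method == "manual":
            findings.append((r.name, f"manual renewal: {renewals_per_year(r.lifetime_days)} renewals/year"))
    return findings


# Constructed sample register; dates chosen so the policy is already in force.
TODAY = date(2029, 4, 1)
INVENTORY = [
    # 47-day cert on ACME; validation done at issuance, so it is stale by renewal time.
    CertRecord("www.example.com", "web-team", "ExampleCA", "lb-edge-01",
               date(2029, 3, 20), date(2029, 5, 6), date(2029, 3, 20), "acme"),
    # Legacy 398-day cert renewed by ticket; exceeds the limit and is overdue.
    CertRecord("legacy.example.com", "erp-team", "ExampleCA", "erp-app-02",
               date(2028, 6, 1), date(2029, 7, 4), date(2028, 6, 1), "manual"),
    # 47-day cert via CA API; validation refreshed 9 days before the renewal date.
    CertRecord("api.example.com", "platform", "ExampleCA", "api-gw-03",
               date(2029, 3, 28), date(2029, 5, 14), date(2029, 4, 19), "api"),
]

if __name__ == "__main__":
    for name, finding in check_register(INVENTORY, TODAY):
        print(f"{name}: {finding}")
```

Run as-is it reports one finding for www.example.com (revalidate before renewal), four for legacy.example.com (lifetime, revalidation, overdue, and two manual renewals a year), and none for api.example.com, whose validation evidence was refreshed inside the reuse window. The `renewals_per_year` figure is the number that matters for the thesis: at 47 days a single certificate needs a renewal roughly every month, so a register full of `manual` entries is a list of future outages rather than a control.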
What's in the full article
DigiCert's full article covers the operational detail this post intentionally leaves for the source:
- The phased timeline for certificate lifetime and validation reuse changes across 2026, 2027, and 2029
- The specific certificate request, validation, and installation steps that teams should automate first
- The ACME protocol and lifecycle management capabilities DigiCert cites for scaling certificate operations
- The practical impact on organizations that still rely on manual certificate tracking and renewals
👉 Read DigiCert's analysis of Apple's proposed TLS certificate lifetime changes →