NHI Forum
Read full article from CyberArk here: https://www.cyberark.com/resources/all-blog-posts/47-day-tls-certificates-whats-changing-and-how-to-prepare/?utm_source=nhimg
The world of digital trust is about to change forever. Beginning in March 2026, the validity of public TLS certificates will shrink dramatically — first
to 200 days, then 100 days, and ultimately 47 days by March 2029. This shift, led by the CA/Browser Forum, marks one of the most significant
changes in modern cybersecurity and digital identity management in over a decade.
Why the 47-Day TLS Certificate Mandate Matters
For years, organizations relied on long-lived TLS certificates that lasted more than a year, allowing manual renewals and predictable maintenance
cycles. But as certificate lifespans shrink, renewal volumes will surge by more than 12x, creating an unprecedented operational challenge.
Manual tracking through emails, spreadsheets, or ticketing systems simply won’t scale. Already, 83% of enterprises report experiencing at least
one certificate-related outage — a figure likely to skyrocket under the new regime.
Missed renewals won’t just cause outages; they’ll lead to compliance failures, security exposures, business disruptions, and reputational damage.
The question every CISO and DevSecOps leader must now ask:
“Can your organization maintain digital trust when certificates expire almost as quickly as they’re issued?”
The Security Logic Behind Short-Lived Certificates
Despite the operational burden, the shortened lifespan has strong security benefits. Short-lived TLS certificates shrink the window in which a
compromised private key can be exploited, limiting how long an attacker can use it. They also accelerate adoption of quantum-resistant encryption
and emerging cryptographic standards by forcing earlier rotations.
In addition, shorter lifespans improve global certificate hygiene — enabling faster transitions when certificate authorities (CAs) are distrusted or
new policies are introduced, strengthening the entire trust ecosystem.
The Cost of Falling Behind
Organizations that fail to adapt risk more than downtime.
- Outages increase: Even one expired certificate can bring down business-critical systems.
- Costs rise: Manual renewals and incident response drain resources.
- Audits fail: Missing proof of lifecycle control leads to compliance gaps.
- Reputation declines: Publicized outages erode customer trust and brand credibility.
With renewal cycles shrinking to weeks, the margin for human error disappears — making automation and continuous visibility an absolute necessity.
How to Prepare: The 47-Day Certificate Automation Playbook
CyberArk’s 47-Day Certificate Automation Playbook provides a clear roadmap for readiness, helping enterprises shift from reactive firefighting to proactive certificate lifecycle management. It focuses on four key steps:
- Discover and assess all public TLS certificates – Build a complete inventory to identify risks and unmanaged certificates.
- Assign ownership and enforce consistent policy – Define accountability to prevent orphaned or untracked certificates.
- Automate renewals at scale – Replace manual processes with automation tools that ensure timely, error-free renewals.
- Monitor, report, and prove compliance – Maintain real-time visibility and demonstrate lifecycle control to auditors.
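An added example, not from the CyberArk article or playbook: a triage pass over a certificate inventory that covers the discovery, ownership and monitoring steps above. The inventory schema, the hostnames, the two-thirds renewal point and the exact phase dates (the article gives only March 2026 and March 2029) are assumptions.

```python
from datetime import date, timedelta

# Maximum validity by issuance date. The 200/100/47-day caps are from the
# article; the day of the month and the March 2027 step are assumptions.
PHASES = [
    (date(2029, 3, 15), 47),
    (date(2027, 3, 15), 100),
    (date(2026, 3, 15), 200),
    (date.min, 398),  # assumed cap before the first reduction
]

def max_validity_days(issued):
    """Return the lifetime cap that applies to a certificate issued on `issued`."""
    for start, cap in PHASES:
        if issued >= start:
            return cap

def triage(cert, today, renew_fraction=2 / 3):
    """Return the findings for one inventory record (hypothetical schema)."""
    findings = []
    lifetime = (cert["not_after"] - cert["not_before"]).days
    if not cert.get("owner"):
        findings.append("no-owner")        # orphaned certificate, nobody renews it
    if lifetime > max_validity_days(cert["not_before"]):
        findings.append("exceeds-cap")     # longer-lived than policy allows
    if today > cert["not_after"]:
        findings.append("expired")
    elif today >= cert["not_before"] + timedelta(days=int(lifetime * renew_fraction)):
        findings.append("renew-now")       # past the assumed renewal point
    return findings

# Constructed sample inventory; hostnames and owners are made up.
INVENTORY = [
    {"cn": "shop.example.com", "owner": "web-team",
     "not_before": date(2029, 4, 1), "not_after": date(2029, 5, 18)},
    {"cn": "api.example.com", "owner": None,
     "not_before": date(2026, 4, 1), "not_after": date(2027, 4, 1)},
    {"cn": "old.example.com", "owner": "infra",
     "not_before": date(2029, 3, 20), "not_after": date(2029, 4, 30)},
]

def report(today):
    """Map each certificate name to its findings; clean certificates are omitted."""
    out = {c["cn"]: triage(c, today) for c in INVENTORY}
    return {cn: f for cn, f in out.items() if f}

if __name__ == "__main__":
    for cn, findings in report(date(2029, 5, 5)).items():
        print(cn, ", ".join(findings))
```

With a 47-day certificate the renewal point falls 31 days after issuance, which leaves roughly two weeks to notice and fix a failed renewal.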
Building Long-Term Readiness
The playbook also introduces a TLS Maturity Model, helping teams benchmark their current state, align executives on priorities, and measure
progress toward full automation.
Readiness requires collaboration between security, infrastructure, and operations teams, investment in automation, and continuous reporting.
Those who act early will not only comply with the mandate but also achieve faster cryptographic agility, stronger machine identity management,
and enhanced Zero Trust resilience.
The Future of Digital Trust
The transition to 47-day certificates isn’t merely a compliance deadline — it’s a strategic inflection point for identity security. Automation, visibility,
and lifecycle discipline will define which organizations maintain trust and uptime in a world where certificates expire every month.
To prepare, organizations can access CyberArk’s 47-Day Certificate Automation Playbook, run the free 47-Day Readiness Scan, and explore the
Digital Trust Resource Hub for expert frameworks and best practices.
The future of digital trust is short-lived — and only automated, AI-driven identity management can sustain it.