TL;DR: The CA/Browser Forum has approved a schedule that cuts the maximum TLS certificate lifetime from 398 days to 47 days by 2029 and limits reuse of domain validation data to 10 days, according to DigiCert. Manual certificate operations will not scale to that cadence, and lifecycle automation becomes the deciding control for reliability and trust.
NHIMG editorial — based on content published by DigiCert: TLS Certificate Lifetimes Will Officially Reduce to 47 Days
By the numbers:
- From today until March 15, 2026, the maximum lifetime for a TLS certificate is 398 days.
- As of March 15, 2029, the maximum lifetime for a TLS certificate will be 47 days.
- As of March 15, 2029, the maximum period during which domain validation information may be reused is 10 days.
Questions worth separating out
Q: How should security teams prepare for shorter TLS certificate lifetimes?
A: Security teams should treat shorter TLS lifetimes as a lifecycle automation project, not just a renewal-date change.
Q: Why do shorter certificate lifetimes increase operational risk before they reduce trust risk?
A: Shorter lifetimes reduce the time a stale certificate can remain in circulation, but they also compress the window for human action.
Q: What breaks when certificate lifecycle management is still manual?
A: Manual certificate management breaks when ownership, validation evidence, and renewal timing are spread across people and tools that do not share a single control plane.
Practitioner guidance
- Inventory every production certificate and its owner: Build a complete inventory that maps each certificate to a business owner, technical owner, renewal path, and dependency chain.
- Automate issuance and renewal workflows: Use policy-driven automation for certificate request, validation, issuance, and renewal so that production systems do not depend on manual revalidation before expiry.
- Eliminate spreadsheet-based tracking: Replace manual trackers with authoritative lifecycle tooling that can alert, renew, and audit certificate status across environments before validation windows close.
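A readiness check for the guidance above, written as an added example (not DigiCert's or NHIMG's code): it audits an inventory against the 47-day and 10-day limits that apply from March 15, 2029. The record schema, the "automated"/"manual" labels, the two-thirds renewal point and the sample inventory are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from math import ceil

MAX_LIFETIME_DAYS = 47    # cap as of March 15, 2029 (from this page)
MAX_DCV_REUSE_DAYS = 10   # validation reuse limit from the same date (from this page)
RENEW_FRACTION = 2 / 3    # assumption: renew after two thirds of the lifetime

@dataclass
class CertRecord:          # hypothetical inventory schema
    name: str
    business_owner: str
    technical_owner: str
    renewal_path: str      # "automated" or "manual" (labels assumed here)
    not_before: date
    not_after: date
    last_validated: date   # when domain validation evidence was collected

def findings(c: CertRecord, today: date) -> list[str]:
    """Gaps that would block this certificate under the 2029 limits."""
    out = []
    if not (c.business_owner and c.technical_owner):
        out.append("missing owner")
    lifetime = (c.not_after - c.not_before).days
    if lifetime > MAX_LIFETIME_DAYS:
        out.append(f"lifetime {lifetime}d exceeds {MAX_LIFETIME_DAYS}d cap")
    if c.renewal_path != "automated":
        out.append("manual renewal path")
        if (today - c.last_validated).days > MAX_DCV_REUSE_DAYS:
            out.append("manual revalidation needed before next issuance")
    return out

def renew_on(c: CertRecord) -> date:  # renewal start, capped at the 47-day lifetime
    lifetime = min((c.not_after - c.not_before).days, MAX_LIFETIME_DAYS)
    return c.not_before + timedelta(days=int(lifetime * RENEW_FRACTION))

def issuances_per_year(lifetime_days: int) -> int:  # renewal events per certificate
    return ceil(365 / (lifetime_days * RENEW_FRACTION))

# Constructed sample inventory (names, owners and dates are made up).
TODAY = date(2029, 4, 5)
INVENTORY = [
    CertRecord("api.example.test", "payments", "platform-team", "automated",
               date(2029, 4, 1), date(2029, 5, 18), date(2029, 3, 28)),
    CertRecord("legacy.example.test", "", "ops", "manual",
               date(2029, 1, 10), date(2029, 4, 20), date(2028, 12, 20)),
]
for cert in INVENTORY:
    print(cert.name, renew_on(cert), findings(cert, TODAY) or "ready")
```

Under the assumed two-thirds renewal point, `issuances_per_year` gives 2 events per certificate at a 398-day lifetime and 12 at 47 days, which is the workload increase that manual tracking has to absorb.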
What's in the full article
DigiCert's full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step interpretation of the 2026, 2027, and 2029 certificate lifetime changes for different certificate types
- DigiCert's explanation of ACME, ARI, and certificate automation options for DV, OV, and EV workflows
- The rationale behind Apple's and the CA/Browser Forum's revalidation timeline and why manual renewal becomes untenable
- Practical commentary on how subscription pricing interacts with more frequent certificate replacement cycles