Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

47-day TLS certificates: are your lifecycle controls ready?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: The CA/Browser Forum has approved a schedule that cuts TLS certificate lifetimes from 398 days to 47 days by 2029, while reusing validation data for just 10 days, according to DigiCert. Manual certificate operations will not scale, and lifecycle automation becomes the deciding control for reliability and trust.

NHIMG editorial — based on content published by DigiCert: TLS Certificate Lifetimes Will Officially Reduce to 47 Days

By the numbers:

Questions worth separating out

Q: How should security teams prepare for shorter TLS certificate lifetimes?

A: Security teams should treat shorter TLS lifetimes as a lifecycle automation project, not just a renewal-date change.

Q: Why do shorter certificate lifetimes increase operational risk before they reduce trust risk?

A: Shorter lifetimes reduce the time a stale certificate can remain in circulation, but they also compress the window for human action.

Q: What breaks when certificate lifecycle management is still manual?

A: Manual certificate management breaks when ownership, validation evidence, and renewal timing are spread across people and tools that do not share a single control plane.

Practitioner guidance

  • Inventory every production certificate and its owner Build a complete inventory that maps each certificate to a business owner, technical owner, renewal path, and dependency chain.
  • Automate issuance and renewal workflows Use policy-driven automation for certificate request, validation, issuance, and renewal so that production systems do not depend on manual revalidation before expiry.
  • Eliminate spreadsheet-based tracking Replace manual trackers with authoritative lifecycle tooling that can alert, renew, and audit certificate status across environments before validation windows close.

What's in the full article

DigiCert's full blog covers the operational detail this post intentionally leaves for the source:

  • Step-by-step interpretation of the 2026, 2027, and 2029 certificate lifetime changes for different certificate types
  • DigiCert's explanation of ACME, ARI, and certificate automation options for DV, OV, and EV workflows
  • The rationale behind Apple and CA/Browser Forum's revalidation timeline and why manual renewal becomes untenable
  • Practical commentary on how subscription pricing interacts with more frequent certificate replacement cycles

👉 Read DigiCert's explanation of the 47-day TLS certificate lifetime changes →

47-day TLS certificates: are your lifecycle controls ready?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Certificate lifecycle discipline is becoming a non-human identity control plane, not a back-office task. When TLS lifetimes drop from hundreds of days toward 47 days, certificate management stops being periodic maintenance and becomes continuous governance. That change matters because the operational unit is no longer the individual certificate, but the repeatable process that provisions, renews, and retires trust artifacts across environments. Practitioners should treat certificate governance as a core NHI lifecycle function, not a support function.

A few things that frame the scale:

  • 69% of organisations now have more machine identities than human ones, according to The Critical Gaps in Machine Identity Management report.
  • 61% rely on spreadsheets or manual tracking for machine identity management, which helps explain why tighter certificate lifetimes expose governance debt so quickly.

A question worth separating out:

Q: Which controls matter most when certificate validation reuse is shortened?

A: The most important controls are authoritative inventory, automated revalidation, and alerting that triggers before reuse windows expire. Teams also need exception handling for systems that cannot be changed quickly. Without those controls, validation data becomes stale faster than operators can safely rely on it.

👉 Read our full editorial: TLS certificate lifetimes fall to 47 days: automation becomes mandatory



   
ReplyQuote
Share: