TL;DR: CA/B Forum policy will shorten public TLS certificate lifetimes from 398 days to 200 days in 2026, 100 days in 2027, and 47 days by 2029, compressing renewal windows and exposing manual lifecycle weaknesses, according to CyberArk. The real issue is not certificate duration itself, but whether identity governance can sustain continuous renewal, inventory, and ownership at machine scale.
NHIMG editorial — based on content published by CyberArk: TLS certificate lifetimes are shortening, and automation is the only scalable response
By the numbers:
- CA/B Forum policy will shorten public TLS certificate lifetimes from 398 days to 47 days by 2029.
- The first enforcement step in March 2026 will reduce maximum validity to 200 days.
Questions worth separating out
Q: How should security teams prepare for shorter TLS certificate lifetimes?
A: Security teams should inventory all public certificates, assign clear ownership, and automate discovery and renewal before the next validity reduction arrives.
Q: When does manual certificate renewal become a security risk?
A: Manual renewal becomes a security risk once the renewal cadence is too tight for spreadsheets, tickets, and ad hoc approvals to keep pace.
Q: What breaks when public TLS certificates are managed without automation?
A: What breaks first is consistency, then availability.
Practitioner guidance
- Map every public certificate to an owner and renewal path. Build a complete inventory of externally trusted certificates, then assign a named owner, renewal dependency, and escalation path for each one.
- Automate renewal before validity shortens again. Move public TLS renewal into a repeatable workflow that can handle discovery, policy checks, approval, and reissuance without manual ticket chasing.
- Measure renewal load against team capacity. Count the number of certificates renewed per month, the time required per renewal, and the proportion still handled manually.
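One way to put numbers on that last point, as an added example that is not CyberArk's or NHIMG's code: it takes a constructed inventory and estimates the monthly renewal load at each step of the schedule the post cites (398, 200, 100 and 47 days), along with the manual share and any certificate with no named owner. The renewal point (two thirds of validity) and the hours per manual renewal are assumptions.

```python
# Added example (not CyberArk's or NHIMG's code): estimate renewal load for a
# constructed certificate inventory under each step of the validity schedule.
# Assumption: each certificate is renewed once two thirds of its validity has
# elapsed (RENEW_AT), which leaves a buffer before expiry.
from dataclasses import dataclass
from typing import List, Optional

LIFETIMES_DAYS = {"today": 398, "2026": 200, "2027": 100, "2029": 47}
RENEW_AT = 2 / 3               # assumed renewal point, as a fraction of validity
DAYS_PER_MONTH = 365.25 / 12

@dataclass(frozen=True)
class Cert:
    name: str
    owner: Optional[str]       # None means no named owner: a governance gap
    automated: bool            # True if renewal runs through an automated workflow
    manual_hours: float        # hands-on time per renewal when done manually

# Constructed sample inventory; names and values are illustrative.
INVENTORY = [
    Cert("www.example.test", "web-team", True, 0.0),
    Cert("api.example.test", "platform", True, 0.0),
    Cert("legacy-vpn.example.test", "netops", False, 1.5),
    Cert("partner-sftp.example.test", None, False, 2.0),
]

def renewals_per_month(lifetime_days: int) -> float:
    """Renewals one certificate needs per month at the given maximum validity."""
    return DAYS_PER_MONTH / (lifetime_days * RENEW_AT)

def renewal_load(inventory: List[Cert], lifetime_days: int):
    """Return (total renewals/month, manual renewals/month, manual hours/month, manual share)."""
    per_cert = renewals_per_month(lifetime_days)
    manual = [c for c in inventory if not c.automated]
    total = len(inventory) * per_cert
    manual_count = len(manual) * per_cert
    manual_hours = sum(c.manual_hours for c in manual) * per_cert
    share = len(manual) / len(inventory) if inventory else 0.0
    return total, manual_count, manual_hours, share

def unowned(inventory: List[Cert]) -> List[str]:
    """Certificates with no named owner; these have no escalation path."""
    return [c.name for c in inventory if c.owner is None]

if __name__ == "__main__":
    for phase, days in LIFETIMES_DAYS.items():
        total, mc, mh, share = renewal_load(INVENTORY, days)
        print(f"{phase:>5} ({days:3d}d): {total:5.2f} renewals/mo, {mc:4.2f} manual, "
              f"{mh:5.2f} manual h/mo, manual share {share:.0%}")
    print("no owner:", unowned(INVENTORY))
```

Because the load scales linearly with 1/lifetime, the same inventory needs about 8.5 times as many renewals per month at 47 days as at 398 days, which is the gap the manual fraction has to absorb.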
What's in the full article
CyberArk's full research covers the operational detail this post intentionally leaves for the source:
- A renewal impact calculator that estimates the extra workload created by 47-day certificate lifecycles.
- A certificate automation readiness checklist for teams assessing current maturity and gaps.
- A white paper on certificate lifecycle change, CA distrust events, and cryptographic agility planning.
- A practical framework for scaling certificate governance across hybrid and multi-cloud environments.
👉 Read CyberArk's analysis of the 47-day TLS certificate lifecycle shift →
47-day TLS certificates: are your renewal controls ready yet?