47-day TLS certificates: what IAM and security teams need now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8534
Topic starter  

TL;DR: The CA/Browser Forum’s move from 398-day to 47-day TLS certificate lifespans will multiply renewal pressure and make manual certificate operations untenable for financial services, according to Keyfactor. The governance issue is bigger than renewal speed: certificate visibility, ownership, and rotation discipline become board-level identity controls when machine identities outnumber human ones.

NHIMG editorial — based on content published by Keyfactor: The Case for Certificate Automation in the 47-Day Era

By the numbers:

Questions worth separating out

Q: How should security teams handle certificate renewals when lifespans shrink to 47 days?

A: They should automate discovery, ownership, issuance, renewal, and revocation as a single lifecycle workflow.

Q: Why do short-lived TLS certificates create more operational risk for financial services?

A: Because certificates support authentication, transactions, and API trust, so every missed renewal can interrupt revenue-generating services.

Q: What breaks when certificate inventories are incomplete?

A: Automation becomes blind, because the system cannot renew or revoke what it cannot see.

Practitioner guidance

  • Automate certificate discovery and ownership mapping: Build a complete inventory of certificates across cloud, SaaS, DevOps, and partner integrations, and attach a named business owner to each trust path before renewal automation is expanded.
  • Replace spreadsheet renewals with event-driven workflows: Move renewal, rotation, and revocation into event-driven workflows that trigger before expiry, and add fallback paths for critical customer-facing systems where downtime is unacceptable.
  • Tie certificate governance to audit evidence: Record renewal timestamps, key management actions, third-party dependencies, and exception handling so compliance teams can prove control over the full lifecycle, not just the certificate count.
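As an added illustration of the three points above (example code, not Keyfactor's or NHIMG's), a small inventory check in Python: it shows how the renewal cadence changes when the lifetime drops from 398 to 47 days, blocks automation for certificates with no named owner, and emits one audit record per decision. Hostnames, owners, validity windows and the 14-day lead window are constructed assumptions.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class CertRecord:
    subject: str
    owner: Optional[str]  # named business owner; None marks an ownership gap
    not_before: datetime
    not_after: datetime

def renewals_per_year(lifetime_days: int, lead_days: int) -> int:
    """Renewals one trust path needs per year when renewed lead_days before
    expiry: the effective cadence is lifetime minus lead time."""
    cadence = lifetime_days - lead_days
    if cadence <= 0:
        raise ValueError("lead time must be shorter than the certificate lifetime")
    return math.ceil(365 / cadence)

def triage(inventory, now: datetime, lead_days: int) -> list:
    """Pick an action per certificate and emit one audit record per decision.
    Unowned certificates are blocked from automation, not silently renewed."""
    records = []
    for c in inventory:
        remaining = (c.not_after - now).days
        if c.owner is None:
            action, reason = "block", "no named owner; trust path is ungoverned"
        elif remaining < 0:
            action, reason = "revoke_and_reissue", f"expired {-remaining} days ago"
        elif remaining <= lead_days:
            action, reason = "renew", f"{remaining} days left, inside {lead_days}-day lead window"
        else:
            action, reason = "none", f"{remaining} days left"
        records.append({"checked_at": now.isoformat(), "subject": c.subject,
                        "owner": c.owner, "action": action, "reason": reason})
    return records

# Constructed sample inventory: hypothetical hostnames, owners and validity windows.
UTC = timezone.utc
NOW = datetime(2025, 2, 20, tzinfo=UTC)
INVENTORY = [
    CertRecord("api.example.test", "payments-platform", datetime(2025, 2, 1, tzinfo=UTC), datetime(2025, 3, 20, tzinfo=UTC)),
    CertRecord("login.example.test", "identity-eng", datetime(2025, 1, 10, tzinfo=UTC), datetime(2025, 2, 26, tzinfo=UTC)),
    CertRecord("legacy-batch.example.test", None, datetime(2025, 1, 1, tzinfo=UTC), datetime(2025, 3, 1, tzinfo=UTC)),
    CertRecord("partner-sftp.example.test", "treasury-ops", datetime(2025, 1, 1, tzinfo=UTC), datetime(2025, 2, 17, tzinfo=UTC)),
]

if __name__ == "__main__":
    print(renewals_per_year(398, 30), renewals_per_year(47, 30))
    for r in triage(INVENTORY, NOW, 14): print(r)
```

With a fixed 30-day lead time, a 398-day certificate needs one renewal a year while a 47-day certificate needs 22, which is the cadence shift a spreadsheet process cannot keep up with.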

What's in the full article

Keyfactor's full blog covers the operational detail this post intentionally leaves for the source:

  • A practical view of how 47-day certificate lifecycles affect renewal cadence in financial services environments.
  • The article's breakdown of operational resilience impacts across payments, authentication, customer onboarding, and API ecosystems.
  • The source's guidance on certificate automation benefits, including renewals, rotations, revocations, and PQC preparation.
  • The article's board-level framing for cryptographic visibility, audit readiness, and business continuity.

👉 Read Keyfactor's analysis of certificate automation in the 47-day era →


(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 7990
 

47-day certificates turn renewal latency into identity risk: The industry is moving from annual certificate administration to monthly operational discipline, and that changes the failure model. Manual processes do not just become inefficient, they become structurally misaligned with the trust cadence that machine identities now require. The practitioner conclusion is simple: renewal delay is no longer a maintenance issue, it is a control failure.

A few things that frame the scale:

  • 69% of organisations now have more machine identities than human ones, according to the Ultimate Guide to NHIs.
  • 57% of organisations lack a complete inventory of their machine identities, which means discovery gaps still outpace governance in many environments.

A question worth separating out:

Q: Who is accountable when certificate-related outages occur?

A: Accountability should sit with the identity, infrastructure, and application owners who depend on the trust chain, not only with operations teams. Governance frameworks expect organisations to demonstrate control over inventories, expiry management, and third-party dependencies. If no owner can prove that control, the certificate estate is already outside effective governance.

👉 Read our full editorial: Certificate automation in the 47-day era: identity risk for CISOs
