
47-day TLS certificates: what this means for trust operations


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8052
Topic starter  

TL;DR: WebPKI is moving toward 47-day TLS certificates and 10-day domain validation, forcing certificate renewals, validation, and resilience planning into a continuous operational model, according to DigiCert’s white paper preview of upcoming CA/Browser Forum changes. Manual certificate lifecycles are becoming a reliability risk, and automation now sits at the center of trust governance.

NHIMG editorial — based on content published by DigiCert: A Blueprint for the Next Generation of Digital Trust

By the numbers:

Questions worth separating out

Q: How should security teams prepare for shorter TLS certificate lifetimes?

A: Security teams should treat shorter TLS lifetimes as an operational redesign problem, not a certificate refresh task.

Q: Why do shorter certificate lifetimes increase operational risk?

A: Shorter lifetimes compress the window for renewal, validation, and error recovery.

Q: What breaks when certificate validation workflows are too slow?

A: Slow validation workflows create bottlenecks that delay issuance and increase the chance of failed renewals.

Practitioner guidance

  • Automate certificate renewal end to end: Remove manual renewal steps from every high-volume certificate path and enforce issuance through a repeatable workflow that can complete before expiry without human intervention.
  • Map every certificate to an accountable owner: Assign ownership for each certificate population, including dependencies on domain validation, revocation checking, and distribution services, so failures are traceable before expiry events.
  • Test validation and renewal at peak load: Simulate renewal bursts, validation retries, and service outages to confirm that certificate operations still succeed when change volume spikes beyond normal conditions.
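As an added worked example (not code from the post or from DigiCert), the Python script below puts numbers on the compressed window described in the Q&A and on the ownership and automation points in the guidance above. It takes a small constructed certificate inventory, computes when each renewal should start and how much time is left to detect and repair a failed renewal, and flags records with no accountable owner, a manual renewal path, too little room for retries, or a cached domain validation that has aged out by renewal time. The 47-day lifetime and 10-day domain validation figures are the post's; the renew-at-two-thirds policy, the minimum-retry threshold, the hostnames and the sample records are assumptions.

```python
"""Renewal-window assessment for short-lived TLS certificates.

Added example, not code from the post or from DigiCert. The 47-day certificate
lifetime and 10-day domain-validation reuse come from the post; the renewal
policy, retry threshold and sample inventory are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

CERT_LIFETIME_DAYS = 47       # from the post
DCV_REUSE_DAYS = 10           # from the post: domain validation is reusable for 10 days
RENEW_NUM, RENEW_DEN = 2, 3   # assumed policy: start renewal once 2/3 of the lifetime has elapsed
MIN_RETRIES = 2               # assumed threshold: at least two full retries must fit before expiry


@dataclass
class CertRecord:
    name: str
    owner: Optional[str]        # accountable owner; None means nobody is on the hook
    not_before: datetime
    not_after: datetime
    last_dcv: datetime          # when the domain was last validated
    renewal_path: timedelta     # wall-clock time for validation + issuance + rollout on this path
    automated: bool             # False means a human step sits in the renewal path


@dataclass
class Assessment:
    renew_at: datetime          # when the renewal attempt should start
    recovery_window: timedelta  # time left after renew_at to detect and fix a failed renewal
    retries_fit: int            # full renewal attempts that fit in the window after the first fails
    needs_fresh_dcv: bool       # whether the cached validation has aged out by renew_at
    flags: list = field(default_factory=list)


def assess(rec: CertRecord) -> Assessment:
    """Compute the renewal point, the recovery budget and the risk flags for one record."""
    lifetime = rec.not_after - rec.not_before
    # Integer arithmetic on timedelta keeps the renewal point exact (no float rounding).
    renew_at = rec.not_before + (lifetime * RENEW_NUM) // RENEW_DEN
    recovery_window = rec.not_after - renew_at
    # timedelta / timedelta gives a float ratio; subtract the first attempt to count retries.
    retries_fit = int(recovery_window / rec.renewal_path) - 1
    needs_fresh_dcv = (renew_at - rec.last_dcv) > timedelta(days=DCV_REUSE_DAYS)

    flags = []
    if rec.owner is None:
        flags.append("NO_OWNER")
    if not rec.automated:
        flags.append("MANUAL_RENEWAL")
    if retries_fit < MIN_RETRIES:
        flags.append("RECOVERY_WINDOW_TOO_SHORT")
    if needs_fresh_dcv:
        flags.append("REVALIDATION_REQUIRED")
    return Assessment(renew_at, recovery_window, retries_fit, needs_fresh_dcv, flags)


def assess_inventory(records):
    """Return {name: Assessment} for every record in the inventory."""
    return {rec.name: assess(rec) for rec in records}


def sample_inventory():
    """Constructed records: one legacy 90-day cert and two 47-day certs, all issued 2026-01-01."""
    issued = datetime(2026, 1, 1, tzinfo=timezone.utc)
    return [
        # Legacy 90-day cert renewed by a 7-day manual change process.
        CertRecord("legacy.example.test", "platform-team", issued,
                   issued + timedelta(days=90), issued, timedelta(days=7), automated=False),
        # The same manual process under the 47-day lifetime, and nobody owns the cert.
        CertRecord("portal.example.test", None, issued,
                   issued + timedelta(days=CERT_LIFETIME_DAYS), issued, timedelta(days=7), automated=False),
        # 47-day cert on an automated path that completes in two hours.
        CertRecord("api.example.test", "edge-team", issued,
                   issued + timedelta(days=CERT_LIFETIME_DAYS), issued, timedelta(hours=2), automated=True),
    ]


if __name__ == "__main__":
    for name, a in assess_inventory(sample_inventory()).items():
        print(f"{name}: renew at {a.renew_at:%Y-%m-%d %H:%M}, "
              f"{a.recovery_window.days}d{a.recovery_window.seconds // 3600}h recovery, "
              f"{a.retries_fit} retries fit, flags={a.flags or 'none'}")
```

Two things the arithmetic makes visible that the prose only asserts: the same 7-day manual process that leaves three retries on a 90-day certificate leaves one on a 47-day certificate, and under a 10-day validation reuse window any renewal that starts after day 10 has to redo domain validation, so validation time must be measured as part of the renewal path rather than assumed cached.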

What's in the full article

DigiCert's full blog covers the operational detail this post intentionally leaves for the source:

  • The white paper's architecture outline for scaling issuance systems to higher throughput without creating new failure points.
  • The vendor's description of multi-zone and multi-CDN delivery choices for certificate status and trust resilience.
  • The post's preview of AI-accelerated validation and ACME-based renewal mechanisms that support shorter lifetimes.
  • The post's discussion of post-quantum readiness in the trust stack and how it fits into the broader modernization plan.

👉 Read DigiCert's white paper on upgrading WebPKI for 10X scale →
