SSL/TLS certificates on the way to 47 days: the new calendar that redefines web security until 2029

If keeping track of when SSL/TLS certificates expire already feels tiresome today, what arrives in 2029 is another level: the maximum lifetime will drop to just 47 days. This is not a rumor or a wild idea from one company, but a decision approved in the CA/Browser Forum, the "club" where the main certificate authorities and the big browsers sit.

The stated goal is to strengthen security, but the change will force many companies to review from top to bottom how they manage their certificates.

Where does the change come from and what is pursued?

This is not a new law or a government mandate. The move comes from the CA/Browser Forum, the group in which the large CAs (DigiCert, GlobalSign, Sectigo, etc.) sit alongside the Chrome, Firefox, Safari and Edge teams.

Apple set the ball rolling by proposing to drastically shorten certificate validity. Other voices from the sector then joined in, and the ballot passed without direct opposition.

On paper, the goals are quite reasonable:

  • Reduce the time during which the information in a certificate can go stale.
  • Minimize the window in which a compromised or mis-issued certificate remains usable. Revocation checking in browsers is unreliable in practice, so a short lifetime is the expiry mechanism that actually works.
  • Push the industry towards automation and eliminate the classic "our certificate expired and nobody noticed" incident.

The theory holds: shorter certificates, less exposure. How that lands in organizations with hundreds of services and teams is another matter.

The new calendar: from a year-plus down to a month and a half

Until now, the limit for publicly trusted server certificates has been 398 days. It is not eternity, but it leaves margin to plan renewals calmly. (The limit binds publicly trusted CAs; a private internal CA is not covered by the CA/Browser Forum rules, although the operational lessons below apply there too.)

With the ballot approved, a transition period begins with several key dates:

  • March 15, 2026: maximum certificate lifetime 200 days; maximum reuse of Domain Control Validation (DCV) results 200 days.
  • March 15, 2027: maximum lifetime 100 days; DCV reuse 100 days.
  • March 15, 2029: maximum lifetime 47 days; DCV reuse 10 days.

In practice, this means going from a little more than a year to a little more than a month and a half. On top of that, the proof that you really control the domain will have to be redone with a frequency that looks absurd from today's model: every 10 days by 2029, which in practice means validation must be automated along with issuance.

More security, yes; more operating pressure, too

On a small website hosted by a provider that already automates certificates, the user will hardly notice. The picture changes when we talk about:

  • Companies with many domains and subdomains spread across the Internet.
  • Hybrid environments with certificates on web servers, load balancers, firewalls, mail appliances, internal APIs, payment gateways, etc.

We already see expired certificates today on the sites of public bodies, banks and large companies. With 47-day validity every certificate is reissued at least eight times a year, so sticking to manual renewals, notification emails and spreadsheets is playing with fire.

Automation is no longer optional

The underlying message of the change is clear: the "someone writes the date on the calendar and gets on with it" model is dead.

To survive in a world of short-lived certificates you need to:

  • Use an automation protocol such as ACME (RFC 8555), popularized by Let's Encrypt and now supported by many commercial CAs.
  • Take advantage of cloud services that integrate issuance and automatic renewal for the resources they host.
  • Adopt centralized certificate management platforms that discover forgotten assets, monitor expirations and orchestrate renewals without going server by server by hand.

What should you start doing now?

Although the big cut comes in 2029, the first snip arrives in 2026. Three years sounds like a long time, but for a large organization it is tomorrow morning. It makes sense to prepare the ground with very specific steps:

Take real inventory

Know how many certificates there are, who issues them, where they are installed and when they expire. Certificate Transparency logs are a good starting point for the public ones, but they say nothing about where a certificate was deployed. What you don't see, you can't automate.

Reduce supplier dispersion

The fewer different issuers, the fewer variations to manage and the fewer surprises in the renewal process.

Start trying ACME and similar tools

You don't need to migrate everything at once, but start with less critical services so the full issuance and renewal cycle is proven to work without constant manual intervention. Decide early which ACME challenge each asset can complete: HTTP-01 needs the host reachable from the Internet on port 80, DNS-01 needs API access to the DNS zone and is the only option for wildcard certificates.

Review internal change processes

If each certificate has to pass through a change committee that meets once a month, the model is unsustainable with such short terms. Routine renewals will need to be treated as pre-approved standard changes: more agile procedures that are, at the same time, well documented.

Get monitoring in shape

Automatic alerts, centralized dashboards and notifications that leave room to react. Alert thresholds written in absolute days ("warn 30 days before expiry") stop making sense when the whole certificate lives 47 days; express them as a fraction of the certificate's lifetime instead. With windows of weeks, it is not worth trusting anyone to remember.
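The following script is an added example and is not from the original article or from any tool it names. It shows the two pieces a practitioner needs for the inventory and monitoring steps above using nothing but openssl: a listing of what is installed (subject and expiry per file) and an expiry check whose threshold scales with the policy lifetime. The certificates are constructed on the fly as stand-ins; the directory, the CN `example.test` and the function names are assumptions made here.

```shell
#!/bin/sh
# Added example: lifetime-relative expiry checks with plain openssl.
# All certificates below are self-signed throwaways constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Make a self-signed certificate valid for $2 days at path $1 (hypothetical CN).
make_cert() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$1.key" -out "$1" -days "$2" -subj "/CN=example.test" >/dev/null 2>&1
}

# Inventory: one tab-separated line per PEM file (path, subject, notAfter),
# the raw material for a central register of what is installed where.
inventory() {   # $1 = directory holding *.pem files
  for f in "$1"/*.pem; do
    printf '%s\t%s\t%s\n' "$f" \
      "$(openssl x509 -in "$f" -noout -subject)" \
      "$(openssl x509 -in "$f" -noout -enddate)"
  done
}

# Exit 0 when the certificate expires within $2 days.
# openssl -checkend returns 0 only if the cert is still valid at now+N seconds.
expires_within() {   # $1 = cert path, $2 = days
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Renewal rule relative to the policy ceiling: renew once less than a third of
# the maximum validity remains (the ratio ACME clients already use when they
# renew 90-day certificates 30 days out). For a 47-day ceiling that is 15 days.
renewal_due() {   # $1 = cert path, $2 = maximum lifetime in days under the policy
  expires_within "$1" $(( $2 / 3 ))
}

FRESH="$WORK/fresh.pem";   make_cert "$FRESH" 47   # just issued under the 2029 rule
MIDLIFE="$WORK/mid.pem";   make_cert "$MIDLIFE" 25 # stands in for a 47-day cert 22 days old
LATE="$WORK/late.pem";     make_cert "$LATE" 10    # 37 days old, inside the renewal window

inventory "$WORK"

# A fixed 30-day threshold alarms for most of a 47-day certificate's life;
# the lifetime-relative rule only fires when renewal is actually due.
for c in "$FRESH" "$MIDLIFE" "$LATE"; do
  if expires_within "$c" 30; then fixed="ALERT"; else fixed="ok"; fi
  if renewal_due "$c" 47;    then rel="RENEW";  else rel="ok";  fi
  printf '%s  fixed-30-day:%s  lifetime-relative:%s\n' "$(basename "$c")" "$fixed" "$rel"
done
```

The 25-day certificate is the interesting case: a monitor with the usual "30 days before expiry" rule already shows it in red, while under the 47-day ceiling it still has more than a third of its life left and no action is due. The same script run against a real directory of PEM files (drop the `make_cert` lines) gives a first inventory without installing anything.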

A necessary discomfort… and an opportunity

From a security point of view, the move makes sense: if something breaks or is compromised, the certificate had better have a short life. From the point of view of day-to-day operations, it is an additional headache that will force investment of time, money and effort in tools and processes.

The good part is that it can serve as an excuse to bring order to an area that many organizations have been improvising on the fly. Whoever uses this change to clean up, unify and automate will emerge stronger. Whoever keeps relying on manual tasks and email notifications will soon discover that 47 days in production go by in a flash.