Over the years, I’ve watched as SSL / TLS certificate validity periods have steadily shortened, each change pushing us toward stronger security practices. Now, with the Certificate Authority/Browser (CA/B) Forum’s latest decision to reduce certificate lifespans to just 47 days by 2029, we’re standing at the edge of another major shift, one that will dramatically change how we manage and maintain certificates moving forward.
What’s Changing?
Right now, public SSL / TLS certificates max out at 398 days. But in April 2025, Apple’s proposal to reduce this gradually down to 47 days was officially adopted by the CA/B Forum, with all four major browser vendors—Apple, Google, Mozilla, and Microsoft—voting in favor.
This also includes a reduction in the Domain Control Validation (DCV) reuse period, which will drop to just 10 days by March 2029. That means organizations will need to validate domains more frequently tightening the timeline across the entire certificate lifecycle.
The dates for implementation are as follows:
Why This Matters for IT Teams
If you manage certificates today, you know this shift isn’t just about security—it creates real operational challenges. The bottom line? Shorter certificate lifespans mean more frequent renewals, and if your team is still managing certs manually, you’re in for a tough time.
Talk through your challenges with our team today
Security Implications of Shorter Certificate Validity
The reduction of SSL / TLS certificate validity periods from 398 days to 47 days has several significant implications for web security:
- Reduced attack surface: Shorter lifespans mean less time for compromised certificates to be exploited.
- Improved security posture: Frequent renewals ensure certificates use the latest standards and configurations.
- Supports zero-trust principles: Regular renewals ensure trust is continuously validated.
But the operational impact can’t be ignored...
The Operational Challenge for IT Teams
While the security benefits of shorter certificate validity periods are the main driver for this shift, they also present significant operational challenges.
- More frequent renewals: Tracking and renewing certs every 47 days isn’t feasible without automation.
- Risk of human error: Manual processes are prone to missed renewals, outages, and compliance gaps.
- Higher resource demand: IT teams may need to allocate more staff, training, or tools to keep up.
- Impact across all businesses: Whether you're a large enterprise or a Small Medium Business (SMB), managing this shift requires a scalable approach.
The Next Steps: Getting Prepared for 47 Day Validity
2029 might seem a long way off, but there are important changes coming well before then. Being proactive now will help you avoid costly outages or last-minute scrambles.
It’s not just about shorter validity—it’s about modernizing how you manage certificates overall. Here’s how to start:
1. Get Visibility with a Certificate Inventory Audit
Make sure you know where all your certificates are. Gaps in your inventory create risk. Tools like Atlas Discovery can help provide a clear view of your certificate landscape.
2. Define Certificate Policies and Workflows
If you haven’t already, create a centralized policy that covers certificate issuance, renewal, revocation, and access control. Standardizing workflows helps teams coordinate and reduces inconsistencies across environments.
3. Adopt Automation Based on Your Needs
Look at what your infrastructure can support today, and what you'll need as certificate volumes grow. Whether you’re starting with ACME or moving toward a fully managed Public Key Infrastructure (PKI) solution, automation is essential for staying on top of renewals.
⚠️ Just a note: ACME is a great start for automating SSL / TLS issuance and renewal, but it’s not a complete lifecycle management solution. If you need end-to-end visibility, reporting, and policy enforcement, you’ll want a more advanced tool.
4. Monitor and Report Continuously
Use monitoring and alerting to stay ahead of expiring certificates and policy violations. Reporting is also key for audits, ISO compliance, and internal accountability.
5. Train Your Teams
Make sure your team understands the upcoming changes, and the tools and processes in place to support them. Awareness reduces errors—and helps everyone move faster.
Real-World Example: Micheldever Group Ltd
“The reason why we chose the ACME Solution was generally because of the way we can automate the renewal process.” Kevin Gosney, Infrastructure Engineer
As their Infrastructure Engineer Kevin Gosney explains, they needed a trusted PKI partner to support automation. By implementing ACME, they were able to issue, install, and renew certificates automatically minimizing manual work and maintaining compliance despite the shorter renewal cycle.
That’s a great step for smaller teams. But for larger enterprises with complex infrastructure, you’ll likely need something more robust.
Finding the Right Automation Solution
Your infrastructure, team size, and certificate volumes will shape the right solution for you.
- For some, a Managed PKI platform provides the visibility and control they need.
- For others—especially large enterprises—a tool like Certificate Automation Manager may be more appropriate to support large-scale, multi-domain environments.
Regardless of where you’re starting, the goal is the same: act now to reduce risk, avoid outages, and get ahead of the curve before the 47 day requirement becomes the norm.
Managing certificates doesn’t need to be a headache. Whether you’re looking to audit your current inventory, automate renewals, or deploy a full lifecycle management solution, we’re here to help.
Editor’s Note: This blog was originally published on October 16th 2024 but has since been updated to reflect industry changes and new insights.
