TLS Certificate Lifetimes to Be Reduced to 47 Days by 2029

The CA/Browser Forum has officially approved a significant change that will affect the entire SSL/TLS ecosystem: the maximum validity of public TLS certificates will be shortened to 47 days by March 15, 2029. 

This update is part of a broader industry effort to improve digital security standards and reduce certificate-related vulnerabilities. As your trusted digital solution provider, WebNIC is here to help you prepare for this shift with the right tools and guidance.

Overview of the Change

The upcoming certificate lifespan reduction will take place in three key phases: 

Effective Date | New Maximum Certificate Validity
March 15, 2026 | 200 days
March 15, 2027 | 100 days
March 15, 2029 | 47 days

In addition, starting March 2029, the reuse period for Domain Control Validation (DCV) will be shortened to 10 days, down from the current 30 days. 

Validation Reuse Periods Are Also Being Shortened

In addition to the reduction in TLS certificate lifespans, the reuse period for domain, IP address, and identity validation information is also being shortened over the coming years. This will impact how often validations must be performed when issuing new certificates. 

Domain and IP Address Validation Reuse Timeline 

Effective Date | Maximum Reuse Period | Applies To
Until March 15, 2026 | 398 days | Domain and IP address validation
As of March 15, 2026 | 200 days | Domain and IP address validation
As of March 15, 2027 | 100 days | Domain and IP address validation
As of March 15, 2029 | 10 days | Domain and IP address validation

Why 47 Days?

The number 47 days might appear unusual at first glance, but it follows a deliberate pattern established by the CA/Browser Forum. This final validity period is a result of a cascading reduction approach designed to align with calendar-based management while ensuring enhanced security through more frequent validations. 

Here’s how the reduction timeline breaks down: 

Target Validity | Breakdown
200 days | 6 maximal months (184 days) + 1/2 30-day month (15 days) + 1 day wiggle room
100 days | 3 maximal months (92 days) + ~1/4 30-day month (7 days) + 1 day wiggle room
47 days | 1 maximal month (31 days) + 1/2 30-day month (15 days) + 1 day wiggle room

Why This Change Matters 

Shorter certificate lifespans are being introduced to: 

  • Strengthen security by reducing the window of exposure in case of certificate compromise 
  • Encourage automation for certificate management and renewal 
  • Improve certificate hygiene by limiting long-standing outdated or misconfigured certificates 

While this change enhances overall internet security, it also introduces operational challenges for website administrators, businesses, and certificate resellers. 

Will Frequent Replacements Cost More?

As a registrar working closely with certificate authorities, one of the most frequent questions we receive from customers is: 

“Will shorter certificate lifespans result in higher costs?” 

The good news is — no, it won’t. 

TLS certificates will continue to follow an annual subscription model, regardless of how frequently a certificate is reissued during that term. In other words, you are not charged per certificate issuance, but rather for the subscription period. Whether you issue one certificate or renew it every 47 days under automation, the cost remains the same. 

In fact, what we’ve seen in practice is that organizations that implement automation often choose to renew their certificates more frequently, not because they’re required to, but because the process is seamless and enhances security posture. 

Why Automation Will Become Essential

With certificate validity set to reduce to 100 days by 2027 and 47 days by 2029, manual certificate management will become unsustainable. Shorter lifespans reduce the margin for error, making it easier for expiration oversights to occur — potentially leading to service disruptions, security warnings, and loss of trust. 

As a result, we anticipate that automation will become the default approach for SSL/TLS management well before 2029. 

Major industry players, including Apple, have already endorsed automated certificate lifecycle management as a best practice. Fortunately, the tools needed to make that shift are already available and enterprise-proven. 
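
As an added example (not WebNIC or DigiCert code), the following Python sketch audits a certificate inventory against the phase schedule in the Overview table: it flags lifetimes that exceed the limit in force at issuance and shows which limit a replacement issued at expiry will fall under. The inventory is constructed, the 398-day limit for certificates issued before March 15, 2026 does not come from the validity table above, and the day-counting rule is an assumption of this example.

```python
import ssl
from datetime import datetime, timezone
from math import ceil

UTC = timezone.utc
# Phase schedule from the Overview table: (effective date, max validity in days).
PHASES = [
    (datetime(2026, 3, 15, tzinfo=UTC), 200),
    (datetime(2027, 3, 15, tzinfo=UTC), 100),
    (datetime(2029, 3, 15, tzinfo=UTC), 47),
]
PRE_PHASE_LIMIT = 398  # limit before March 15, 2026; not in the Overview table

def max_validity_days(issued):
    """Maximum validity allowed for a certificate issued at `issued`."""
    limit = PRE_PHASE_LIMIT
    for effective, days in PHASES:
        if issued >= effective:
            limit = days
    return limit

def parse_cert_time(value):
    """Parse a getpeercert()-style time such as 'Mar 15 00:00:00 2026 GMT'."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=UTC)

def audit(cert):
    """Check one certificate's lifetime against the phase in force at issuance."""
    not_before = parse_cert_time(cert["notBefore"])
    not_after = parse_cert_time(cert["notAfter"])
    # Assumption: notBefore..notAfter is inclusive and a partial day counts as a day.
    lifetime = ceil(((not_after - not_before).total_seconds() + 1) / 86400)
    next_limit = max_validity_days(not_after)  # limit for a replacement issued at expiry
    return {
        "name": cert["name"],
        "lifetime_days": lifetime,
        "limit_days": max_validity_days(not_before),
        "compliant": lifetime <= max_validity_days(not_before),
        "replacement_limit_days": next_limit,
        # Lower bound: assumes every certificate is used for its full lifetime.
        "min_issuances_per_year": ceil(365 / next_limit),
    }

# Constructed inventory (hypothetical names and dates, not real certificates).
INVENTORY = [
    {"name": "shop.example", "notBefore": "Jan 10 00:00:00 2026 GMT", "notAfter": "Feb 11 23:59:59 2027 GMT"},
    {"name": "api.example", "notBefore": "Apr  1 00:00:00 2027 GMT", "notAfter": "Oct 17 23:59:59 2027 GMT"},
    {"name": "login.example", "notBefore": "Mar 20 00:00:00 2029 GMT", "notAfter": "May  5 23:59:59 2029 GMT"},
]
if __name__ == "__main__":
    print(*map(audit, INVENTORY), sep="\n")
```

In practice the `notBefore` and `notAfter` strings would come from `ssl.SSLSocket.getpeercert()` or a certificate inventory export rather than a hard-coded list.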

Automation Solutions from DigiCert

As a trusted DigiCert platinum partner, WebNIC provides access to robust automation tools that help you manage SSL/TLS certificates more efficiently and securely. 

DigiCert Trust Lifecycle Manager (TLM) 

A unified platform that simplifies end-to-end certificate lifecycle management. 

Key features: 

  • Automated renewals, reissuance, and revocation 
  • Centralized visibility and real-time monitoring 
  • Built-in policy enforcement and compliance tracking 
     

CertCentral with ACME Protocol Support 

Ideal for DevOps and high-volume environments, CertCentral enables: 

  • Automated issuance of DV, OV, and EV certificates 
  • Support for ACME Renewal Information (ARI) to signal preferred renewal windows 
  • Seamless integration with your infrastructure and DevOps pipelines 

Looking Ahead

The move to shorter TLS lifespans represents a significant step forward in digital security, but it also brings operational challenges. For businesses managing multiple domains, especially at scale, now is the time to modernize. 

At WebNIC, we are committed to helping our partners transition smoothly and efficiently. Our platforms, tools, and team are fully equipped to ensure your certificate operations stay secure, scalable, and future-proof. 

To explore automation options or speak with a WebNIC expert, get in touch with us.