Introduction
The validity period for publicly trusted SSL/TLS certificates is set to be significantly reduced, with a final target of 47 days by March 15, 2029. This change, supported by major industry stakeholders, aims to enhance online security and improve certificate management practices [1] [2] [4] [6] [7] [9] [10].
Description
The maximum validity term for publicly trusted SSL/TLS certificates will be significantly reduced from 398 days to 47 days, effective March 15, 2029 [3] [7] [8]. This pivotal change [2], supported by major industry players such as Apple, Sectigo [3] [4], the Google Chrome team [3], and Mozilla [3], has received unanimous backing from the CA/Browser Forum (CAB Forum). The decision underscores the need for enhanced online security, improved automation in certificate management [4] [6] [7] [8] [9], and a proactive approach to risk management in response to evolving cyber threats.
The reduction in certificate lifespan will occur in three stages: first, the maximum lifespan will decrease to 200 days by March 15, 2026; next, it will further drop to 100 days by March 15, 2027; and finally, by March 15, 2029 [1] [3] [4] [5] [6] [7] [8] [10], certificates will be capped at 47 days [1] [4] [6], necessitating a monthly renewal cadence [10]. Additionally, the Domain Control Validation (DCV) reuse period will decrease to just 10 days by 2029 [7] [10], requiring more frequent domain validation to ensure that only legitimate domain owners can request certificates [7]. This adjustment will increase the workload for PKI and IT teams, emphasizing the need for a robust Certificate Lifecycle Management (CLM) strategy [7].
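The phased caps above can be checked against a certificate inventory. The following is an added example, not code from any of the cited sources: the host names and dates are constructed, and it assumes each cap applies to certificates issued on or after the stated date, that `notAfter` is inclusive with any partial day counted as a full day, and a renew-at-two-thirds-of-lifetime policy.

```python
import ssl
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
BASELINE_DAYS = 398  # cap before the first phase, as stated on the page
# (effective date, maximum validity in days), taken from the page's schedule
PHASES = [
    (datetime(2026, 3, 15, tzinfo=UTC), 200),
    (datetime(2027, 3, 15, tzinfo=UTC), 100),
    (datetime(2029, 3, 15, tzinfo=UTC), 47),
]

def parse_cert_time(text):
    """Parse the 'Mar 15 00:00:00 2029 GMT' form printed by openssl and ssl.getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=UTC)

def cap_for(when):
    """Cap for a certificate issued at `when` (assumption: on or after each phase date)."""
    cap = BASELINE_DAYS
    for effective, days in PHASES:
        if when >= effective:
            cap = days
    return cap

def validity_days(not_before, not_after):
    """Whole days of validity: notAfter is inclusive and a partial day counts as a full one."""
    seconds = int((not_after - not_before).total_seconds()) + 1
    return -(-seconds // 86400)  # ceiling division

def audit(cert):
    nb, na = parse_cert_time(cert["notBefore"]), parse_cert_time(cert["notAfter"])
    days = validity_days(nb, na)
    renew_by = nb + timedelta(days=days * 2 // 3)  # assumed policy: renew at 2/3 of lifetime
    return {"name": cert["name"], "days": days, "cap": cap_for(nb),
            "compliant": days <= cap_for(nb),
            "renew_by": renew_by.date().isoformat(), "next_cap": cap_for(renew_by)}

# Constructed inventory (hypothetical hosts and dates), not data from the page.
INVENTORY = [
    {"name": "legacy.example", "notBefore": "Jan 10 00:00:00 2026 GMT", "notAfter": "Feb 11 23:59:59 2027 GMT"},
    {"name": "late.example", "notBefore": "Apr  1 00:00:00 2026 GMT", "notAfter": "May  3 23:59:59 2027 GMT"},
    {"name": "exact47.example", "notBefore": "Mar 15 00:00:00 2029 GMT", "notAfter": "Apr 30 23:59:59 2029 GMT"},
    {"name": "offbyone.example", "notBefore": "Mar 15 00:00:00 2029 GMT", "notAfter": "May  1 00:00:00 2029 GMT"},
]

if __name__ == "__main__":
    for cert in INVENTORY:
        print(audit(cert))
```

The last entry shows the off-by-one case: a `notAfter` exactly 47 days after `notBefore` counts as 48 days under the inclusive convention and is flagged. `next_cap` shows that a certificate issued under the 398-day cap will be replaced under the 200-day cap.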
Shorter lifespans for certificates are designed to limit the potential for man-in-the-middle attacks and phishing attempts by significantly reducing the window of opportunity for attackers. This change also addresses the risks associated with outdated information regarding domain ownership and organizational control. Current certificate revocation mechanisms are deemed insufficient [1], and the shift to shorter durations will lessen reliance on these methods. Furthermore, this move is seen as a proactive step toward addressing future challenges posed by quantum computing [1], facilitating quicker adoption of stronger cryptographic algorithms [1].
In 2023, the CAB Forum approved even shorter-lived certificates that expire within 7 days [8], eliminating the need for Certificate Revocation Lists (CRL) or Online Certificate Status Protocol (OCSP) support [8]. The reduction in validity is expected to drive rapid adoption of automated Certificate Lifecycle Management tools and protocols like ACME, thereby reducing manual errors and promoting best practices within organizations [6].
As these new rules are phased in [9], certificate authorities [1] [2] [8] [9], security teams [2] [4], and IT administrators must rethink their strategies to accommodate the increased frequency of certificate renewals while maintaining operational efficiency [2]. Organizations will need to invest in automation [2], education [1] [2] [5] [6] [7] [9] [10], and process improvements to navigate this transition effectively [2], with certificate authorities playing a crucial role in supporting their customers through these changes [2].
The structure of the 47-day validity term includes 31 days for a maximal month, 15 days for half of a 30-day month [8], and 1 day of wiggle room [8]. The change reinforces the commitment to reducing risk and fostering a more resilient internet [2].
Conclusion
The impending reduction in SSL/TLS certificate validity periods will necessitate significant changes in how organizations manage their digital security infrastructure. By adopting shorter certificate lifespans [2], the industry aims to mitigate risks associated with cyber threats and outdated security information. Organizations must prepare for this transition by investing in automation and process improvements, ensuring they can efficiently manage the increased frequency of certificate renewals. This proactive approach will not only enhance security but also prepare the industry for future technological advancements, such as quantum computing [1] [4].
References
[1] https://cyberinsider.com/tls-certificate-lifespans-to-be-gradually-reduced-to-47-days-by-2029/
[2] https://securityboulevard.com/2025/04/the-future-of-digital-security-47-day-certificate-lifecycles-are-happening/
[3] https://nsaneforums.com/news/security-privacy-news/ssltls-certificate-lifespans-reduced-to-47-days-by-2029-r28733/
[4] https://www.sectigo.com/resource-library/sectigo-cab-reduce-ssl-tls-certificates-lifespan-47-days
[5] https://securityonline.info/ssl-certificate-validity-reduced-to-47-days-after-apple-proposal/
[6] https://www.infosecurity-magazine.com/news/digital-certificate-lifespans-fall/
[7] https://www.appviewx.com/blogs/its-official-ca-b-forum-votes-yes-to-47-day-tls-certificates/
[8] https://www.digicert.com/blog/tls-certificate-lifetimes-will-officially-reduce-to-47-days
[9] https://siliconangle.com/2025/04/14/ssl-tls-certificate-lifespans-reduced-47-days-2029-new-industry-standard/
[10] https://www.computerworld.com/article/3960658/vendors-vote-to-radically-slash-website-certificate-duration.html