Key Takeaways
- Managing SSL certificates at scale requires automated renewal to prevent outages, reduce exposure, and stay ahead of the incoming 47-day validity lifecycle.
- Major browser vendors have unanimously backed the move to 47-day certificates, making this one of the most unified positions the CA/Browser Forum has ever taken.
- Shorter lifetimes limit the window attackers have to exploit a breach and force unmanaged certificates out of hiding before they become a liability.
- A certificate that expires every 47 days cannot be quietly forgotten. It either gets renewed or it stops working.
Shorter renewal cycles will surface gaps that longer validity periods have allowed to go unnoticed. - Visibility, automation, monitoring, governance, and scalability are the five areas organizations need to address before the first deadline hits.
Expired SSL certificates cause outages, break API connections, and erode customer trust. With validity periods shortening to just 47 days in the next few years, the volume of renewals is increasing faster than most teams can manage manually. Automating SSL certificate renewal is the most reliable way to eliminate that risk at scale.
Validity periods matter because a certificate that lasts too long is a security liability. Compromised keys can go undetected, outdated encryption can linger, and abandoned certificates can be exploited. Shorter lifetimes reduce that risk.
What Is the Maximum SSL Certificate Lifetime?
The current maximum validity period for an SSL certificate is 398 days, roughly 13 months. The extra days beyond 365 are simply a practical buffer, giving website owners time to renew before the old certificate expires.
This has been the industry standard since 2020, when Apple unilaterally enforced it through Safari, and the rest of the browser market followed. If a certificate is issued with a longer lifespan than 398 days, major browsers will reject it outright, regardless of which certificate authority issued it.
For now, 398 days is the ceiling. But that is changing fast. The industry is already moving toward significantly shorter lifetimes, and the timeline is more aggressive than most businesses realise.
What’s Coming Next: The Move to 47-Day Certificates
Apple’s Proposal and the CA/B Forum Vote
In 2025, Apple proposed dramatically reducing the maximum SSL certificate lifetime. The CA/Browser Forum, the industry’s governing body for certificate standards, voted to adopt it. All four major browser vendors, Apple, Google, Mozilla, and Microsoft, were in favour, making it one of the most unified positions the forum has ever taken. That level of consensus is rare and signals that this is not a proposal that will be walked back.
The proposal sets out a phased reduction in maximum certificate lifetimes, gradually bringing them down to just 47 days by 2029. The message from the browser vendors is clear: the era of long-lived certificates is over, and businesses need to start preparing for a world where certificates expire and renew far more frequently than they do today.
The Phased Reduction Timeline
The reduction does not happen overnight. The CA/Browser Forum has set out a staged timeline to give businesses and certificate authorities time to adapt. Maximum certificate lifetimes will drop to 200 days by March 2026, then to 100 days by March 2027, and finally to 47 days by March 2029. Each stage effectively forces organizations to renew certificates more frequently, with the end goal of a web where certificates are short-lived and continuously rotated.
The window to prepare is now. The staged timeline is not a reason to wait, it is an opportunity. Organizations still operating on longer renewal cycles have time to adapt gradually, and those that use it wisely will be far better positioned than those that wait for the 47-day deadline to force their hand.
Industry Pushback and Concerns
Not everyone welcomed the change. Many businesses, particularly those managing large numbers of certificates across complex infrastructure, raised concerns about the operational burden.
Renewing certificates every 47 days manually is not realistic at scale, and for organizations without automation already in place, the timeline feels aggressive. Certificate authorities also raised concerns about the cost and complexity of processing significantly higher volumes of renewals.
The practical reality is that most enterprise environments were not built with this frequency in mind. Security teams are already stretched, and adding a dramatically higher volume of renewal tasks to existing workloads without additional tooling is not sustainable.
The underlying concern is not whether shorter lifetimes are the right direction, but whether the infrastructure most businesses rely on today is anywhere near ready to support them.
Organizations still relying on manual renewal workflows will need to move quickly. Certificate automation is no longer an optional upgrade; for many teams, it is fast becoming a compliance requirement.
Why Shorter Certificate Lifetimes Improve Security
The push toward shorter certificate lifetimes is not simply a bureaucratic exercise. Shorter lifetimes have security benefits that touch on some of the most persistent vulnerabilities in how organizations manage their Public Key Infrastructure (PKI) today.
Reducing the Compromised Key Exposure Window
A private key is the cryptographic credential that proves a server is who it claims to be; if an attacker gets hold of it, they can impersonate your site or intercept encrypted traffic without triggering any visible warning. When a private key is compromised, the damage it can do is directly tied to how long the associated certificate remains valid and trusted.
A certificate with a year-long lifespan gives attackers an extended window to exploit a stolen key before it is rotated out. Shorter validity periods close that window. To reduce this risk, implement automated key rotation and enforce lifecycle policies that align renewal frequency with your organization’s threat exposure.
Even if a key is compromised, the certificate it belongs to will expire and be replaced far sooner, limiting the potential impact of any breach. For industries operating under strict compliance frameworks such as PCI DSS or HIPAA, that reduced exposure window also has direct implications for audit readiness and regulatory standing.
Limiting Stale and Orphaned Certificates
Large organizations frequently lose track of certificates. Systems are decommissioned, teams change, and documentation lapses. In multi-cloud environments, where certificates are scattered across AWS, Azure, and Google Cloud, the problem compounds quickly. The result is orphaned certificates that no one is actively managing. A Ponemon Institute study found that more than half of surveyed organizations had experienced a security incident or data breach tied to digital certificate compromise.
Shorter validity periods act as a natural forcing function. A certificate that expires every 47 days cannot be quietly forgotten; it either gets renewed or it stops working. That visibility, while operationally demanding, is precisely the point. It also creates a natural audit trail, giving security teams documented evidence of every renewal cycle across the organization.
As the industry transitions toward post-quantum cryptography, the ability to rotate certificates quickly will be essential. Getting ahead of it starts with knowing what you have, and certificate discovery is where that process begins.
Should You Switch to Shorter Certs Now?
Moving to shorter certificate lifetimes before they are mandated gives your team time to identify renewal gaps, build automation gradually, and resolve infrastructure issues on your own terms. The CA/Browser Forum’s staged timeline is deliberately paced because the industry knows this transition takes time.
NIST’s TLS certificate management guidance has long recommended treating certificate management as a formal program with executive accountability. The organizations that already operate that way will find this transition considerably smoother.
How to prepare for the industry shift
Preparing for shorter certificate lifetimes comes down to five key areas: visibility, automation, monitoring, governance, and scalability.
Achieve Complete Visibility Across Every Environment
Without a centralized inventory lending visibility across every cloud environment, exposure is inevitable. A certificate audit starts with discovery. That means scanning across domains, subdomains, internal systems, cloud environments, and any third-party services your infrastructure touches.
Many organizations find this process surfaces certificates they did not know existed, including expired ones sitting on forgotten servers. NIST SP 1800-16 identifies comprehensive certificate inventory and ownership tracking as the foundation of any effective certificate management lifecycle program. Automated certificate discovery makes this significantly faster and more reliable than manual scanning.
From Manual to Automated Renewals
Manual, calendar-driven renewal workflows will not hold up at 47-day cycles, and when they fail, services go down. Certificate automation removes the human dependency from the renewal process entirely, replacing helpdesk tickets with systems that monitor expiry dates, trigger renewals, and install new certificates without intervention.
For organizations managing hundreds or thousands of certificates across multiple environments, this is not a convenience, it is the only operationally viable path to compliance with shorter validity periods.
Never Miss an Expiry Again
Alerts need to reach the teams with enough lead time to act, because a missed notification should never become a downed service. Effective expiry monitoring means setting alerts weeks in advance, with escalating notifications if no action is taken. The right person receiving the right alert at the right time is what separates a routine renewal from an unplanned outage.
Monitoring needs to be centralized rather than distributed across individual team members or spreadsheets. A certificate lifecycle management solution provides that centralized view across every environment.
Establishing Clear Governance and Ownership
Clear ownership of who is responsible and what the renewal policy is keeps IT, DevOps, and security teams aligned rather than duplicating effort or passing the blame. Without defined governance, even the best monitoring setup breaks down when an alert arrives and no one knows whose job it is to act.
A five-tier approach to certificate lifecycle management gives teams a structured framework for assigning accountability at every stage of the certificate lifecycle.
Building for Scale from the Start
Processes need to be built to sustain continuous, high-frequency renewals so that certificate operations scale with the business rather than against it. The complexity of managing certificates multiplies quickly without the right infrastructure in place, especially when your organization is utilizing various tools.
Standardized CA integrations, automated issuance, and consistent deployment processes are what separate a certificate program that holds up under pressure from one that requires constant manual intervention to function.
The table below gives a practical breakdown of what readiness looks like across each area.
| Key Steps | Ensuring You Are Ready |
| Visibility |
|
| Automation |
|
| Monitoring |
|
| Governance & Ownership |
|
| Scalability |
|
Prepare for 47-Day Certificates with AppViewX
The 200-day deadline arrives in March 2026, with 47 days following in 2029. Organizations that start now have the time to build confidently, test thoroughly, and reach each milestone ahead of the curve rather than chasing it.
AppViewX helps organizations take control of their certificate environments before shorter lifetimes force the issue. From automated renewal and full inventory visibility to policy enforcement and multi-cloud support, AVX ONE is built to make the 47-day world manageable and the transition to it smooth.
Find out how AppViewX supports the full transition to 47-day certificates, or
book a demo and see it in action.
Tags
About the Author
