Three Must-Have Capabilities to Prepare for 47-Day TLS Certificates

Recently, the CA/Browser (CA/B) Forum approved Ballot SC-081v3, launching a gradual reduction of public TLS certificate lifespans—from today’s 398 days down to just 47 days by 2029. This landmark change ranks among the biggest in PKI in recent years and is already driving intense conversations about how reduced validity periods will reshape certificate lifecycle management (CLM) workloads and operations.

Here’s a breakdown of the TLS validity reduction timeline and the corresponding increase in CLM workload:

| Year | Max Validity | Renewal Frequency | Workload Increase |
| --- | --- | --- | --- |
| Now | 398 days | 1 renewal/year | |
| March 15, 2026 | 200 days | 2 renewals/year | |
| March 15, 2027 | 100 days | 4 renewals/year | |
| March 15, 2029 | 47 days | 12 renewals/year | 12× |

Essentially, by March 15, 2029, certificates will need to be renewed every month—a big shift from the once-a-year cadence that PKI and security teams are used to now.

And it’s not just the renewal frequency that’s changing. The domain validation reuse period will also shrink to just 10 days by 2029. This means PKI and security teams will need to perform domain validation more frequently and accurately to avoid certificate issuance delays.

Although this shift unfolds over the next four years, the initial reduction to 200-day certificates takes effect in less than a year from now, doubling your renewal workload almost immediately. Given the tight prep window, the sooner you start planning, the better prepared you will be to handle increased renewal workloads by next year (2026).
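The validity schedule in the table can be turned into a per-certificate renewal forecast. The following is an added example, not code from the article or from AppViewX; the hostnames, the 7-day renewal lead time, and the function names are assumptions made for illustration.

```python
from datetime import date, timedelta

# Caps from the article's table: (effective date, max validity in days).
# date.min stands in for "Now", the 398-day limit already in force.
SCHEDULE = [
    (date.min, 398),
    (date(2026, 3, 15), 200),
    (date(2027, 3, 15), 100),
    (date(2029, 3, 15), 47),
]

def max_validity(issued):
    """Longest lifetime allowed for a certificate issued on `issued`."""
    return [days for effective, days in SCHEDULE if issued >= effective][-1]

def project_renewals(not_after, horizon, lead_days=7):
    """Renew `lead_days` before each expiry (assumed policy), always asking
    for the longest lifetime allowed on that day. Returns a list of
    (issued, days, expires) tuples for renewals on or before `horizon`."""
    if not 0 <= lead_days < 47:
        raise ValueError("lead_days must be shorter than the shortest lifetime")
    events = []
    renew_on = not_after - timedelta(days=lead_days)
    while renew_on <= horizon:
        days = max_validity(renew_on)
        expires = renew_on + timedelta(days=days)
        events.append((renew_on, days, expires))
        renew_on = expires - timedelta(days=lead_days)
    return events

def renewals_per_year(events):
    """Count issuances per calendar year."""
    counts = {}
    for issued, _, _ in events:
        counts[issued.year] = counts.get(issued.year, 0) + 1
    return counts

# Constructed inventory: hostname -> current notAfter date.
INVENTORY = {
    "www.example.test": date(2026, 2, 1),
    "api.example.test": date(2026, 9, 30),
}

if __name__ == "__main__":
    for host, not_after in INVENTORY.items():
        events = project_renewals(not_after, date(2029, 12, 31))
        print(host, renewals_per_year(events))
        for issued, days, expires in events[:4]:
            print(f"  issue {issued}  {days:>3} days  expires {expires}")
```

Because the sketch renews only 7 days before expiry and always requests the maximum lifetime, its yearly counts are a lower bound; renewing on a fixed monthly cadence, as the table assumes for the 47-day phase, produces more issuances.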

Why Is This Happening?

At first glance, moving from annual to monthly certificate renewals feels like a monumental shift—and it is. In fact, it’s a full rethink of how TLS certificates have been managed for years.

But this change is necessary—and overdue. Think of it like changing the locks on your doors more frequently. Locks that change regularly are costlier and harder for attackers to break, and even if they do break one, they have only a short window for misuse, which significantly limits the potential damage.

And, more frequent domain validation (every 10 days) means certificates are always issued based on up-to-date, accurate ownership information—preventing mis-issuance and boosting trust in your infrastructure.

Yes, it’s more work, but it promotes stronger security—and with quantum computing on the horizon, that’s a trade-off we cannot afford to ignore.

How to Prepare for Monthly Renewals

There is a good reason for shortening TLS certificate lifespans: to push organizations toward full CLM automation and crypto-agility.

Certificate management might look straightforward—enroll, provision, install, renew, and done. But in reality, it’s a complex and layered process, involving domain validation, endpoint binding, configuration checks, discovery, alerts, policy enforcement, and monitoring for cryptographic hygiene. That’s a lot of moving parts—and they all have to happen on time, in the right order, and in sync.

Relying on spreadsheets, separate CA-specific tools, and manual processes for all these tasks won’t cut it when you’re juggling thousands of certificates across hybrid and multi-cloud environments. Automation and crypto-agility are the only ways to keep pace with monthly renewals.

AppViewX AVX ONE CLM: A Complete End-to-End CLM Solution for Crypto-Agility

Although the focus now is on automating renewals, it is just the starting point for the 47-day TLS transition. True readiness demands a full-spectrum certificate lifecycle management (CLM) solution that is efficient and crypto-agile (that can adapt to changes seamlessly now and in the future).

Achieving this means embedding three core capabilities into every step of the CLM process: Visibility, Automation, and Policy Control. AppViewX AVX ONE CLM is built precisely to deliver that, enabling crypto-agility. Here’s how we can help in the context of the shift to 47-day TLS.

1. Complete Certificate Visibility

  • Smart Discovery: Flexible scanning methods to automatically discover your public and private trust certificates from your IP networks, managed devices, cloud accounts, CAs, Kubernetes clusters, and CT logs. You can run these scans on demand or at scheduled intervals to continually discover new certificates.
  • Centralized Inventory: Consolidate all discovered certificates in a centralized inventory along with essential certificate information such as the certificate location, owner, issuing CA, expiry date, chain of trust, crypto standards, and more. This inventory serves as a single source of truth for all certificate types, from any public or private CA, across every endpoint, to help you effectively monitor certificate expirations, prevent outages, and mitigate vulnerabilities.
  • Actionable Insights: Use dedicated Short-Lived TLS dashboards to pinpoint your current certificate validity periods—and get ahead of the 200-day (March 2026), 100-day (March 2027), and 47-day TLS (March 2029) transitions.
  • Alerting: Custom alerts for certificate expiry notifications are sent to certificate owners to ensure timely renewals, approvals, or escalations. Alerts can be delivered via emails for manual actions or via simple network management protocol (SNMP) traps for automation and integration with ITSM and SIEM solutions.

2. Powerful Automation

  • Closed-Loop Renewals: Unlike any other vendor in the market, AVX ONE CLM handles renewals end-to-end. From generating the key pair and CSR to submitting it to the appropriate Certificate Authority (CA), retrieving the renewed certificate, installing it, and binding it to the correct endpoint or application, every step is automated and seamlessly managed. This helps ensure the new certificate is fully configured and ready to use and eliminates the risk of certificate misconfigurations, vulnerabilities, and outages.
  • CA-Agnostic Control: AVX ONE CLM works with every major public and private CA, centralizing discovery, renewal, and management of all your certificates in a single console. This means your PKI and security teams can work from a single consolidated tool for enterprise-wide CLM instead of fragmented CA-specific tools that lack complete visibility.

Automation Workflows:

  • Out-of-the-box Workflows: AppViewX AVX ONE CLM offers an extensive catalog of pre-built workflows for automating routine certificate tasks like alerting/escalations, enrollment, provisioning, and installation, including the last-mile action of endpoint binding.
  • Customizable Workflows: No two PKI environments are the same. That’s why AVX ONE CLM’s automation framework is designed to allow deep customizations. Using a drag-and-drop visual workflow builder, you can fully customize workflows to tailor CLM processes to your unique needs. Whether it is implementing one-click approvals and renewals, or fully automating the entire renewal and provisioning process as zero-touch, AVX ONE CLM can accommodate that in your environment. For example, you can automate public TLS certificate issuance via ACME or customize ServiceNow workflows with layered approvals to align with your internal policies.
  • Broad Integration Ecosystem: AppViewX offers extensive pre-built integrations with public and private CAs, Cloud providers, DevOps toolchains, ITSM platforms like ServiceNow, MDM solutions like Microsoft Intune, and more for streamlining certificate management across cross-functional teams. In addition, REST APIs enable custom integrations—so you can automate exactly the way your environment demands.
  • Auto-Enrollment Protocols and ACME Support: AVX ONE CLM works with all the major auto-enrollment standards—ACME included—so you get the fastest path from certificate issuance to installation and renewal. But ACME by itself only tackles part of the challenge: it automates issuance and renewal, but it doesn’t discover certificates in your environment, enforce your security policies, or cover every PKI use case. That’s where AppViewX steps in. By integrating ACME into a full-featured CLM framework, AVX ONE CLM gives you the speed of ACME with end-to-end visibility, governance, and compliance—so there are never any gaps in your certificate management.

3. Continuous Policy Control

  • Zero-Touch Policy Enforcement: Use automation to enforce policies that gradually shorten TLS lifespans and define the use of approved CAs, crypto-standards, and more, eliminating rogue/non-compliant certificates.
  • Granular Role-Based Access Control (RBAC): Shrinking TLS lifespans mean more certificates—and often more CAs—to manage. Implementing RBAC helps set clear permissions for who can request, approve, and issue certificates, preventing CA and certificate sprawl. At the same time, it empowers your cross-functional teams with certificate self-service, so they can request and issue security-approved certificates on their own, without extra handoffs.
  • Complete audit trails: Track every action with detailed logs to simplify external and internal audits. Generate regular compliance reports to keep up with industry and regulatory standards.

Lean Into This Change for a More Resilient Tomorrow

Shorter certificate lifespans aren’t just about creating more work (even if it feels that way right now). They’re about making your organization more secure with faster certificate rotations, smaller attack windows, and up-to-the-minute domain validation. So, it is important to see this 47-day TLS validity shift as an opportunity to level up your PKI and CLM practices. With the right end-to-end CLM solution in place, what feels like a daunting jump can become a competitive advantage: real-time visibility, automated renewals, and built-in compliance.

To learn more about AppViewX AVX ONE CLM and to see how it can help you prepare now for shorter validity TLS, request a demo.

About the Author

Krupa Patil

Product Marketing Manager

A content creator focused on providing readers and prospective buyers with accurate, useful, and latest product information to help them make better informed decisions.