The 47-Day TLS Certificate Lifecycle: What It Means for You
Overview
Over the past ten years, the industry has steadily moved toward shorter SSL/TLS certificate validity periods. What used to be common—certificates valid for up to five years—has now evolved into much shorter lifespans due to increasing concerns over security and agility.
Here’s a quick timeline of the shift:
Pre-2015: Certificates valid up to 5 years
2015: Capped at 3 years
2018: Reduced to 2 years
2020: Apple unilaterally enforces a 398-day limit, with Google and Mozilla following
2029 (expected): Industry-wide shift to 47-day certificates
Each step has reflected a broader industry effort to minimize risk and push for modern infrastructure that supports rapid certificate rotation.
Why 47 Days?
The upcoming 47-day cap on SSL/TLS certificate validity might seem surprisingly short, but it’s rooted in sound security logic. Here’s why this change is being pursued:
Improved Security
Shorter lifespans limit the window of exposure if a certificate is compromised. Even if an attacker obtains a private key, the period in which that key can be abused is capped by the certificate's remaining validity, so its usefulness is dramatically reduced.
Reduced Dependence on Revocation
Traditional revocation mechanisms like CRLs and OCSP have proven unreliable at scale. Short-lived certificates help render revocation largely unnecessary by ensuring compromised certificates expire quickly on their own.
Encouraging Automation
Manual certificate renewal is already risky. A 47-day window essentially mandates automation. This shift pushes organizations to adopt tools and practices that improve reliability and reduce human error.
Faster Ecosystem Recovery
In the event of a CA breach or misissuance, shorter-lived certificates help the internet “self-heal” faster—limiting systemic risk across the board.
Who’s Driving This?
The push for 47-day certificates is coming not from traditional regulatory bodies like the CA/Browser Forum, but from browser vendors—especially Apple, Google, and Mozilla. Just like with the 398-day rule, these companies are enforcing certificate policies at the client (browser/OS) level.
That means even if a Certificate Authority issues a certificate with a longer validity period, it may be rejected outright by major browsers after 2029.
Industry-Wide Impact
Certificate Authorities (CAs)
CAs will need to scale their issuance operations significantly, ensuring high-volume automated issuance systems are robust, reliable, and API-driven.
Enterprises
Organizations relying on manual processes or long-lived certificates will need to modernize fast. Manual renewal every 47 days simply isn’t viable at scale.
DevOps & Platform Engineering
Certificate management becomes a core DevOps concern. TLS must be integrated into CI/CD pipelines, with automatic renewal, distribution, and hot reloading built into infrastructure.
IoT & Embedded Device Manufacturers
Devices with limited connectivity or update mechanisms will face significant challenges. These environments may need alternative trust mechanisms, like pre-shared keys or token-based systems.
How to Prepare?
To get ahead of this shift, organizations should begin preparing now. Here's how:
Inventory and Audit
Start by identifying all certificates in your environment—both public and internal. Tools that scan your infrastructure or integrate with certificate managers can help you build a full inventory.
Implement Automation
Move to fully automated certificate renewal using ACME-compatible tools and platforms. Popular choices include:
Certbot (for Let's Encrypt)
cert-manager (for Kubernetes)
HashiCorp Vault
Commercial tools like DigiCert CertCentral or Sectigo Certificate Manager
Enable Zero-Downtime Rotation
Ensure your services support hot reloading of certificates without restarts. This applies to load balancers (e.g., NGINX, HAProxy), proxies, and application servers.
Monitor Expiry Proactively
Use monitoring tools to track certificate expiration dates and ensure alerting is configured. This adds a safety net in case automation fails.
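As an added example (not code from the original post), a stdlib-only Python inventory check covering the audit and monitoring steps above: it classifies each certificate by remaining lifetime using a renewal threshold scaled to the certificate's own validity period, so a 47-day certificate is flagged at about 15 days rather than with a fixed 30-day threshold tuned for year-long certificates. The host names and dates in the sample are constructed; `fetch_record` reads a live endpoint and is not exercised by the sample.

```python
import socket
import ssl
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Renewal policy sized for short-lived certificates: renew once a third of the
# lifetime remains (about 15 days for a 47-day certificate).
RENEW_AT_FRACTION = 1 / 3

@dataclass
class CertRecord:
    name: str            # hostname or internal service name
    not_before: datetime
    not_after: datetime

def classify(rec: CertRecord, now: datetime) -> str:
    """Return 'expired', 'critical', 'renew' or 'ok' for one certificate."""
    remaining = rec.not_after - now
    renew_window = (rec.not_after - rec.not_before) * RENEW_AT_FRACTION
    if remaining <= timedelta(0):
        return "expired"
    if remaining <= renew_window / 4:   # renewal automation should have fired long ago
        return "critical"
    if remaining <= renew_window:
        return "renew"
    return "ok"

def audit(records, now: datetime) -> dict:
    """Map each certificate name to its state; anything not 'ok' needs attention."""
    return {rec.name: classify(rec, now) for rec in records}

def fetch_record(host: str, port: int = 443) -> CertRecord:
    """Live check: read the validity dates from a server's leaf certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    to_dt = lambda s: datetime.fromtimestamp(ssl.cert_time_to_seconds(s), tz=timezone.utc)
    return CertRecord(host, to_dt(cert["notBefore"]), to_dt(cert["notAfter"]))

# Constructed sample inventory (not real hosts): one 398-day certificate and
# three 47-day certificates at different points in their lifetime.
NOW = datetime(2029, 4, 1, tzinfo=timezone.utc)
DAY = timedelta(days=1)
SAMPLE = [
    CertRecord("legacy.example", NOW - 200 * DAY, NOW + 198 * DAY),
    CertRecord("mail.example", NOW - 35 * DAY, NOW + 12 * DAY),
    CertRecord("iot-gw.example", NOW - 45 * DAY, NOW + 2 * DAY),
    CertRecord("old.example", NOW - 50 * DAY, NOW - 3 * DAY),
]
```

Running `audit(SAMPLE, NOW)` reports the 398-day certificate as ok with 198 days left, while the 47-day certificates with 12 and 2 days left come back as renew and critical respectively; wire `fetch_record` into the list to check live endpoints.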
Timeline to 2029
While no formal enforcement date has been published, current signals from browser vendors suggest that March 2029 is the targeted cutoff for longer certificate validity. Expect early enforcement in beta browsers or developer previews as early as 2028.
To stay ahead, aim to fully adopt short-lived certificate strategies by mid-2028.
The Future: 24-Hour or Ephemeral Certificates?
Some in the security community believe the 47-day validity is just a stepping stone. In the long run, certificates may become:
Ephemeral, valid for just hours or days
Automatically issued on demand, much like session tokens
Integrated into service discovery and identity frameworks, like SPIFFE or service meshes
This vision relies on a highly automated, resilient PKI infrastructure—something every modern organization should be moving toward.
Final Thoughts
The move to 47-day SSL/TLS certificates marks a major shift in how trust is managed on the internet. It signals the end of manual certificate management and the dawn of a new era: one where automation, agility, and proactive security are the norm.
Organizations that prepare now will not only avoid future compliance headaches but also benefit from more secure, efficient, and scalable infrastructure.