USD 
USD 
GBP 
EUR 
INR 
ZAR 
AUD 
CAD 
MYR 
SGD 
THB 
HKD 
BRL 
AED 
In April 2025, the CA/Browser Forum, with support from Apple, Google, and Mozilla, approved a proposal to shorten the maximum lifespan of publicly trusted TLS certificates. Starting in March 2026, certificate validity will reduce in stages, eventually reaching just 47 days by 2029. The change is made to improve internet security, but it also has its own set of challenges for website owners and IT teams.
In this blog, we break down what TLS certificates are, why this shift is happening, what changes are coming, and how teams can prepare for this major update in internet security.
A Complete Breakdown of TLS Updates Effective March 2026
The CA/Browser Forum passed Ballot SC-081v3 on April 11, 2025, to make some significant changes to how long TLS certificates are valid, which was sponsored by Apple and endorsed by major players in the industry like Google, Mozilla, and Microsoft.
The reason why it has been decided is to enhance online security, particularly eliminate the possibility of threats associated with stolen or expired certificates. Certificates that have expired or have been misused in any way could be misused against an organization. Phase 1 starts on March 15, 2026, and Phase 2 goes into effect by March 15, 2027, with the final phase scheduled for March 15, 2029.
Timeline of Certificate Lifetime Changes
TLS certificate lifespan is changing in phases, along with changes to how long you can reuse domain and organization validation information. These updates apply to all certificate types, including DV – Domain Validation, OV – Organization Validation and EV – Extended Validation.
Here’s a clear breakdown of what’s changing and when:
| Effective Date | Max Certificate Validity | Validation Reuse Limit |
|---|---|---|
| Before March 2026 | 398 days | Domain/IP: 398 days Subject (SII): 825 days |
| From March 2026 | 200 days | Domain/IP: 200 days Subject (SII): 398 days |
| From March 2027 | 100 days | Domain/IP: 100 days Subject (SII): 398 days |
| From March 2029 | 47 days | Domain/IP: 10 days Subject (SII): 398 days |
What Does the New TLS Certificate Lifetime Schedule Mean?
- Maximum Certificate Validity: The time span where a TLS certificate remains valid before it must be renewed.
- Domain/IP Validation Reuse: Duration where you can reuse domain or IP verification before revalidating it.
- Subject Identity Information (SII) Reuse: Period where organization details used in OV and EV certificates remain valid without revalidation. (DV certificates do not include SII.)
These phased reductions are intended to improve overall security and will make certificate automation essential by 2029.
Why the Shift to 47 Days?
The major reason behind this is to reduce the security risks which occur because of outdated or compromised certificates. In case if a certificate is being misused, shorter certificate validity period helps limit the damage. Current methods like OCSP (Online Certificate Status Protocol) and CRLs (Certificate Revocation Lists) often fail to revoke certificates quickly enough. By reducing the lifetime, security gaps become smaller.
Also, shorter lifetimes force website owners to renew their TLS certificates more often. This helps ensure that all validation data stays updated and accurate.
Key Impacts for Website Owners and IT Teams
As the CA/Browser Forum rolls out new TLS certificate rules starting March 2026, website owners and IT teams must adjust how they manage certificates. Here are the 5 biggest impacts that will directly affect their work.
-
Frequent Certificate Renewals
Starting March 15, 2026, TLS certificate validity drops to 200 days. In 2027, it reduces again to 100 days. By 2029, the longest validity will only be 47 days. Teams will be forced to renew certificates up to 8 times a year in order to avert unexpected site outages. Missing even a single renewal could result in major disruption and loss of user trust.
-
Automation Becomes Essential
Manual certificate management will no longer be practical. With certificates now having shorter lifetimes, tools such as ACME (Automatic Certificate Management Environment), and certificate lifecycle management software have become even more critical. These tools automate processes including issuance, deployment and renewal of certificates for a given hostname. It reduces human error while saving valuable time, especially in environments with a high number of certificates or frequent changes.
-
More Frequent Domain Validation
The number of days you can reuse domain or IP validation is also shrinking. From 398 days now, it goes to 200 in 2026, then to 100, and finally just 10 by 2029. This means faster, repeat validation workflows will be needed, especially for larger websites and teams managing multiple domains.
-
Risk of Service Interruption
If a certificate expires without renewal, browsers show warnings or block access entirely. This breaks trust instantly and may lead to lost traffic or transactions. Without strong automation and tracking in place, the chances of missing a renewal will increase.
-
Security Posture Improves
Shortening the validity period of these certificates reduces the damage caused by the breach of compromised certificates or expired certificates. It compels IT departments to keep systems updated, eliminate weak ciphers, and adhere to stronger encryption regulations. Over time, this improves TLS security for better and safer internet communication.
These shifts are quite high and they are followed by long-term advantages. The first step to monitoring all your certificates today, automate where it makes sense and prepare your teams for more frequent validation and renewal cycles. By taking the right measures now you can keep your systems running smoothly in future.
How to Prepare for the 47-Day TLS Certificate Lifespan
To avoid outages and stay current with new TLS standards, IT teams and website owners need to update their certificate lifecycle process. Here are 4 easy ways to make those adjustments.
Tip #1: Adopt Automation
Use automation tools, it helps manage certificate management process simply; automating certificate issuance, renewal, and deployment. Most of these tools are integrated with ACME and offer centralized visibility, policy enforcement, and real-time alerts. Whether you manage your infrastructure on-premises or in the cloud, a certificate management system can reduce the risk of missing certificate renewal and can easily be scaled as certificate volumes grow.
Tip #2: Audit Certificates
Know where all your TLS certificates are located in all your public websites, internal, and staging tools. Document where they are being used, and make a complete record for public certs, ported to staging, and internal server use.
Tip #3: Set Renewal Reminders
Create alerts for your team to be notified prior to cert calendar expiration to avoid outages, or browser warnings/errors as a result of failing to renew the certificate.
Tip #4: Minimize Manual Actions
Where possible upgrade manual processes to an automated system whether that’s requesting, renewing, or deploying your certificates. Taking out the manual steps lowers the number of errors and frees up valuable time for your team.
To encapsulate, early planning, automation, and regular tracking will help you stay secure, avoid downtime, and smoothly adapt to the 47-day TLS certificate rule.
The Bottom Line
Shifting to a 47-day TLS certificate lifespan is one of the biggest web security changes in recent times. At first glance, this switch might look tricky, but it has clear benefits. It provides better protection, cuts down on threat exposure, and improves how we manage certificates.
For website owners and IT teams, getting ready is key. They’ll need to set up automatic renewals, keep a close eye on certificates, and sync up their validation steps with the new timelines. Immediate action can prevent many future issues. In the long run, these updates will create a more secure, stable, and trusted web experience for everyone.
