The era of long-lived TLS certificates is officially ending. In a decision that will reshape certificate management across the internet, the CA/Browser Forum has approved a maximum lifetime of 47 days for publicly trusted TLS certificates. The rollout begins in March 2026, with a phased transition that will reduce today’s 398-day certificates to just over six weeks of validity.
For security teams, DevOps engineers, and PKI managers, this shift is not a minor policy change; it’s a fundamental overhaul of how certificates are issued, renewed, and automated.
What Changed: 47-Day TLS Certificate Rule Explained
The CA/Browser Forum, which sets the guidelines under which certificate authorities and browser vendors operate, voted to reduce the maximum lifetime of SSL/TLS certificates to 47 days.
That is a dramatic change from the present 398-day limit. The shift continues a long-running industry trend: the shorter the lifetime, the smaller the impact of a compromised key, the shorter the exposure window when vulnerabilities are found, and the faster the adoption of stronger cryptography.
This change, however, also raises operational complexity. Certificates that once required annual renewal will now need replacement seven to eight times per year, making manual management effectively impossible at enterprise scale.
TLS Certificate Rollout Timeline and Enforcement
The rollout begins in March 2026, when CAs will start issuing shorter-lived certificates under a phased schedule. By 2029, all publicly trusted TLS certificates must comply with the 47-day maximum.
This timeline is designed to give organizations three years to adopt automation and update operational processes. But March 2026 is effectively the deadline for testing; after that, organizations without automation will feel the impact immediately.
In addition to the reduction in certificate lifetime, the period during which domain and IP validation data can be reused will also shrink, to 10 days by March 2029 (compared with the current 398 days).
Here is the detailed table on when and how this change will be implemented:
| Date (Effective) | Maximum TLS Certificate Lifetime | Maximum Reuse of Domain/IP Validation | What This Means |
| --- | --- | --- | --- |
| Until March 15, 2026 | 398 days | 398 days | Certificates can still be issued for just over a year, and domain/IP validations can be reused on the same annual cycle. |
| March 15, 2026 | 200 days | 200 days | The first major cut. Certificates will now need to be renewed roughly twice a year. |
| March 15, 2027 | 100 days | 100 days | Renewal cycles accelerate to every three months. |
| March 15, 2029 | 47 days | 10 days | Final stage. Certificates expire in under seven weeks, and domain validations must be refreshed every 10 days. |
Enterprise Impact: Outages & Procurement Challenges
Large organizations already have thousands of certificates spread across hybrid and multi-cloud environments. With a 47-day window, one forgotten API endpoint or overlooked staging server may cause a service outage. As lifespans shorten, the margin for human error shrinks to near zero.
In the past, large financial institutions, airlines, and government agencies have been brought down by unexpected system failures due to expired certificates. The risk of certificate-related outages will increase dramatically in organizations that rely on manual spreadsheets, ticketing, or ad-hoc processes.
Procurement Under Shorter Lifetimes
Shorter lifetimes will also ripple through procurement. Enterprises will need CAs that can handle automated issuance at scale and offer reliable APIs. Contracts that once focused on price and support will now require guarantees around availability, automation compatibility, and integration with orchestration platforms. In addition to procurement and outage risk, the new rule also redefines the way PKI teams need to approach automation.
PKI Challenges and Certificate Automation Requirements
Automation Becomes Mandatory
The 47-day policy effectively makes automation non-optional. ACME-based SSL certificate issuance and integrated lifecycle management tools will be required to keep pace.
Teams that haven’t yet adopted automated issuance will need to invest in tooling capable of continuous discovery, enrollment, and renewal. Without this, outages will become unavoidable.
New Operational Considerations
Automation introduces its own challenges. Enterprises will need to:
- Implement certificate discovery to map every TLS endpoint.
- Build observability into issuance pipelines, with alerts for failed renewals.
- Enforce RBAC and policy controls on certificate requests to prevent abuse.
- Maintain fallback procedures, such as emergency reissuance or pre-staged backup certificates.
What Organizations Need to Do Next
To prepare, enterprises should begin planning now. A practical checklist includes:
- Inventory certificates: Discover all TLS endpoints, both public and private. Track issue dates and renewal methods.
- Adopt automation: Deploy ACME clients or vendor APIs. Add certificate issuance to CI/CD and infrastructure-as-code pipelines.
- Test renewals: Run dry-runs of rotation across production-like environments. Check that workloads, clients, and monitoring are working properly.
- Review vendor contracts: Ensure that your selected CAs support automation, rate-limit policies, and SLA guarantees for issuance.
- Establish monitoring: Configure alerts for upcoming expirations and failed renewals. Integrate certificate health into observability dashboards.
- Handle special cases: Develop dedicated strategies for IoT, legacy applications, and systems where automation is constrained.
Organizations that start this process today will have time to experiment, test, and stabilize before the deadlines come closer.
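The inventory and monitoring items in the checklist can be checked directly against the phased limits in the timeline table. The following is an added example, not code from the original article: the hosts and dates are constructed, the time strings use the format Python's `ssl` module returns from `getpeercert()`, `notBefore` is used as a stand-in for the issuance date, and the two-thirds renewal threshold is an assumption.

```python
import ssl
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Phased limits from the timeline table: (effective date, maximum lifetime in days).
SCHEDULE = [
    (datetime(2029, 3, 15, tzinfo=UTC), 47),
    (datetime(2027, 3, 15, tzinfo=UTC), 100),
    (datetime(2026, 3, 15, tzinfo=UTC), 200),
]
DEFAULT_MAX_DAYS = 398   # limit for certificates issued before March 15, 2026
RENEW_FRACTION = 2 / 3   # assumption: renew once two thirds of the lifetime has elapsed

def parse_cert_time(value):
    """Turn a getpeercert()-style time string into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=UTC)

def max_lifetime_days(not_before):
    """Limit that applies to a certificate issued at not_before (proxy for issuance)."""
    for effective, days in SCHEDULE:
        if not_before >= effective:
            return days
    return DEFAULT_MAX_DAYS

def audit(cert, now):
    """Check one inventory record against the schedule and the renewal threshold."""
    nb, na = parse_cert_time(cert["notBefore"]), parse_cert_time(cert["notAfter"])
    lifetime, limit = na - nb, max_lifetime_days(nb)
    if now >= na:
        status = "EXPIRED"
    elif now >= nb + lifetime * RENEW_FRACTION:
        status = "RENEW_NOW"
    else:
        status = "OK"
    return {"host": cert["host"], "limit_days": limit,
            "within_limit": lifetime <= timedelta(days=limit),
            "status": status, "days_left": (na - now).days}

# Constructed sample inventory (hypothetical hosts), as a discovery scan might record it.
INVENTORY = [
    {"host": "api.example.test", "notBefore": "Mar 20 00:00:00 2029 GMT", "notAfter": "May  6 00:00:00 2029 GMT"},
    {"host": "legacy.example.test", "notBefore": "Apr  1 00:00:00 2029 GMT", "notAfter": "Jul 10 00:00:00 2029 GMT"},
    {"host": "staging.example.test", "notBefore": "Mar  1 00:00:00 2029 GMT", "notAfter": "Apr 20 00:00:00 2029 GMT"},
]

if __name__ == "__main__":
    now = datetime(2029, 4, 25, tzinfo=UTC)  # fixed "current time" for reproducible output
    for record in INVENTORY:
        print(audit(record, now))
```

The `legacy.example.test` record is the case worth alerting on early: it is nowhere near expiry, yet its 100-day validity exceeds the 47-day limit in force on its issue date.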
The Bottom Line for the CA/Browser Forum
The CA/Browser Forum’s decision to enforce 47-day TLS certificates marks the end of manual certificate management. By 2029, organizations that rely on spreadsheets and ticket queues can face outages.
The winners will be teams that implement certificate automation and fully integrate it into infrastructure pipelines. With less than three years until rollout begins, the time to prepare is now.