TLS Lifetimes Cut: CA/Browser Forum Sets 47-Day Rule for March 2026


The era of long-lived TLS certificates is officially ending. In a decision that will reshape certificate management across the internet, the CA/Browser Forum has approved a maximum lifetime of 47 days for publicly trusted TLS certificates. The rollout begins in March 2026, with a phased transition that will reduce today’s 398-day certificates to just over six weeks of validity.

For security teams, DevOps engineers, and PKI managers, this shift is not a minor policy change; it is a fundamental overhaul of how certificates are issued, renewed, and automated.

What Changed: 47-Day TLS Certificate Rule Explained

The CA/Browser Forum, which sets the guidelines under which certificate authorities and browser vendors operate, voted to reduce the maximum lifetime of SSL/TLS certificates to 47 days.

That is a dramatic change from the present 398-day limit. The shift continues a long-running industry trend: the shorter a certificate's lifetime, the smaller the impact of a compromised key, the shorter the exposure window when vulnerabilities are found, and the faster the migration to stronger cryptography.

This change, however, also raises operational complexity. Certificates that once required annual renewal will now need replacement seven to eight times per year, making manual management effectively impossible at enterprise scale.

TLS Certificate Rollout Timeline and Enforcement

The rollout begins in March 2026, when CAs will start issuing shorter-lived certificates under a phased schedule. By 2029, all publicly trusted TLS certificates must comply with the 47-day maximum.

This timeline is designed to give organizations three years to adopt automation and update operational processes. But March 2026 is effectively the deadline for testing; after that, organizations without automation will feel the impact immediately.

In addition to the shorter certificate lifetime, the period for which domain and IP validation data may be reused will also shrink, falling to 10 days by March 2029 (from the current 398 days).

Here is the detailed table on when and how this change will be implemented:

Date (Effective) | Maximum TLS Certificate Lifetime | Maximum Reuse of Domain/IP Validation | What This Means
Until March 15, 2026 | 398 days | 398 days | Certificates can still be issued for just over a year, and domain/IP validations can be reused on the same annual cycle.
March 15, 2026 | 200 days | 200 days | The first major cut. Certificates will now need to be renewed roughly twice a year.
March 15, 2027 | 100 days | 100 days | Renewal cycles accelerate to roughly every three months.
March 15, 2029 | 47 days | 10 days | Final stage. Certificates expire in under seven weeks, and domain validations must be refreshed every 10 days.

Enterprise Impact: Outages & Procurement Challenges

Large organizations already manage thousands of certificates across hybrid and multi-cloud environments. With a 47-day window, one forgotten API endpoint or overlooked staging server can cause a service outage. As lifetimes shrink, the margin for human error shrinks to near zero.

In the past, large financial institutions, airlines, and government agencies have suffered unexpected system failures caused by expired certificates. The risk of certificate-related outages will rise dramatically in organizations that still rely on manual spreadsheets, ticketing, or ad-hoc processes.

Procurement Under Shorter Lifetimes

Shorter lifetimes will also ripple through procurement. Enterprises will need CAs that can handle automated issuance at scale and offer reliable APIs. Contracts that once focused on price and support will now require guarantees around availability, automation compatibility, and integration with orchestration platforms. In addition to procurement and outage risk, the new rule also redefines the way PKI teams need to approach automation.

PKI Challenges and Certificate Automation Requirements

Automation Becomes Mandatory

The 47-day policy effectively makes automation non-optional. ACME-based certificate issuance and integrated lifecycle management tools will be required to keep pace.

Teams that haven’t yet adopted automated issuance will need to invest in tooling capable of continuous discovery, enrollment, and renewal. Without this, outages will become unavoidable.

New Operational Considerations

Automation introduces its own challenges. Enterprises will need to:

  • Implement certificate discovery to map every TLS endpoint.
  • Build observability into issuance pipelines, with alerts for failed renewals.
  • Enforce RBAC and policy controls on certificate requests to prevent abuse.
  • Maintain fallback procedures, such as emergency reissuance or pre-staged backup certificates.

What Organizations Need to Do Next

To prepare, enterprises should begin planning now. A practical checklist includes:

  • Inventory certificates: Discover all TLS endpoints, both public and private. Track issue dates and renewal methods.
  • Adopt automation: Deploy ACME clients or vendor APIs. Add certificate issuance to CI/CD and infrastructure-as-code pipelines.
  • Test renewals: Run dry-runs of rotation across production-like environments. Check that workloads, clients, and monitoring are working properly.
  • Review vendor contracts: Ensure that your selected CAs support automation, rate-limit policies, and SLA guarantees for issuance.
  • Establish monitoring: Configure alerts for upcoming expirations and failed renewals. Integrate certificate health into observability dashboards.
  • Handle special cases: Develop dedicated strategies for IoT, legacy applications, and systems where automation is constrained.
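As an added example (not code from the article or the CA/Browser Forum), the audit below encodes the phased schedule from the timeline table above and applies it to a certificate inventory of the kind the inventory and monitoring steps produce: it flags certificates whose lifetime exceeds the limit in force on their issue date, and computes when each one should be renewed. The inventory records are constructed, and the renew-at-one-third-remaining policy is an assumption, the convention common ACME clients follow rather than anything the Forum mandates.

```python
from datetime import date, timedelta

# Phased schedule from the CA/Browser Forum timeline on this page:
# (effective date, max certificate lifetime in days, max validation-reuse in days).
PHASES = [
    (date(2029, 3, 15), 47, 10),
    (date(2027, 3, 15), 100, 100),
    (date(2026, 3, 15), 200, 200),
    (date(1, 1, 1), 398, 398),  # catch-all for anything issued before the first cut
]
# Assumed renewal policy (not from the page): renew once one third of the
# lifetime remains, the convention common ACME clients follow.
RENEW_FRACTION = 1 / 3

def limits_for(issued: date):
    """(max_lifetime_days, max_validation_reuse_days) for a cert issued on `issued`."""
    for effective, lifetime, reuse in PHASES:
        if issued >= effective:
            return lifetime, reuse

def audit(inventory, today: date):
    """Classify each inventory record (dict with 'name', 'not_before', 'not_after'
    as ISO dates) against the phase in force on its issue date."""
    findings = []
    for cert in inventory:
        issued = date.fromisoformat(cert["not_before"])
        expires = date.fromisoformat(cert["not_after"])
        lifetime = (expires - issued).days
        max_lifetime, max_reuse = limits_for(issued)
        remaining = (expires - today).days
        renew_at = expires - timedelta(days=round(lifetime * RENEW_FRACTION))
        if lifetime > max_lifetime:
            status = "exceeds-max-lifetime"  # a compliant CA should not have issued this
        elif remaining < 0:
            status = "expired"
        elif today >= renew_at:
            status = "renew-now"
        else:
            status = "ok"
        findings.append({"name": cert["name"], "status": status, "lifetime_days": lifetime,
                         "max_lifetime_days": max_lifetime, "max_validation_reuse_days": max_reuse,
                         "renew_at": renew_at.isoformat(), "days_remaining": remaining})
    return findings

# Constructed sample inventory, not real hosts or certificates.
SAMPLE_INVENTORY = [
    {"name": "api.example.test", "not_before": "2026-04-01", "not_after": "2026-10-18"},   # 200-day cert
    {"name": "old.example.test", "not_before": "2026-04-01", "not_after": "2027-05-04"},   # 398 days, after the cut
    {"name": "edge.example.test", "not_before": "2029-04-01", "not_after": "2029-05-18"},  # 47-day cert
]
```

Call audit(SAMPLE_INVENTORY, date.today()) and route every "renew-now" or "exceeds-max-lifetime" finding to the alerting pipeline described in the monitoring step; the renew_at field is the date the automated renewal job should fire.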

Organizations that start this process today will have time to experiment, test, and stabilize before the deadlines come closer.

The Bottom Line for the CA/Browser Forum

The CA/Browser Forum’s decision to enforce 47-day TLS certificates marks the end of manual certificate management. By 2029, organizations that rely on spreadsheets and ticket queues can face outages.

The winners will be teams that implement certificate automation and fully integrate into infrastructure pipelines. With less than three years until rollout begins, the time to prepare is now.
