SSL Certificate Lifespans Dropping to 47 Days by 2029 as First Phase Kicks In This Week
The CA/Browser Forum voted unanimously to slash certificate validity from 398 days to 47 days in three phases starting March 15
The reduction rolls out in three phases: 200 days starting March 15, 2026, 100 days from March 2027, and the final 47-day limit from March 2029. Domain Control Validation reuse periods drop in lockstep, reaching just 10 days in the final phase.
All four major browser vendors — Apple, Google, Mozilla, and Microsoft — voted in favor along with 25 certificate authorities. The rationale centers on limiting damage from compromised certificates, since current revocation mechanisms are unreliable.
Organizations that have been manually renewing certificates annually will need to automate. Tools like Let's Encrypt and ACME-based certificate managers already support short-lived certificates, but enterprises with complex multi-domain setups face significant migration work.
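To see what the phased caps mean for renewal cadence, the sketch below (an added example, not from the article or the CA/Browser Forum) simulates reissuing a certificate each time it expires and clamps every lifetime to the cap in force on the issue date. The hostnames and dates are constructed, and it assumes the 2027 and 2029 phases start on March 15 like the first one; the article gives only the month.

```python
from datetime import date, timedelta

# Phase start dates and maximum validity in days, taken from the article.
# Assumption: the 2027 and 2029 phases begin on March 15 like the first one;
# the article gives only the month for those two.
PHASES = [
    (date(2026, 3, 15), 200),
    (date(2027, 3, 15), 100),
    (date(2029, 3, 15), 47),
]
LEGACY_LIMIT = 398  # cap that applies before the first phase


def max_validity_days(issued_on):
    """Return the validity cap in force for a certificate issued on this date."""
    limit = LEGACY_LIMIT
    for start, days in PHASES:
        if issued_on >= start:
            limit = days
    return limit


def plan_renewals(not_after, requested_days, horizon):
    """Simulate reissuing a certificate each time it expires, up to horizon.

    Returns a list of (issue_date, granted_days), where granted_days is the
    requested lifetime clamped to the cap in force on the issue date.
    """
    plan = []
    issue = not_after
    while issue <= horizon:
        granted = min(requested_days, max_validity_days(issue))
        plan.append((issue, granted))
        issue += timedelta(days=granted)
    return plan


# Constructed inventory: (hostname, notAfter of the certificate now in service).
INVENTORY = [
    ("www.example.test", date(2026, 3, 1)),
    ("api.example.test", date(2026, 9, 30)),
]

if __name__ == "__main__":
    for host, not_after in INVENTORY:
        plan = plan_renewals(not_after, 398, date(2029, 12, 31))
        print(host, len(plan), "reissuances through 2029")
        for issued, days in plan:
            print("   ", issued.isoformat(), f"{days} days")
```

A certificate reissued just before a phase boundary keeps its longer lifetime until it expires, so the first renewal that lands inside a new phase is where a manual process sees its cadence change abruptly.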
Analysis
Why This Matters
This is the biggest change to SSL certificate management in over a decade. Any organization not already using automated certificate renewal will be forced to adopt it or face outages.
Background
Certificate revocation has been a known weakness in web security for years. Short-lived certificates effectively make revocation less critical by limiting the window of exposure.
Key Perspectives
Let's Encrypt already issues 90-day certificates and handles renewals automatically. The challenge is for enterprises using paid certificates with manual processes.
What to Watch
The March 15 deadline is days away. Expect a wave of renewal automation adoption and potential outages from organizations caught off guard.