Certificate Lifecycle Management

47-Day TLS Certificates: CA/B Forum's New Rules 2026

Executive summary — The CA/Browser Forum has approved a phased reduction of public TLS certificate lifetimes from 398 days today to 47 days by 2029. The change is the single largest operational shift to hit enterprise certificate management in a decade. This article walks through the timeline, the operational implications, and what enterprises must automate to survive an 8x increase in renewal cadence.

The CA/Browser Forum is the obscure standards body that decides how long public TLS certificates may live before they must be renewed. In April 2025, its members approved a phased reduction that takes the maximum lifetime from 398 days today to 47 days by 2029. For most enterprises, this is the single largest operational change to certificate management in a decade. Run the math: renewing 1,000 certificates once a year is a different operation from renewing the same 1,000 certificates eight times a year.

The Timeline

The reduction is phased to give enterprises time to adapt. Starting March 2026, certificate lifetimes drop from 398 days to 200 days. By March 2027, the maximum drops further to 100 days. The final step — 47 days — takes effect in March 2029. Domain Control Validation (DCV) reuse windows shrink in parallel, meaning the validation cache that issuance currently relies on will also need to be refreshed more frequently.

Why the CA/B Forum Voted This Through

Two arguments drove the change. The first is security: shorter certificate lifetimes limit the window of exposure if a private key is compromised. The second is automation pressure: forcing enterprises off manual renewal cycles is a deliberate push toward ACME-based automation. The Forum has signalled that the long-term destination is even shorter lifetimes, possibly measured in days. 47 days is a staging post, not an endpoint.

What Must Be Automated

Manual workflows that worked at an annual cadence will break at 47 days. Five operational capabilities now sit on the critical path of any enterprise running public TLS. The what is certificate lifecycle management guide breaks each of them down.

  • Continuous certificate discovery across cloud, on-premise, and DevOps estates.
  • Automated certificate signing requests (CSRs) through ACME, SCEP, or EST.
  • Domain control validation that does not rely on annual manual DNS edits.
  • Deployment automation that updates load balancers, CDNs, and application servers without human intervention.
  • Monitoring and alerting that catch failed renewals before certificates expire.

Without these capabilities, enterprises will experience a sharp rise in certificate sprawl and enterprise uptime — outages, audit failures, and emergency rotation cycles.

Looking at the platform layer? eMudhra's CertiNext certificate lifecycle automation automates the full TLS lifecycle — discovery, ACME issuance, validation, deployment, and renewal — designed for the 47-day cadence.

The PQC Migration Sits on Top

The 47-day rule arrives at the same time as the broader post-quantum cryptography migration. Enterprises that automate renewal cleanly will have a pre-built channel for issuing hybrid PQC certificates when the time comes. Enterprises that delay automation will face both transitions simultaneously, with no automation runway to fall back on.

READY FOR THE 47-DAY TLS WORLD?
CertiNext automates issuance, validation, deployment, and renewal at any cadence — including the 47-day target. Explore CertiNext certificate lifecycle automation or Contact eMudhra team.

CertiNext Editorial
About the Author

CertiNext Editorial

CertiNext Editorial represents the collective voice of CertiNext, delivering expert insights on PKI modernization, crypto-agility, and the future of machine identity. Our team of PKI architects, security engineers, and digital trust specialists curates practical, in-depth content to help enterprises manage certificates at scale, eliminate outages, and prepare for the post-quantum era with confidence

Ready to Try?

Talk to our team about how eMudhra can help secure your digital workflows with PKI, eSignatures and identity solutions.

Connect with sales