Certificates soon to be valid for only 47 days: what does this mean for your organization?

TLS certificates

A sweeping change is coming to the world of TLS certificates. Starting in 2026, the maximum validity period of public certificates will be shortened in steps, reaching only 47 days in 2029. This has major implications for organizations that still rely on manual certificate management.

Who suggested this?

The proposal was made by Apple, as part of their broader commitment to Internet security. Although Google previously advocated a 90-day maximum term, they voted almost immediately in favor of Apple’s proposal when voting began within the CA/Browser Forum – the alliance of certificate authorities (such as DigiCert, Sectigo, GlobalSign) and browser makers (such as Mozilla, Google, Apple, Microsoft).

Why exactly 47 days?

The 47 days were not chosen at random, but based on a logical calendar count:

  • 200 days = 6 full months (184 days) + half a month (15 days) + 1 day slack
  • 100 days = 3 full months (92 days) + ~1/4 month (7 days) + 1 day slack
  • 47 days = 1 full month (31 days) + half a month (15 days) + 1 day slack

This duration fits well with automated renewal, without too much risk of expired certificates.

What is wrong with the current system?

A key part of the proposal is criticism of the current revocation system (CRL and OCSP), which the CA/Browser Forum says is unreliable. In practice, browsers often ignore these methods, so a certificate that should no longer be trusted, or that is even being misused, can still be accepted.

For this reason, the forum is opting for shorter validity periods: a shorter lifetime minimizes the chance that a compromised certificate will remain active for a long time. In 2023, the forum even approved so-called short-lived certificates, which expire within 7 days and do not require CRL or OCSP support.

What changes when?

  • Until March 15, 2026: Maximum 398 days
  • From March 15, 2026: Maximum 200 days
  • From March 15, 2027: Maximum 100 days
  • From March 15, 2029: Maximum 47 days
  • In addition: domain validation data may be reused for only 10 days starting in 2029

What does this mean for your organization?

Without automation, certificate management becomes nearly impossible. Expired certificates can lead to inaccessible websites, interrupted connections and reputational damage.

Therefore, now is the time to act:

  • Map which certificates are active
  • Implement automation tools such as ACME or commercial alternatives
  • Provide monitoring and notifications
  • Get setup and management support
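
To make the first and third steps concrete, the following added example (not part of the original article) checks a certificate inventory against the schedule under "What changes when?" and estimates how many issuances per year each host will need. The host names and dates are constructed, and renewing after two thirds of the lifetime is an assumed policy, not something the schedule prescribes.

```python
from datetime import date, timedelta
from math import ceil

# Schedule as listed in this article: (effective date, maximum validity in days).
CURRENT_MAX = 398
SCHEDULE = [(date(2026, 3, 15), 200), (date(2027, 3, 15), 100), (date(2029, 3, 15), 47)]

def max_validity(issued: date) -> int:
    """Maximum validity (days) for a certificate issued on the given date."""
    limit = CURRENT_MAX
    for effective, days in SCHEDULE:
        if issued >= effective:
            limit = days
    return limit

def renewals_per_year(limit_days: int) -> int:
    """Issuances per year when renewing after two thirds of the lifetime (assumed policy)."""
    return ceil(365 / (limit_days * 2 // 3))

def audit(inventory):
    """Check each (host, not_before, not_after) entry against the schedule."""
    report = []
    for host, not_before, not_after in inventory:
        lifetime = (not_after - not_before).days  # simplified: whole days only
        # Limit in force on the expiry date; a renewal done earlier may still
        # fall under the previous, longer limit.
        next_limit = max_validity(not_after)
        report.append({
            "host": host,
            "lifetime_days": lifetime,
            "within_limit_at_issue": lifetime <= max_validity(not_before),
            "replacement_max_days": next_limit,
            "renewals_per_year": renewals_per_year(next_limit),
        })
    return report

# Constructed sample inventory (hypothetical hosts and dates, not real certificates).
INVENTORY = [
    ("www.example.test", date(2025, 6, 1), date(2025, 6, 1) + timedelta(days=397)),
    ("api.example.test", date(2026, 4, 1), date(2026, 4, 1) + timedelta(days=365)),
    ("mail.example.test", date(2029, 4, 1), date(2029, 4, 1) + timedelta(days=47)),
]

if __name__ == "__main__":
    for row in audit(INVENTORY):
        print(row)
```

In a real inventory the `not_before` and `not_after` values would come from the certificates themselves; the second sample entry shows how a 365-day certificate issued after March 15, 2026 is flagged as exceeding the limit.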

Conclusion

The shortening of TLS certificate validity to just 47 days marks a major shift in how digital security is approached. Automation will soon no longer be a luxury, but a necessity. Companies that take steps toward automatic certificate renewal now not only avoid technical problems but also increase their resilience to security risks.