The first stepdown to 200-day certificate lifespans is on March 15, 2026, with 100-day lifespans in March 2027, and 47-day lifespans in March 2029 to follow. Automation is now imperative to business continuity, security, and crypto agility.
The approved CA/B Forum measure will gradually reduce certificate lifespans from the current 398 days to 47 days through a phased approach.
Ballot SC-081v3 formally passed on April 11th, 2025, putting the phased reduction into effect with the following enforcement dates:
This change marks a turning point for digital certificate management. Organizations will now need to renew certificates nearly every month, an unsustainable pace without an automated solution.
With public certificates needing renewal every 200 days, as opposed to the current 398-day term, businesses will soon face renewal cycles every 6 months, effectively doubling the workload for IT and security teams.
The time to automate isn’t in 2029. Businesses need to begin preparing now by moving to an automated certificate lifecycle solution before shorter lifespans are implemented.
The shift to 47-day lifespans will dramatically increase the operational workload, leading to:
Shorter lifespans mean renewals happen constantly. Manual tracking will make missed expirations almost inevitable, leading to outages and lost trust.
Managing certificates every few weeks instead of every few months turns a background task into a full-time operational burden, draining engineering time and slowing down high-value work.
Lapsed or misconfigured certificates can expose systems to outages, breaches, or compliance violations. These are all risks that multiply as renewal cycles accelerate.
According to Security Magazine, nearly three-quarters (72%) of organizations have suffered at least one certificate-related outage in the past year, with 67% experiencing outages monthly and 45% weekly. Certificate outages happen when digital certificates expire or become invalid, causing security and operational issues. Certificate Lifecycle Management (CLM) prevents this by ensuring certificates are always up-to-date. By automating CLM, Sectigo helps organizations prevent certificate outages, ensuring business continuity, security, and customer trust.
Here are recent certificate outages that made headlines:
When a certificate expires, browsers warn users their connection isn’t private and they leave. Instantly. Trust is lost, conversions drop, and your brand takes a hit.
With 47-day certificates, the margin for error shrinks from months to weeks, making even small renewal delays costly.
And the risk goes beyond lost traffic: missed renewals can trigger outages, security breaches, service disruptions, and expensive compliance fines.
Carry out a full SSL/TLS certificate discovery for an inventory of both internal and external certificates.
Compile a comprehensive list of vendor technologies that require those certificates to function.
Identify the relevant automation protocols for each technology in your inventory.
Build your deployment plan around key milestones, starting with 200 days in 2026 and reaching 47-day certificates by 2029.
Ensure long-term security and agility for continuous cryptographic readiness.
Shortened certificate lifespans are here, and with good reason: quantum computing will change everything, and present-day security needs to adapt to prepare. This eBook gives you practical insight into the world of quantum computing, the latest compliance standards and updates, and how to move forward and achieve crypto agility before the post-quantum era.
In its ballot to shorten maximum TLS certificate term, Apple chose a 47-day maximum certificate lifespan to tighten the security of the TLS ecosystem. Shorter certificate validity limits the window in which a compromised or misissued certificate can cause harm. The 47-day period is likely a balance between practical automation cycles and security enforcement, allowing organizations to renew certificates roughly monthly while ensuring frequent rotation.
The first step down to 200-day certificates will be on March 15, 2026. The next date is March 15, 2027 for 100-day certificates, and finally, 47-day certificates on March 15, 2029.
However, experts expect that lifespans will only get shorter as quantum computing becomes the industry norm.
Yes. What was once a nice-to-have is now imperative to ensure business continuity, compliance, and uptime. Certificate lifecycle management is not a primary concern today of your IT teams; by the end of 2026, managing certificates manually will be a major task that no IT team has the bandwidth for.
While not directly tied to quantum computing, the push for shorter certificate lifespans aligns with broader efforts to prepare for the postquantum cryptography era. While postquantum cryptography is being developed to resist quantum attacks, the adoption will take time, and shorter certificate lifespans means organizations can be crypto-agile as quantum-safe certificates become available. Frequent certificate rotation makes it easier to transition to new cryptographic algorithms and minimize exposure if current algorithms are broken by quantum advancements.
This change applies only to publicly trusted TLS certificates, i.e., certificates chaining to a root CA trusted by Apple’s platforms. It does not apply to certificates issued by private or internal CAs that are manually installed or used within controlled enterprise environments.
Manual processes break at shorter certificate lifecycles primarily due to human error. With hundreds, or sometimes thousands of certificates in an organization’s inventory, a once-background task now becomes a priority that no one is prepared for. If a renewal slips through the cracks or is forgotten, the organization can be taken offline or face compliance failures.
Domain Control Validation (DCV) is used by Certificate Authorities before issuing an SSL certificate to verify the person making the request is in fact authorized to use the domain related to that request. This is a crucial component of the SSL/TLS process; without DCV, certificates cannot be issued or deployed. DCV still must happen before new certificate issuance, even for short-lived certificates.
In addition to the certificate lifespan timeline mentioned previously, businesses and enterprises planning for 47-day lifespans will want to be cognizant of how these same dates will affect DCV reuse periods:
Sectigo BlogAutomation is essential for transport and logistics organizations to prevent outages and secure operations as SSL certificates shrink to 47-day lifecycles.
Sectigo BlogSLED agencies must automate certificates before the 47-day SSL era to avoid outages, noncompliance, and rising cyber risk.
