Blog Post Jan 31, 2025

The push for 47-day certificates: a win for digital security and trust

By 2028, SSL/TLS certificate lifecycles may be cut down to just 47 days - a dramatic shift from the current 398-day maximum. Apple’s recent ballot submission to the CA/Browser Forum proposes this change, and it’s gaining traction among industry leaders, including Sectigo. While some enterprises may see this as an operational burden, the reality is clear: shorter certificate lifespans are a necessary and positive step for digital security and trust.

The security rationale for shorter lifespans

Over the past decade, SSL/TLS certificate lifespans have been steadily shrinking, moving from multi-year certificates to the current 398-day maximum. The reasoning behind these reductions is straightforward: shorter-lived certificates significantly improve security by reducing the window of exposure for compromised credentials.

A certificate that remains valid for years represents a long-standing potential point of failure. If compromised, it can be exploited for extended periods before detection. Shortening certificate lifespans reduces this risk, forcing frequent renewals that help ensure cryptographic integrity and prevent outdated or vulnerable certificates from persisting in the ecosystem.

Moreover, shorter lifespans contribute to better crypto agility. With evolving cryptographic standards and emerging threats - such as those posed by quantum computing - organizations need the ability to adapt swiftly. A 47-day certificate lifespan ensures that businesses remain agile, implementing necessary cryptographic updates more rapidly than they would under a longer renewal cycle.

Operational impact: challenge or opportunity?

Critics argue that shorter certificate lifespans increase operational complexity, particularly for organizations still relying on manual processes for certificate management. The reality is that a 47-day renewal cycle would be virtually impossible to maintain manually at scale. However, this shift is not just about reducing risk - it’s also a call to action for organizations to embrace automation.

Automated Certificate Lifecycle Management (CLM) solutions, such as those leveraging the ACME (Automated Certificate Management Environment) protocol, eliminate the risk of service disruptions due to expired certificates. Rather than burdening IT teams with constant renewals, automation ensures seamless, hands-free certificate deployment and renewal. Organizations that proactively implement these solutions will find themselves ahead of the curve, not only complying with the new requirements but also enhancing their overall security posture.
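To make the operational point concrete, the following added example (not code from Sectigo or from any ACME client) audits a certificate inventory against the 47-day limit and decides when each certificate is due for renewal. The inventory is constructed sample data, the field names follow what Python's `ssl.getpeercert()` returns, and the renew-at-two-thirds-of-lifetime threshold is an assumption chosen so the same rule works for 398-day and 47-day certificates alike.

```python
import ssl
from datetime import datetime, timezone

MAX_VALIDITY_DAYS = 47   # limit proposed in the ballot discussed above
RENEW_FRACTION = 2 / 3   # assumption: renew once two-thirds of the lifetime has elapsed

# Constructed sample inventory; date strings use the ssl.getpeercert() format.
INVENTORY = [
    {"name": "legacy.example.test", "notBefore": "Jan  1 00:00:00 2025 GMT",
     "notAfter": "Feb  3 00:00:00 2026 GMT"},   # 398-day certificate
    {"name": "short.example.test", "notBefore": "Jun  1 00:00:00 2025 GMT",
     "notAfter": "Jul 18 00:00:00 2025 GMT"},   # 47-day certificate
    {"name": "missed.example.test", "notBefore": "May  1 00:00:00 2025 GMT",
     "notAfter": "Jun 17 00:00:00 2025 GMT"},   # 47-day certificate, never renewed
]
SAMPLE_NOW = datetime(2025, 7, 5, tzinfo=timezone.utc)  # constructed audit time

def _ts(cert_time):
    """Convert a certificate time string to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)

def audit(cert, now, max_days=MAX_VALIDITY_DAYS, renew_fraction=RENEW_FRACTION):
    """Classify one certificate: policy compliance and renewal status."""
    not_before, not_after = _ts(cert["notBefore"]), _ts(cert["notAfter"])
    lifetime = not_after - not_before
    # Lifetime-relative threshold: a fixed "N days before expiry" rule tuned
    # for 398-day certificates does not carry over to 47-day ones.
    renew_at = not_before + lifetime * renew_fraction
    if now >= not_after:
        status = "expired"
    elif now >= renew_at:
        status = "renew"
    else:
        status = "ok"
    return {"name": cert["name"],
            "lifetime_days": round(lifetime.total_seconds() / 86400, 1),
            "over_limit": lifetime.total_seconds() > max_days * 86400,
            "renew_at": renew_at, "status": status}

def audit_inventory(inventory, now):
    return [audit(cert, now) for cert in inventory]

def renewals_per_year(lifetime_days, renew_fraction=RENEW_FRACTION):
    """Renewals each certificate needs per year under the threshold above."""
    return 365 / (lifetime_days * renew_fraction)

if __name__ == "__main__":
    for row in audit_inventory(INVENTORY, SAMPLE_NOW):
        print(row["name"], row["lifetime_days"], row["over_limit"], row["status"])
    print(round(renewals_per_year(398), 1), "->", round(renewals_per_year(47), 1))
```

Under these assumptions each certificate goes from roughly 1.4 renewals a year at 398 days to roughly 11.6 at 47 days, which is the workload the paragraph above argues cannot be carried manually at scale.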

Apple’s phased approach

A sudden shift to 47-day certificates would be a significant disruption. Recognizing this, Apple’s proposal follows a phased approach, gradually decreasing certificate lifespans over time. This strategy provides organizations with ample time to adapt, giving them a structured roadmap to update their infrastructure and implement necessary automation.

This approach isn’t just pragmatic - it’s necessary. Enterprises need time to shift from legacy systems to modern CLM platforms, educate their IT teams, and ensure compliance with evolving standards. By gradually stepping down certificate lifespans, Apple is encouraging meaningful security improvements while allowing for a manageable transition.

Preparing for a more secure web

The transition to shorter certificate lifespans is not just an incremental security enhancement - it’s a fundamental shift in how organizations approach digital trust. It signals a move toward a fully automated future, where certificate management is no longer a point of friction but a seamless, integrated security function.

Enterprises that embrace automation today will be well-positioned for tomorrow’s security landscape. Those that resist will find themselves struggling to keep up - not just with SSL/TLS changes, but with broader shifts in cybersecurity best practices.

Ultimately, the move to 47-day SSL/TLS certificate lifespans is a win for security, agility, and trust. It reinforces the necessity of automation, strengthens defenses against evolving threats, and ensures that the digital ecosystem remains resilient in an era of rapid technological change. Additionally, by normalizing frequent cryptographic updates, this shift lays the groundwork for even larger transformations, such as the transition to post-quantum cryptography (PQC). As PQC adoption becomes critical in the face of emerging quantum threats, organizations that have embraced shorter certificate lifespans and automation will be better equipped to make that transition smoothly and securely.
