In April 2025, the CA/Browser Forum, a voluntary consortium of public CAs, browser vendors, and other industry stakeholders that develop and promote security standards and best practices for digital certificates and Public Key Infrastructure (PKI), approved a ballot measure reducing the current maximum lifetime of public TLS certificates to 47 days.
Why Is This Happening?
The reduction continues the long-term trend of shortening certificate lifetimes by public Certification Authorities (CAs), following the move from multi-year certificates to the 398-day limit. Reduced certificate lifetimes ensure cryptographic agility on the Internet, which will be crucial during the transition to post-quantum cryptography. In addition, shorter validity periods limit the exposure window for compromised or misissued certificates and reduce the time window during which stale validation data can be reused. Further, short-lived certificates reduce or eliminate the need for certificate revocation.
Implications
A 47-day maximum equates to roughly 7–8 renewal cycles per year per certificate. For organizations managing hundreds or thousands of public-facing TLS endpoints, this increases operational cadence, with renewal windows tightening significantly. Organizations must move to fully automated enrollment and renewal processes for workloads requiring public TLS certificates.
Implementation Timeline
The good news for administrators managing workloads with public TLS certificates is that they won’t have to worry about this right away. The reduction in the maximum certificate lifetime to 47 days occurs gradually over a few years. Here’s the timeline.
- March 15, 2026 – 200 days
- March 15, 2027 – 100 days
- March 15, 2029 – 47 days
Summary
With public TLS certificate lifetimes reduced to 47 days, administrators must automate enrollment and renewal processes for public-facing TLS services. There are numerous ways to accomplish this across platforms such as Windows, Linux, Azure, and more. If you’d like professional assistance with implementing TLS certificate automation solutions, or you simply want to learn more about your options, fill out the contact form below, and I’ll respond with more information.
Additional Information
CA/Browser Forum Ballot SC081V3
Always On VPN SSTP and 47-Dya Public TLS Certificates
