CertKit

In April 2025, the CA/Browser Forum approved a ballot to reduce the maximum lifetime of public TLS certificates to just 47 days. This change, driven by browser vendors and public CAs, marks another major shift in how certificates are issued and managed.

Why Is This Happening?

The reduction continues the long-term trend of shortening certificate lifetimes by public Certification Authorities (CAs), following the move from multi-year certificates to the 398-day limit. Shorter certificate lifetimes improve cryptographic agility, which is critical as the industry transitions to post-quantum cryptography. In addition, shorter validity periods limit the exposure window for compromised or misissued certificates and reduce the time window during which stale validation data can be reused. Further, short-lived certificates reduce or eliminate the need for certificate revocation.

Implications

A 47-day lifetime means 7–8 renewals per year, per certificate. For organizations managing hundreds or thousands of public-facing TLS endpoints, this significantly increases operational overhead, as renewal windows tighten. Organizations must move to fully automated enrollment and renewal processes for workloads requiring public TLS certificates.

Introducing CertKit

To keep up with this new reality, organizations will need reliable, fully automated certificate lifecycle management. CertKit is an automated certificate lifecycle management service designed to handle public TLS certificate enrollment using Let’s Encrypt, Google Trust Services, and more. CertKit takes the pain out of TLS certificate management by fully automating the entire certificate lifecycle: discovery, issuance, renewal, deployment, and verification. It provides centralized management and visibility for all your public assets using TLS, including services not managed by CertKit.

How CertKit Works

CertKit automates the entire certificate lifecycle from discovery to deployment.

  • Discovery – Automatically finds all your certificates via Certificate Transparency (CT) logs.
  • Issuance & Renewal – Today, CertKit supports Let’s Encrypt and Google Trust Services for free wildcard, single domain, and multi-domain certificates. Once configured, certificates renew automatically.
  • Deployment – A lightweight CertKit Agent, which is available for Windows, Linux, and Docker, securely deploys certificates to your servers and infrastructure. Workloads such as IIS, Terminal Services (RDP), DirectAccess, and Routing and Remote Access Service (RRAS) SSTP are automatically discovered and configured.
  • Verification & Monitoring – Real-time monitoring, expiration alerts, and full audit trails ensure nothing slips through the cracks.
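The discovery and monitoring steps above rest on one idea: Certificate Transparency logs record every publicly trusted certificate, so an inventory can be built from CT data rather than from what the team remembers deploying. The following is an added example, not CertKit's code; it parses constructed records in the shape of a CT-log search result (field names modelled on crt.sh's JSON output, which is an assumption), keeps the newest certificate per hostname, and flags hosts that need renewal or have already expired.

```python
import datetime as dt
import json

# Constructed sample: three CT records. Records 1 and 2 cover the same hosts
# (an old certificate and its renewal); record 3 is a host nobody remembered
# was still exposed. Field names follow crt.sh's JSON output (assumed).
SAMPLE_CT_JSON = """[
  {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
   "name_value": "www.example.com\\nexample.com",
   "not_before": "2025-03-01T00:00:00", "not_after": "2025-05-30T00:00:00"},
  {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
   "name_value": "www.example.com\\nexample.com",
   "not_before": "2025-05-15T00:00:00", "not_after": "2025-08-13T00:00:00"},
  {"id": 3, "issuer_name": "C=US, O=Google Trust Services, CN=WE1",
   "name_value": "legacy-vpn.example.com",
   "not_before": "2025-04-01T00:00:00", "not_after": "2025-06-30T00:00:00"}
]"""


def parse_ct_records(raw_json):
    """Turn CT search output into records with a normalised set of hostnames."""
    records = []
    for rec in json.loads(raw_json):
        # name_value lists every SAN, one per line; normalise case and whitespace.
        names = {n.strip().lower() for n in rec["name_value"].split("\n") if n.strip()}
        records.append({
            "id": rec["id"],
            "issuer": rec["issuer_name"],
            "names": names,
            "not_after": dt.datetime.fromisoformat(rec["not_after"]),
        })
    return records


def current_cert_per_host(records):
    """For each hostname keep only the certificate with the latest expiry."""
    latest = {}
    for rec in records:
        for name in rec["names"]:
            if name not in latest or rec["not_after"] > latest[name]["not_after"]:
                latest[name] = rec
    return latest


def triage(latest, now, warn_days=14):
    """Classify every host as OK, RENEW_NOW or EXPIRED relative to `now`."""
    report = {}
    for name, rec in sorted(latest.items()):
        days_left = (rec["not_after"] - now).days
        if days_left < 0:
            status = "EXPIRED"
        elif days_left <= warn_days:
            status = "RENEW_NOW"
        else:
            status = "OK"
        report[name] = {"days_left": days_left, "status": status,
                        "issuer": rec["issuer"], "ct_id": rec["id"]}
    return report


def inventory_report(raw_json, now, warn_days=14):
    """Full pipeline: CT JSON -> newest cert per host -> expiry triage."""
    return triage(current_cert_per_host(parse_ct_records(raw_json)), now, warn_days)


if __name__ == "__main__":
    # Constructed "today" so the run is reproducible offline.
    for host, info in inventory_report(SAMPLE_CT_JSON, dt.datetime(2025, 6, 20)).items():
        print(f"{info['status']:10} {info['days_left']:4}d  {host}  (CT id {info['ct_id']})")
```

With 47-day certificates the warning threshold deserves thought: `warn_days=14` leaves roughly a third of the lifetime to fix a broken renewal, which is the margin most ACME clients already aim for by renewing at two thirds of validity.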

Easy to Use

CertKit simplifies DNS validation by eliminating the need for API integrations, custom scripts, or shared credentials. Your public DNS provider does not need to support API access at all, so there is no custom coding and no complex secret management. CertKit uses delegated DNS validation via CNAME records, so you never have to share sensitive DNS credentials.
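Delegated DNS validation works because the ACME DNS-01 challenge follows CNAMEs: the domain owner publishes one static CNAME from `_acme-challenge.<domain>` into a zone the validation service controls, and the per-renewal TXT records are written there instead of in the production zone. The example below is added here and is not CertKit's code; it implements the RFC 8555 §8.4 key-authorization digest and the RFC 7638 JWK thumbprint it depends on, then runs a preflight check against a constructed in-memory zone (the delegated zone name `validation.example.net`, the account key and the token are all made-up values) to confirm that the CNAME lands in the expected zone and that the published TXT value matches.

```python
import base64
import hashlib
import json


def b64url(data):
    """base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: required public members only, sorted keys, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token, account_jwk):
    """RFC 8555 s8.4: TXT value is base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def resolve_txt(name, zone, max_hops=8):
    """Follow CNAMEs the way a CA's validator does; return (final_name, txt_values, chain)."""
    chain = [name]
    for _ in range(max_hops):
        rrset = zone.get(name, {})
        if "CNAME" in rrset:
            name = rrset["CNAME"]
            if name in chain:
                raise ValueError("CNAME loop: " + " -> ".join(chain + [name]))
            chain.append(name)
            continue
        return name, list(rrset.get("TXT", [])), chain
    raise ValueError("too many CNAME hops")


def check_delegated_validation(domain, token, account_jwk, zone, delegated_zone):
    """Preflight: does _acme-challenge.<domain> delegate into the expected zone
    and carry the TXT value the CA will look for?"""
    label = f"_acme-challenge.{domain}."
    try:
        final_name, txt_values, chain = resolve_txt(label, zone)
    except ValueError as exc:
        return {"error": str(exc), "delegated": False, "token_present": False}
    return {
        "delegated": final_name != label and final_name.endswith("." + delegated_zone + "."),
        "token_present": dns01_txt_value(token, account_jwk) in txt_values,
        "chain": chain,
    }


# Constructed values: a made-up account key (the "use" member is deliberately
# present to show the thumbprint ignores it), a made-up token, and a made-up
# delegated zone standing in for whatever zone a validation service runs.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "CONSTRUCTED_X", "y": "CONSTRUCTED_Y",
               "use": "sig"}
TOKEN = "constructed-token-abc123"
DELEGATED_ZONE = "validation.example.net"

# Constructed in-memory zone data standing in for live DNS answers.
SAMPLE_ZONE = {
    # Correctly delegated host: one static CNAME, TXT lives in the delegated zone.
    "_acme-challenge.example.com.": {"CNAME": "_acme-challenge.example.com.validation.example.net."},
    "_acme-challenge.example.com.validation.example.net.": {"TXT": [dns01_txt_value(TOKEN, ACCOUNT_JWK)]},
    # Host whose CNAME was never created: only a stale TXT in the production zone.
    "_acme-challenge.legacy.example.com.": {"TXT": ["stale-value-from-last-year"]},
    # Misconfigured pair of CNAMEs pointing at each other.
    "_acme-challenge.loop.example.com.": {"CNAME": "_acme-challenge.loop2.example.com."},
    "_acme-challenge.loop2.example.com.": {"CNAME": "_acme-challenge.loop.example.com."},
}

if __name__ == "__main__":
    for host in ("example.com", "legacy.example.com", "loop.example.com"):
        print(host, check_delegated_validation(host, TOKEN, ACCOUNT_JWK, SAMPLE_ZONE, DELEGATED_ZONE))
```

The check reports two things separately on purpose: `delegated` tells you the one-time CNAME is in place (the only change ever needed in the production zone), while `token_present` tells you the service has written the current challenge into its own zone. A host that fails the first will keep failing every 47-day renewal until someone adds the CNAME; a host that fails only the second points at the validation side.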

Key Benefits

CertKit simplifies certificate management while reducing cost and operational risk.

  • No more manual certificate enrollment and installation.
  • Significant cost savings by leveraging free Let’s Encrypt or Google Trust Services certificates.
  • Vendor-agnostic deployment with broad compatibility.
  • Simple automation with reliable results.
  • No more 2:00 AM calls or emergency fire drills because of an expired certificate.

Pricing

Pricing is flexible, with a free 90-day trial (no credit card required), a community plan for home labs, and paid tiers for business use. Visit https://www.certkit.io/pricing for more details.

Get Started with CertKit

If you’re tired of managing certificate sprawl and dealing with unexpected expirations, CertKit can help. With 47-day certificate lifetimes on the horizon, automation is no longer optional; it’s essential.

Start your free trial today at https://certkit.io.

Want to see how CertKit integrates with Microsoft workloads like IIS, RDP, DirectAccess, or Always On VPN? Fill out the form below, and I’ll follow up with more details.