The 47‑Day SSL/TLS Certificate Era Is Coming

# ssl# website# tls# webdev
The 47‑Day SSL/TLS Certificate Era Is ComingThomas

The SSL/TLS ecosystem is heading toward one of its biggest shifts yet. After years of steadily...

The SSL/TLS ecosystem is heading toward one of its biggest shifts yet. After years of steadily shrinking certificate lifetimes, the CA/Browser Forum has approved a phased reduction that will bring public TLS certificates down to a maximum validity of 47 days.
This isn’t just a rumor - it’s now backed by major CAs like DigiCert and GlobalSign, and reporting from BleepingComputer highlights how the timeline is expected to unfold. By 2029, the 47‑day era will be the new normal.

Why Certificate Lifetimes Are Shrinking

Across all sources, the motivations are consistent:

  • Stronger security posture Shorter lifetimes reduce the exposure window if a certificate or private key is compromised.
  • Faster adoption of new standards When cryptographic algorithms or validation rules change, shorter lifetimes ensure the web updates quickly.
  • Automation is now mature ACME has become widely supported, making frequent renewals feasible — even expected. GlobalSign emphasizes this point strongly: the industry is no longer designing around manual renewals. Automation is the baseline assumption.

The Phased Timeline (Across All Sources)

Here’s the consolidated timeline based on DigiCert, GlobalSign

SSL/TLS Timeline

What GlobalSign Adds to the Conversation

GlobalSign’s article is especially valuable because it focuses on operational readiness, not just policy changes. A few standout points:

  1. This is a business change, not just a technical one Shorter lifetimes affect procurement, compliance, monitoring, and internal processes — not just DevOps pipelines.
  2. Domain validation reuse windows are shrinking too DigiCert notes that domain/IP validation reuse drops from 398 days to 10 days. GlobalSign highlights how this will force organizations to rethink validation workflows.
  3. Special cases and exemptions will exist — but they’re narrow Some enterprise use cases may have transitional exceptions, but they won’t be long‑term escape hatches.
  4. Automation isn’t optional anymore GlobalSign is blunt: organizations that haven’t automated certificate issuance and renewal will struggle to operate in a 47‑day world.

The Bottom Line

The move to 47‑day certificates is part of a broader shift toward a more secure, more automated web. It may feel like a hassle, but it’s ultimately a win for reliability and security. And if it means fewer “our certificate expired” outages, that’s something every developer can celebrate.

If you want to check your expiration date on your blog/website, I have a written a post about a free SSL tool, that I use a lot.