Navigating the 47-Day SSL/TLS Certificate Validity Era

mooreds1 pts0 comments

A Complete 47-day SSL/TLS Certificate Validity Q&A

-->

GlobalSign Blog

Navigating the 47-Day SSL/TLS Certificate Validity Era: A Complete Q&A Guide for Businesses

Filter Blog Posts

Latest Posts

-->

Latest Posts

Solutions

Certificate Automation

Trusted Identities

Certificate Management

Code Signing

Digital Signatures

Email Security

Internet of Things

Partners

SSL/TLS

Qualified Trust

ACME

Industry

DevOps

Healthcare

Financial

Government

AEC

Energy

Insurance

Automotive

Aerospace

Security News

-->

Search Blog

August 01, 2025

Steven Hall

Over the years, I’ve watched as SSL / TLS certificate validity periods have steadily shortened, each change pushing us toward stronger security practices. Now, with the Certificate Authority/Browser (CA/B) Forum’s latest decision to reduce certificate lifespans to just 47 days by 2029, we’re standing at the edge of another major shift, one that will dramatically change how we manage and maintain certificates moving forward.

Understanding the Change

Timeline and Technical Details

Business Impact

Automation and Solutions

Special Cases and Exemptions

Strategic Readiness

Future Proofing

Understanding the Change

What is the 47 Day Certificate Validity Rule?

Right now, public SSL / TLS certificates max out at 398 days. But in April 2025, Apple’s proposal to reduce this gradually down to 47 days was officially adopted by the CA/B Forum, with all four major browser vendors—Apple, Google, Mozilla, and Microsoft—voting in favor.

This also includes a reduction in the Domain Control Validation (DCV) reuse period, which will drop to just 10 days by March 2029. That means organizations will need to validate domains more frequently tightening the timeline across the entire certificate lifecycle.

Why is This Happening?

It might seem like a lot of hassle just to make certificates expire more often, but there’s a solid reason behind this shift. Here’s why it’s happening:

Reducing the Risk of Compromised Certificates: Longer-lived certificates present a bigger window of vulnerability. If a certificate is compromised, attackers can misuse it for far longer. By shortening certificate validity, the risk of these long-lived certificates being exploited is drastically reduced.

Pushing for Automation: The new rule is also a big nudge toward automation. With certificates expiring so frequently, manual renewals just aren’t going to cut it anymore. This is the CA/B Forum’s way of driving the industry toward more efficient, automated workflows that reduce human error and improve overall security.

Keeping Systems Agile: In the event of a breach or other security concerns, you want your system to respond quickly. Shorter lifespans mean that compromised certificates are cycled out faster, improving the agility of your security posture and minimizing damage.

Getting Ready for a Post-Quantum World: Another reason for the shorter validity periods? The world of cryptography is evolving. With quantum computing on the horizon, we're going to need systems that can rapidly adapt. Frequent renewals give us the flexibility to quickly roll out updates—especially as we prepare for post-quantum cryptography.

Essentially, these changes are all about tightening security and paving the way for automation. While it may feel like a headache for IT teams, the Forum believes that the changes will be a net benefit for internet security and safety.

Timeline and Technical Details

What is the Timeline for the Decrease in SSL/TLS Validity Changes?

The dates for implementation are as follows:

What’s the Difference Between Certificate Lifetime and Domain Validation Reuse?

At first glance, these terms can seem a bit technical, but they’re actually pretty straightforward once you break them down:

Certificate Lifetime refers to how long an SSL/TLS certificate is valid after it’s issued. Right now, certificates can last up to 398 days, but with the upcoming changes, they’ll expire much sooner, down to just 47 days by 2029.

Domain Validation Reuse is about how long a Certificate Authority (CA) can use the same proof that you own or control a domain before it needs to verify it again. Currently, the reuse period can be up to 398 days, but by 2029, that will shrink to just 10 days.

To put it more simply:

The certificate lifetime is about how long your certificate itself is valid.

Domain validation reuse is about how long the CA can rely on your proof of domain ownership before asking you to confirm it again.

By 2029, the 47-day certificate lifespan will mean that your certificate will expire faster, and with the 10-day domain validation reuse period, you’ll need to validate your domain much more often. This is where automation really starts to come into play, doing it manually just won’t be feasible anymore.

Business Impact

How Will This Affect my Organization?

If you manage certificates...

certificate rsquo certificates validity security days

Related Articles