A Complete 47-day SSL/TLS Certificate Validity Q&A
-->
GlobalSign Blog
Navigating the 47-Day SSL/TLS Certificate Validity Era: A Complete Q&A Guide for Businesses
Filter Blog Posts
Latest Posts
-->
Latest Posts
Solutions
Certificate Automation
Trusted Identities
Certificate Management
Code Signing
Digital Signatures
Email Security
Internet of Things
Partners
SSL/TLS
Qualified Trust
ACME
Industry
DevOps
Healthcare
Financial
Government
AEC
Energy
Insurance
Automotive
Aerospace
Security News
-->
Search Blog
August 01, 2025
Steven Hall
Over the years, I’ve watched as SSL / TLS certificate validity periods have steadily shortened, each change pushing us toward stronger security practices. Now, with the Certificate Authority/Browser (CA/B) Forum’s latest decision to reduce certificate lifespans to just 47 days by 2029, we’re standing at the edge of another major shift, one that will dramatically change how we manage and maintain certificates moving forward.
Understanding the Change
Timeline and Technical Details
Business Impact
Automation and Solutions
Special Cases and Exemptions
Strategic Readiness
Future Proofing
Understanding the Change
What is the 47 Day Certificate Validity Rule?
Right now, public SSL / TLS certificates max out at 398 days. But in April 2025, Apple’s proposal to reduce this gradually down to 47 days was officially adopted by the CA/B Forum, with all four major browser vendors—Apple, Google, Mozilla, and Microsoft—voting in favor.
This also includes a reduction in the Domain Control Validation (DCV) reuse period, which will drop to just 10 days by March 2029. That means organizations will need to validate domains more frequently tightening the timeline across the entire certificate lifecycle.
Why is This Happening?
It might seem like a lot of hassle just to make certificates expire more often, but there’s a solid reason behind this shift. Here’s why it’s happening:
Reducing the Risk of Compromised Certificates: Longer-lived certificates present a bigger window of vulnerability. If a certificate is compromised, attackers can misuse it for far longer. By shortening certificate validity, the risk of these long-lived certificates being exploited is drastically reduced.
Pushing for Automation: The new rule is also a big nudge toward automation. With certificates expiring so frequently, manual renewals just aren’t going to cut it anymore. This is the CA/B Forum’s way of driving the industry toward more efficient, automated workflows that reduce human error and improve overall security.
Keeping Systems Agile: In the event of a breach or other security concerns, you want your system to respond quickly. Shorter lifespans mean that compromised certificates are cycled out faster, improving the agility of your security posture and minimizing damage.
Getting Ready for a Post-Quantum World: Another reason for the shorter validity periods? The world of cryptography is evolving. With quantum computing on the horizon, we're going to need systems that can rapidly adapt. Frequent renewals give us the flexibility to quickly roll out updates—especially as we prepare for post-quantum cryptography.
Essentially, these changes are all about tightening security and paving the way for automation. While it may feel like a headache for IT teams, the Forum believes that the changes will be a net benefit for internet security and safety.
Timeline and Technical Details
What is the Timeline for the Decrease in SSL/TLS Validity Changes?
The dates for implementation are as follows:
What’s the Difference Between Certificate Lifetime and Domain Validation Reuse?
At first glance, these terms can seem a bit technical, but they’re actually pretty straightforward once you break them down:
Certificate Lifetime refers to how long an SSL/TLS certificate is valid after it’s issued. Right now, certificates can last up to 398 days, but with the upcoming changes, they’ll expire much sooner, down to just 47 days by 2029.
Domain Validation Reuse is about how long a Certificate Authority (CA) can use the same proof that you own or control a domain before it needs to verify it again. Currently, the reuse period can be up to 398 days, but by 2029, that will shrink to just 10 days.
To put it more simply:
The certificate lifetime is about how long your certificate itself is valid.
Domain validation reuse is about how long the CA can rely on your proof of domain ownership before asking you to confirm it again.
By 2029, the 47-day certificate lifespan will mean that your certificate will expire faster, and with the 10-day domain validation reuse period, you’ll need to validate your domain much more often. This is where automation really starts to come into play, doing it manually just won’t be feasible anymore.
Business Impact
How Will This Affect my Organization?
If you manage certificates...