TLS Certificate Validity Period Officially Reduced to 47 Days


As part of our ongoing commitment to keeping you informed and secure, JNR Management Resources Pvt. Ltd., a DigiCert Certified Platinum Elite Partner, would like to bring to your attention a critical update regarding the validity period of TLS/SSL certificates. This change follows a recent decision by the Certificate Authority and Browser Forum (CA/B Forum) and affects all organizations that use digital certificates to secure their online presence.

What’s Changing?

The CA/Browser Forum has officially voted to shorten both the lifetime of TLS certificates and the reuse period for validation data. This phased rollout begins on March 15, 2026, and is designed to enhance internet security by reducing risks associated with outdated or compromised validation information.

The New TLS Certificate Lifetime Schedule

The newly approved ballot targets a maximum certificate validity of 47 days, making automation essential for all organizations. While Google previously advocated for a 90-day maximum, they quickly supported Apple’s proposal once the voting began.

Here’s the rollout schedule:

Date | Maximum Certificate Lifetime | Maximum Domain Validation Reuse Period
Until March 15, 2026 | 398 days | 398 days
From March 15, 2026 | 200 days | 200 days
From March 15, 2027 | 100 days | 100 days
From March 15, 2029 | 47 days | 10 days

Additionally, starting March 15, 2026, validations of Subject Identity Information (SII)—such as company name and other details in OV (Organization Validated) or EV (Extended Validation) certificates—can only be reused for 398 days, down from the previous 825 days. This change does not affect DV (Domain Validated) certificates, which do not include SII.

Why 47 Days?

The 47-day limit may seem unusual, but it’s based on a logical breakdown:

  • 200 days: 6 full months (184 days) + half a 30-day month (15 days) + 1 day

  • 100 days: 3 full months (92 days) + about a quarter of a 30-day month (7 days) + 1 day

  • 47 days: 1 full month (31 days) + half a 30-day month (15 days) + 1 day

Why It Matters

Apple, a key proponent of this ballot, emphasized that shorter certificate lifetimes:

  • Ensure certificate information remains current and trustworthy

  • Reduce reliance on unreliable revocation systems (like CRLs and OCSP)

  • Promote automation, which is now considered essential for secure, scalable certificate management

The ballot argues that shorter lifetimes are necessary for many reasons, the most prominent being this: The information in certificates becomes less trustworthy over time, and only frequent revalidation can maintain digital trust. Additionally, the current revocation systems are not always reliable, so shorter lifetimes help mitigate the risks of compromised certificates.

Clearing Up Confusion About the New Rules

There are two main points of confusion:

  • Timeline Gaps: The rule changes occur in 2026, 2027, and 2029, with a two-year gap between the last two changes.

  • Validation Reuse: By March 15, 2029, certificates will last 47 days, but domain validation can only be reused for 10 days. While manual revalidation is technically possible, it would be highly impractical and likely to cause outages.

A common question from customers is whether more frequent certificate replacements will increase costs. The answer is no—costs are based on annual subscriptions. In fact, once users adopt automation, many choose to replace certificates even more frequently for added security.

Because even the 2027 shift to 100-day certificates will make manual management unsustainable, widespread adoption of automation is expected well before the 2029 deadline.
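
To make the schedule and the validation-reuse point concrete, the following added example (not code from JNR, DigiCert or the CA/B Forum) counts how many issuances and fresh domain validations one hostname needs in each phase. It assumes the rule in force on the issuance date applies, that lifetimes are counted in whole days, and that renewal happens after two thirds of the maximum lifetime; the function names are hypothetical.

```python
from datetime import date, timedelta

# Schedule from the table on this page, newest rule first:
# (effective date, max certificate lifetime, max domain validation reuse), in days.
SCHEDULE = [
    (date(2029, 3, 15), 47, 10),
    (date(2027, 3, 15), 100, 100),
    (date(2026, 3, 15), 200, 200),
    (date.min, 398, 398),
]

def limits_on(issued):
    """Return (max_lifetime_days, max_dcv_reuse_days) for a certificate issued on `issued`."""
    # Assumption: the rule in force on the issuance date is the one that applies.
    return next((life, reuse) for start, life, reuse in SCHEDULE if issued >= start)

def exceeds_limit(not_before, not_after):
    """True if the validity span is longer than allowed for its issuance date (whole days)."""
    return (not_after - not_before).days > limits_on(not_before)[0]

def simulate(start, end):
    """Walk renewals in [start, end); return {year: [issuances, fresh_domain_validations]}."""
    per_year, issued, last_dcv = {}, start, None
    while issued < end:
        lifetime, reuse = limits_on(issued)
        # A new domain validation is needed once the previous one is outside the reuse window.
        fresh = last_dcv is None or (issued - last_dcv).days > reuse
        if fresh:
            last_dcv = issued
        counts = per_year.setdefault(issued.year, [0, 0])
        counts[0] += 1
        counts[1] += int(fresh)
        # Assumption: renew after two thirds of the maximum lifetime has elapsed.
        issued += timedelta(days=lifetime * 2 // 3)
    return per_year

if __name__ == "__main__":
    # Constructed planning window: one hostname, tracked across every phase of the rollout.
    for year, (issued, validated) in sorted(simulate(date(2026, 3, 15), date(2030, 3, 15)).items()):
        print(f"{year}: {issued} issuances, {validated} fresh domain validations")
```

Under the 47-day rule the assumed 31-day renewal cadence is longer than the 10-day reuse window, so every issuance carries its own domain validation.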

What Should You Do?

Organizations must prepare to:

  • Implement certificate automation tools like DigiCert Trust Lifecycle Manager to handle renewals efficiently

  • Review existing infrastructure and processes to accommodate shorter certificate cycles

  • Engage with your certificate provider or security partner for planning and support

As your trusted cybersecurity advisor, JNR is here to help you seamlessly transition to this new model. If you require support with automation or certificate management strategy, please don’t hesitate to reach out.

Stay secure,
Team JNR