In a significant move to enhance digital security, the CA/Browser Forum has voted to reduce the maximum lifespan of new SSL and TLS certificates to just 47 days by March 15, 2029. Currently, these certificates can be valid for up to 398 days, but the change aims to minimize the risks associated with compromised certificates. The proposal, which received unanimous support from major tech companies like Apple, Google, Microsoft, and Mozilla, is part of a phased approach. Certificates issued after March 15, 2026, will need to be renewed every 200 days, decreasing to 100 days by March 15, 2027. The initiative is backed by Tim Callan, chief compliance officer at Sectigo, who emphasizes the need for agility and proactive risk management in today’s evolving threat landscape. This decision underscores a collective commitment to improving trust and security across the digital ecosystem.
Why do we care?
Certificate management must be automated and integrated. Manual renewal processes—or even semi-automated ones—won’t scale to a 47-day cycle. MSPs need to deploy or resell solutions that monitor and auto-renew certs, validate deployment, and alert in real time. The good news is you have four years to get ready. This is an early warning—the clock is ticking on long-lived certs.
